Added suppression for CVE-2026-0994 (#90)

sarthak77 · web-flow · commit 9c3702c2d460 · 2026-04-10T19:16:42.000+05:30
diff --git a/dependency-check/global-suppressions.xml b/dependency-check/global-suppressions.xml
@@ -141,6 +141,15 @@
     <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
     <vulnerabilityName>CVE-2024-12798</vulnerabilityName>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   CVE-2026-0994 is a Python-only protobuf vulnerability affecting json_format.ParseDict.
+   This project uses Java protobuf (protobuf-java and protobuf-java-util), which do not
+   include the vulnerable Python code path. Hence this is a false positive.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/(protobuf\-java|protobuf\-java\-util)@.*$</packageUrl>
+    <cve>CVE-2026-0994</cve>
+  </suppress>
   <suppress>
    <notes><![CDATA[
    file name: micrometer-registry-prometheus-simpleclient-1.14.4.jar
