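--- a/generatedSuppressions.xml
+++ b/generatedSuppressions.xml
@@ -243,13 +243,6 @@
 <packageUrl regex="true">^pkg:maven/org\.clojure/data\.priority-map@.*$</packageUrl>
 <cpe>cpe:/a:priority-software:priority</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #4681
-]]></notes>
-<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws-java-sdk-prometheus@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 FP per issue #4651
@@ -461,13 +454,6 @@
 <packageUrl regex="true">^pkg:maven/com\.github\.luben/zstd-jni@.*$</packageUrl>
 <cpe>cpe:/a:freebsd:freebsd</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #5506
-]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.kamon/kamon-prometheus_2\.13@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 FP per issue #5529
@@ -952,13 +938,6 @@
 <packageUrl regex="true">^pkg:nuget/MongoDB\.Bson@.*$</packageUrl>
 <cpe>cpe:/a:mongodb:mongodb</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #6595
-]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.opentelemetry\.contrib/opentelemetry-prometheus-client-bridge@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 FP per issue #6613
@@ -1238,15 +1217,6 @@ only pkg:maven/org.clojure:clojure@.* is the CPE cpe:/a:clojure:clojure
 <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/ftplet-api@.*$</packageUrl>
 <cpe regex="true">^cpe:/a:apache:mina:.*</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #6981 - manual addition prometheus java_client libraries
-seen as the prometheus server, but they would receive product client_java
-(no CPE yet, but observed from the existing CPE for the go client client_go)
-]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 Original suppression as per #952 suppressed individual CVEs.
@@ -1690,13 +1660,6 @@ only pkg:maven/org.clojure:clojure@.* is the CPE cpe:/a:clojure:clojure
 <packageUrl regex="true">^pkg:maven/org\.nokogiri/nekodtd@.*$</packageUrl>
 <cpe>cpe:/a:nokogiri:nokogiri</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #7689
-]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus-simpleclient@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 FP per issue #7715
@@ -1954,13 +1917,6 @@ only pkg:maven/org.clojure:clojure@.* is the CPE cpe:/a:clojure:clojure
 <packageUrl regex="true">^pkg:maven/org\.jetbrains\.exposed/exposed-kotlin-datetime@.*$</packageUrl>
 <cpe>cpe:/a:jetbrains:kotlin</cpe>
 </suppress>
-<suppress base="true">
-<notes><![CDATA[
-FP per issue #8184
-]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.opentelemetry/opentelemetry-exporter-prometheus@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
 <suppress base="true">
 <notes><![CDATA[
 FP per issue #7869
@@ -2149,8 +2105,13 @@ only pkg:maven/org.clojure:clojure@.* is the CPE cpe:/a:clojure:clojure
 </suppress>
 <suppress base="true">
 <notes><![CDATA[
-FP per issue #8497
+hand-curated better suppression FP per issue #1927, #2001, #2109, #2341, #2628, #3427, #4205, #4681, #5506, #6595,
+#6981, #7689, #8184, #8497 (and others)
+These CVEs are all for the golang based server; so exclude for all packages except the golang/github.com/prometheus/prometheus server module.
+Other prometheus CVEs in other components have their own CPE. The ones being suppressed here can be reviewed at
+- https://github.com/prometheus/prometheus/security
+- https://nvd.nist.gov/vuln/search#/nvd/home?cpeFilterMode=applicability&cpeName=cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*&resultType=records
 ]]></notes>
-<packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus@.*$</packageUrl>
-<cpe>cpe:/a:prometheus:prometheus</cpe>
-</suppress>
+<packageUrl regex="true">^pkg:(?!golang/github\.com/prometheus/prometheus).*$</packageUrl>
+<cpe>cpe:/a:prometheus:prometheus:</cpe>
+</suppress>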
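Review bot: The new `<cpe>cpe:/a:prometheus:prometheus:</cpe>` on the last added line carries a trailing colon that none of the other `<cpe>` entries in this diff have, including the seven `cpe:/a:prometheus:prometheus` entries being deleted; if the non-regex cpe matcher is a starts-with comparison (as it appears to be, given the versionless entries elsewhere in the file), the colon narrows the rule to versioned `prometheus:prometheus:<ver>` identifiers and away from other `prometheus:*` products, but it would also miss an identifier that ends at the product name, so the intent should be stated in the notes, e.g. `trailing ':' is intentional: match the prometheus:prometheus product only, not other prometheus:* CPEs`. Separately, the negative-lookahead `<packageUrl>` turns this from a list of known false positives into an allow-by-default rule: any non-golang purl that is ever correctly matched to the Prometheus server CPE (a repackaged release binary, or a vendored copy under a different module path) will now be suppressed silently. The notes already keep the original issue numbers, which is good; I would add one sentence recording that trade-off and the reviewer's decision to accept it, so a future maintainer knows the rule can be narrowed back to explicit ecosystems (`^pkg:(maven|nuget|npm)/.*$`) if such a case appears.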