From fcf493839c715b07381343a576d833f1628690bb Mon Sep 17 00:00:00 2001
From: Gary O'Neall <gary@sourceauditor.com>
Date: Wed, 15 Oct 2025 10:38:18 -0700
Subject: [PATCH] Suppress false positives in dependency track report

---
 dependency-check-supress.xml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/dependency-check-supress.xml b/dependency-check-supress.xml
index 442d77a..0eb63bd 100644
--- a/dependency-check-supress.xml
+++ b/dependency-check-supress.xml
@@ -1,4 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
+    <suppress>
+        <notes><![CDATA[
+   file name: icu4j-75.1.jar
+   This is a known false positive related to the CVE data
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
+        <cve>CVE-2025-5222</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: spdx-java-model-2_X-1.0.1.jar
+   Reference https://github.com/dependency-check/DependencyCheck/issues/8051
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.spdx/spdx-java-model-2_X@.*$</packageUrl>
+        <cpe>cpe:/a:x.org:x.org</cpe>
+    </suppress>
 </suppressions>
\ No newline at end of file