(PDB-5235) suppress nvd failure on Rust CVE

Author: austb

dev-resources/suppression.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+    This suppresses a medium vulnerability that was found in a cache crate for
+    Rust.  It is a false positive on the Clojure package core.cache-0.7.1 since
+    the Clojure package that we use does not have any relation to Rust.
+    The file name that causes the false positive: core.cache-0.7.1.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.clojure/core\.cache@.*$</packageUrl>
+    <cve>CVE-2020-36448</cve>
+  </suppress>
+</suppressions>

project.clj

@@ -270,6 +270,7 @@
                                                       org.slf4j/jcl-over-slf4j
                                                       org.clojure/clojure
                                                       org.slf4j/slf4j-api]]]}]
+
              :fips [:defaults
                     {:dependencies [[org.bouncycastle/bcpkix-fips]
                                     [org.bouncycastle/bc-fips]
@@ -347,6 +348,8 @@
                                          (if (map? prev) [new prev] (conj prev new)))
                                        #(spit %1 (pr-str %2))]}
 
+  :nvd {:suppression-file "dev-resources/suppression.xml"}
+
   :eastwood {:config-files ["eastwood.clj"]
              ;; local-shadows-var is too distruptive, particularly
              ;; with respect to defservice dependency methods, and