Suppressions cleanup CVE-2021-29425

jeremiahjstacey · jeremiahjstacey · commit 770f80c1f633 · 2022-04-20T16:49:24.000-05:00
Removing suppression entry for listed cve.
commons-io has been updated beyond the 2.6 vulnerability.
diff --git a/suppressions.xml b/suppressions.xml
@@ -53,18 +53,6 @@
         <cpe>cpe:/a:apache:log4j</cpe>
         <cve>CVE-2021-4104</cve>
     </suppress>
-    <suppress>
-        <notes><![CDATA[
-            FIXME: Once we switch to Java 8 as the minimal JDK, update commons-io to the latest and delete this.
-
-            This CVE is path traversal issue in FileNameUtils.normalize(). That class is not used directly or indirectly
-            by ESAPI. We are required to use an older version of Commons-IO because of a direct dependency on Antisamy.
-
-            file name: commons-io-2.6.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
-        <cve>CVE-2021-29425</cve>
-    </suppress>
     <suppress>
         <notes><![CDATA[
             ESAPI does not use this jar directly. It is a transitive dependency of AntiSamy and (as per Dave Wichers on
