From 5540b4160babd4584dcfe9fbd32b9cfd21a8ac2d Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Fri, 20 Dec 2024 14:12:38 +0100
Subject: [PATCH] Suppress warning about CVE-2024-49203

https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause
you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a
security vulnerability because JDBC allows you to execute arbitrary SQL if you
do not properly use PreparedStatement with parameters over a string-concatenated
Statement.

Even if this is considered a valid vulnerability we do not, currently, allow
untrusted user input to be used in the "ORDER BY" clause.
---
 owasp.xml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/owasp.xml b/owasp.xml
index c504d51e0f..125e5e37f6 100644
--- a/owasp.xml
+++ b/owasp.xml
@@ -72,4 +72,22 @@
         </notes>
         <cve>CVE-2024-23076</cve>
     </suppress>
+    <suppress>
+        <notes>
+            https://nvd.nist.gov/vuln/detail/CVE-2024-49203
+            https://github.com/querydsl/querydsl/issues/3757
+
+            Basically if you allow untrusted user input to be used in the "ORDER BY" clause
+            you can be vulnerable to SQL injection.
+
+            I believe this is nonsense and akin to saying every Java application has a
+            security vulnerability because JDBC allows you to execute arbitrary SQL if you
+            do not properly use PreparedStatement with parameters over a string-concatenated
+            Statement.
+
+            Even if this is considered a valid vulnerability we do not, currently, allow
+            untrusted user input to be used in the "ORDER BY" clause.
+        </notes>
+        <cve>CVE-2024-49203</cve>
+    </suppress>
 </suppressions>
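Review bot: The new `<suppress>` entry for CVE-2024-49203 has no expiry and no package scope, yet its justification rests on a condition the notes themselves describe as holding only "currently". As written, the finding stays hidden indefinitely even if a later change lets request-derived values reach an ORDER BY clause. I would open the entry with `<suppress until="YYYY-MM-DDZ">` (placeholder date) so that dependency-check reports the CVE again and forces a re-review. I would also add a scope between `</notes>` and `<cve>`, for example `<packageUrl regex="true">^pkg:maven/com\.querydsl/.*$</packageUrl>`, adjusted to the coordinates of the artifact the report actually flags. It would also help if the notes named the code path or test that keeps sort fields restricted to a fixed allow-list, so the claim can be checked at the next review.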