From 4d571edcf3d9f4a9af759c293a1d1f1eb55095df Mon Sep 17 00:00:00 2001
From: Jonatan Rhodin
Date: Fri, 20 Sep 2024 15:36:23 +0200
Subject: [PATCH] Suppress CVE-2024-7254

---
 android/config/dependency-check-suppression.xml | 9 +++++++++
 android/gradle/osv-scanner.toml | 5 +++++
 android/test/test-suppression.xml | 9 +++++++++
 3 files changed, 23 insertions(+)

diff --git a/android/config/dependency-check-suppression.xml b/android/config/dependency-check-suppression.xml
index ae30e89fff41..2462a467ba85 100644
--- a/android/config/dependency-check-suppression.xml
+++ b/android/config/dependency-check-suppression.xml
@@ -40,4 +40,13 @@ ^pkg:maven/commons\-validator/commons\-validator@.*$ CVE-2021-3765 + + + ^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$ + CVE-2024-7254 +
diff --git a/android/gradle/osv-scanner.toml b/android/gradle/osv-scanner.toml
index 53491f84855e..ce19dcfe266a 100644
--- a/android/gradle/osv-scanner.toml
+++ b/android/gradle/osv-scanner.toml
@@ -68,6 +68,11 @@ id = "CVE-2022-24329" # GHSA-2qp4-g3q3-f92w
 ignoreUntil = 2024-11-02
 reason = "This CVE only affect Multiplatform Gradle Projects, which this project is not."
 
+[[IgnoredVulns]]
+id = "CVE-2024-7254" # GHSA-735f-pc8j-v9w8
+ignoreUntil = 2024-11-02
+reason = "Should not be applicable since client and server are always in sync and we are only communicating locally over UDS."
+
 [[PackageOverrides]]
 name = "org.bouncycastle:bcprov-jdk15on"
 ecosystem = "Maven"
diff --git a/android/test/test-suppression.xml b/android/test/test-suppression.xml
index fac53625c9a1..cb6bd25a192d 100644
--- a/android/test/test-suppression.xml
+++ b/android/test/test-suppression.xml
@@ -17,4 +17,13 @@ CVE-2023-33953 CVE-2023-44487 + + + ^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$ + CVE-2024-7254 +
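Review bot: The package pattern `^pkg:maven/com\.google\.protobuf/protobuf-.*@.*$` in the new suppression matches every protobuf artifact at every version, so CVE-2024-7254 stays hidden for any protobuf module or version pulled in later; the identical entry in android/test/test-suppression.xml has the same reach. The XML markup of both hunks did not survive on this page, so whether the entry carries an expiry cannot be confirmed from here. If it does not, add an `until` date that matches the `ignoreUntil = 2024-11-02` used in osv-scanner.toml, so all three suppressions lapse together and force a re-evaluation. Narrowing the pattern to the protobuf artifact(s) actually resolved by the build would keep the scanner reporting on anything newly introduced.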
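Review bot: The `reason` on the new `[[IgnoredVulns]]` entry is hedged ("Should not be applicable") and leaves its real assumption unstated: that only trusted local processes can write to the UDS. As far as the advisory goes, the issue is triggered by parsing protobuf data from an untrusted sender, so client and server being "in sync" does not by itself rule it out. I would add a comment above the entry along the lines of `# Assumes only our own processes can connect to the UDS; remove once protobuf is upgraded to a fixed release.` so the next reviewer knows what to re-check when `ignoreUntil = 2024-11-02` expires. It is also worth confirming that the socket's permissions actually enforce that assumption, which nothing in this hunk shows.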