Posted to commits@solr.apache.org by ho...@apache.org on 2024/02/14 18:47:44 UTC

(solr) branch main updated: Suppress two `gradle dependencyCheckAggregate` false positives (#2198)

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/main by this push:
     new 52673a2b1a6 Suppress two `gradle dependencyCheckAggregate` false positives (#2198)
52673a2b1a6 is described below

commit 52673a2b1a63ec8dab73361109e4e3d4a47d0fb5
Author: Arnout Engelen <ar...@engelen.eu>
AuthorDate: Wed Feb 14 19:47:39 2024 +0100

    Suppress two `gradle dependencyCheckAggregate` false positives (#2198)
    
    the `line` CPE is incorrectly matched
    
    the kerby CVE is specific to a subcomponent that is not used in Solr
---
 build.gradle                                            |  2 +-
 gradle/validation/owasp-dependency-check/exclusions.xml | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index bc93b1098c4..db98bc4907c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,7 +21,7 @@ import java.time.format.DateTimeFormatter
 plugins {
   id 'base'
   id 'com.palantir.consistent-versions' version '2.16.0'
-  id 'org.owasp.dependencycheck' version '8.4.0'
+  id 'org.owasp.dependencycheck' version '9.0.8'
   id 'ca.cutterslade.analyze' version '1.9.1'
   id 'de.thetaphi.forbiddenapis' version '3.6' apply false
   id 'de.undercouch.download' version '5.5.0' apply false
diff --git a/gradle/validation/owasp-dependency-check/exclusions.xml b/gradle/validation/owasp-dependency-check/exclusions.xml
index 7043d611ebb..b56304ec69e 100644
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@@ -22,6 +22,20 @@
  -->
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress base="true">
+     <notes><![CDATA[
+     This CVE only affects the Kerby backend-ldap component, which Solr
+     does not include.
+     ]]></notes>
+     <cve>CVE-2023-25613</cve>
+  </suppress>
+  <suppress base="true">
+     <notes><![CDATA[
+     FP per issue #6388
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.apache\.rat/apache-rat@.*$</packageUrl>
+     <cpe>cpe:/a:line:line</cpe>
+  </suppress>
   <suppress>
     <notes><![CDATA[simple-xml-safe is a safe xml-safe fork]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple\-xml\-safe@.*$</packageUrl>
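Review bot: The first added `<suppress>` (CVE-2023-25613) carries no `<packageUrl>`, `<cpe>` or `<gav>` selector, so it waives that CVE for every dependency in the aggregate scan rather than only for Kerby; should some other artifact ever be matched to the same CVE, the finding would never surface. Scoping it to the Kerby artifacts, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.kerby/.*$</packageUrl>` (constructed pattern; confirm against the coordinates the scan reports), keeps the suppression as narrow as the note claims. Both new entries are also marked `base="true"` while the existing entry directly below them is not; as far as I recall, base suppressions are left out of the report's suppressed-findings section, so reviewers lose the periodic reminder that these CVEs are being waived — worth confirming that is intended and, either way, keeping the file consistent. The five-space indentation of the new child elements likewise differs from the four-space indent of the existing entry.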