Posted to commits@solr.apache.org by ho...@apache.org on 2024/02/14 18:47:44 UTC
(solr) branch main updated: Suppress two `gradle dependencyCheckAggregate` false positives (#2198)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 52673a2b1a6 Suppress two `gradle dependencyCheckAggregate` false positives (#2198)
52673a2b1a6 is described below
commit 52673a2b1a63ec8dab73361109e4e3d4a47d0fb5
Author: Arnout Engelen <ar...@engelen.eu>
AuthorDate: Wed Feb 14 19:47:39 2024 +0100
Suppress two `gradle dependencyCheckAggregate` false positives (#2198)
the `cpe:/a:line:line` CPE is incorrectly matched against apache-rat
the kerby CVE is specific to a subcomponent that is not used in Solr
---
build.gradle | 2 +-
gradle/validation/owasp-dependency-check/exclusions.xml | 14 ++++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index bc93b1098c4..db98bc4907c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,7 +21,7 @@ import java.time.format.DateTimeFormatter
plugins {
id 'base'
id 'com.palantir.consistent-versions' version '2.16.0'
- id 'org.owasp.dependencycheck' version '8.4.0'
+ id 'org.owasp.dependencycheck' version '9.0.8'
id 'ca.cutterslade.analyze' version '1.9.1'
id 'de.thetaphi.forbiddenapis' version '3.6' apply false
id 'de.undercouch.download' version '5.5.0' apply false
diff --git a/gradle/validation/owasp-dependency-check/exclusions.xml b/gradle/validation/owasp-dependency-check/exclusions.xml
index 7043d611ebb..b56304ec69e 100644
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@@ -22,6 +22,20 @@
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress base="true">
+ <notes><![CDATA[
+ This CVE only affects the Kerby backend-ldap component, which Solr
+ does not include.
+ ]]></notes>
+ <cve>CVE-2023-25613</cve>
+ </suppress>
+ <suppress base="true">
+ <notes><![CDATA[
+ FP per issue #6388
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.rat/apache-rat@.*$</packageUrl>
+ <cpe>cpe:/a:line:line</cpe>
+ </suppress>
<suppress>
<notes><![CDATA[simple-xml-safe is a safe xml-safe fork]]></notes>
<packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple\-xml\-safe@.*$</packageUrl>