Posted to commits@zookeeper.apache.org by sy...@apache.org on 2022/02/14 08:02:24 UTC

[zookeeper] branch branch-3.6 updated: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

This is an automated email from the ASF dual-hosted git repository.

symat pushed a commit to branch branch-3.6
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.6 by this push:
     new 68c8e70  ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
68c8e70 is described below

commit 68c8e706afcb13720e8e00bc0eb1a5c062896ecf
Author: Enrico Olivelli <eo...@apache.org>
AuthorDate: Mon Feb 14 07:50:43 2022 +0000

    ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
    
    More context here:
    https://issues.apache.org/jira/browse/ZOOKEEPER-4469
    
    I am also updating the OWASP dependency-check Maven plugin to a newer version.
    
    Author: Enrico Olivelli <eo...@apache.org>
    
    Reviewers: Norbert Kalmar <nk...@apache.org>, Mate Szalay-Beko <sy...@apache.org>
    
    Closes #1817 from eolivelli/ZOOKEEPER-4469
    
    (cherry picked from commit 428e6f92132e19390c81e19f67d5380451acdbe4)
---
 owaspSuppressions.xml | 12 ++++++++++++
 pom.xml               |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 2565f0d..cf84366 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -34,6 +34,18 @@
       <!-- https://github.com/jeremylong/DependencyCheck/issues/1653
            False positive on Netty 4.x-->
       <cve>CVE-2018-12056</cve>
+      <!-- other false positives related to Netty TCNative 4.x -->
+      <cve>CVE-2021-43797</cve>
+      <cve>CVE-2019-16869</cve>
+      <cve>CVE-2015-2156</cve>
+      <cve>CVE-2021-37136</cve>
+      <cve>CVE-2014-3488</cve>
+      <cve>CVE-2021-37137</cve>
+      <cve>CVE-2019-20445</cve>
+      <cve>CVE-2019-20444</cve>
+      <cve>CVE-2021-21295</cve>
+      <cve>CVE-2021-21409</cve>
+      <cve>CVE-2021-21290</cve>
    </suppress>
    <suppress>
       <!-- Seems like false positive - we are not using Prometheus
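Review bot: The eleven CVE entries added at L48–L58 are placed inside an existing `<suppress>` whose matcher (the `<packageUrl>`/`<gav>` element) is above the hunk, and the only visible hint about its scope is the earlier comment "False positive on Netty 4.x" for CVE-2018-12056 — so it is not clear these suppressions are limited to the netty-tcnative artifacts. As far as I know most of the listed ids (e.g. CVE-2021-43797, CVE-2021-37136/37137, CVE-2021-21295/21409/21290) are real advisories against netty-codec / netty-codec-http in the Netty 4.1 line, and they are false positives only because dependency-check maps netty-tcnative's 2.0.x version onto the netty:netty CPE; if the enclosing matcher covers `io.netty` broadly, this change silently hides those findings for the real Netty jars the project ships. I would move them into a separate `<suppress>` scoped by `<packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>`, add a `<notes>` element recording why they are false positives (the schema supports it and the file currently relies on XML comments), and consider an `until="…"` attribute so the list is re-examined rather than accumulated forever. The enclosing `<suppress>` starts outside the hunk, so please verify its matcher before merging.

```xml
   <suppress until="2023-01-01Z">
      <notes><![CDATA[
         dependency-check maps netty-tcnative (2.0.x) to the netty:netty CPE, so advisories
         against netty-codec / netty-codec-http 4.1.x are reported against it.
         Scoped to tcnative only: the same CVEs are real for io.netty:netty-codec* and
         must not be suppressed for those artifacts.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>
      <cve>CVE-2021-43797</cve>
      <!-- … the other ten CVE entries from the hunk, unchanged … -->
   </suppress>
```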
diff --git a/pom.xml b/pom.xml
index 84dc78f..2606c68 100755
--- a/pom.xml
+++ b/pom.xml
@@ -672,7 +672,7 @@
         <plugin>
           <groupId>org.owasp</groupId>
           <artifactId>dependency-check-maven</artifactId>
-          <version>5.3.0</version>
+          <version>6.5.3</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>