Posted to commits@pulsar.apache.org by ni...@apache.org on 2023/02/23 15:02:00 UTC

[pulsar] 01/03: [improve][sec] Suppress false positive OWASP reports (#19105)

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 8fd1b39ceda19f0e91a02814153ad50e2eb9c0a1
Author: tison <wa...@gmail.com>
AuthorDate: Thu Dec 29 19:08:37 2022 +0800

    [improve][sec] Suppress false positive OWASP reports (#19105)
    
    Signed-off-by: tison <wa...@gmail.com>
    (cherry picked from commit 62a2058f82c854226bcc8e3fc30490a9ae1d1b1a)
    (cherry picked from commit 5f67f67119fd0e2b919362a5149cd8c02858c87f)
    (cherry picked from commit 36a41ee372f7ba7853b10de7dcf40b3bfc837394)
---
 src/owasp-dependency-check-suppressions.xml | 365 ++++++++++++++++++++++++++--
 1 file changed, 344 insertions(+), 21 deletions(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 90698c08435..b864e2b5be0 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -20,27 +20,45 @@
 
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <!-- add supressions for known vulnerabilities detected by OWASP Dependency Check -->
-  <suppress>
-    <notes>Ignore netty CVEs in GRPC shaded Netty.</notes>
-    <filePath regex="true">.*grpc-netty-shaded.*</filePath>
-    <cpe>cpe:/a:netty:netty</cpe>
-  </suppress>
-  <suppress>
-    <notes>Suppress all pulsar-presto-distribution vulnerabilities</notes>
-    <filePath regex="true">.*pulsar-presto-distribution-.*</filePath>
-    <vulnerabilityName regex="true">.*</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <notes>Suppress libthrift-0.12.0.jar vulnerabilities</notes>
-    <gav>org.apache.thrift:libthrift:0.12.0</gav>
-    <vulnerabilityName regex="true">.*</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <notes>Suppress Zookeeper 3.6.2 vulnerabilities</notes>
-    <gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
-    <vulnerabilityName regex="true">.*</vulnerabilityName>
-  </suppress>
+    <!-- add supressions for known vulnerabilities detected by OWASP Dependency Check -->
+    <suppress>
+        <notes>Ignore netty CVEs in GRPC shaded Netty.</notes>
+        <filePath regex="true">.*grpc-netty-shaded.*</filePath>
+        <cpe>cpe:/a:netty:netty</cpe>
+    </suppress>
+    <suppress>
+        <notes>Suppress all pulsar-presto-distribution vulnerabilities</notes>
+        <filePath regex="true">.*pulsar-presto-distribution.*</filePath>
+        <vulnerabilityName regex="true">.*</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Suppress libthrift-0.12.0.jar vulnerabilities</notes>
+        <gav>org.apache.thrift:libthrift:0.12.0</gav>
+        <vulnerabilityName regex="true">.*</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: snakeyaml-1.32.jar
+       ]]></notes>
+        <sha1>e80612549feb5c9191c498de628c1aa80693cf0b</sha1>
+        <cve>CVE-2022-1471</cve>
+    </suppress>
+
+    <!-- influxdb dependencies -->
+    <suppress>
+        <notes><![CDATA[
+       file name: msgpack-core-0.9.0.jar
+       ]]></notes>
+        <sha1>87d9ce0b22de48428fa32bb8ad476e18b6969548</sha1>
+        <cve>CVE-2022-41719</cve>
+    </suppress>
+
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>Suppress Zookeeper 3.6.2 vulnerabilities</notes>
+        <gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
+        <vulnerabilityName regex="true">.*</vulnerabilityName>
+    </suppress>
 
   <!-- see https://github.com/apache/pulsar/pull/14629-->
   <suppress>
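Review bot: The two new sha1-pinned suppressions (snakeyaml-1.32.jar for CVE-2022-1471, msgpack-core-0.9.0.jar for CVE-2022-41719) carry no rationale, because their `<notes>` hold only the jar file name, so a later maintainer cannot tell whether the finding was analysed or merely silenced. CVE-2022-1471 is the SnakeYAML Constructor deserialization issue resolved in SnakeYAML 2.0, so it is only a false positive if the project never hands untrusted YAML to that constructor; the note should record that reasoning, e.g. `<notes>CVE-2022-1471 (SnakeYAML Constructor deserialization) — false positive because: [REASON]; revisit on the next snakeyaml upgrade</notes>`, and the same for the msgpack entry (presumably a CPE mismatch with a different msgpack implementation — confirm). Consider also `<suppress until="[YYYY-MM-DD]">` on both so they expire rather than persist indefinitely. Minor: the re-indented comment still reads "supressions" (one p).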
@@ -140,7 +158,312 @@
     <notes><![CDATA[
     file name: clickhouse-jdbc-0.3.2.jar
     ]]></notes>
+<<<<<<< HEAD
     <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
     <cve>CVE-2021-25263</cve>
   </suppress>
+=======
+        <sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
+        <cve>CVE-2021-25263</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+        <sha1>e3c02049f2dbbc764681b40094ecf0dcbc99b157</sha1>
+        <cpe>cpe:/a:qos:logback</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: rocketmq-acl-4.5.2.jar
+     ]]></notes>
+        <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
+        <cpe>cpe:/a:apache:rocketmq</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[Ignored since we are not vulnerable]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: logback-classic-1.1.3.jar
+     ]]></notes>
+        <sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
+        <cpe>cpe:/a:qos:logback</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+        <sha1>e3c02049f2dbbc764681b40094ecf0dcbc99b157</sha1>
+        <vulnerabilityName>CVE-2017-5929</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: logback-classic-1.1.3.jar
+     ]]></notes>
+        <sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
+        <cve>CVE-2017-5929</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+     file name: logback-classic-1.1.3.jar
+     ]]></notes>
+        <sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
+        <cve>CVE-2021-42550</cve>
+    </suppress>
+
+    <!-- jetcd matched against ETCD server CVEs-->
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-core-0.5.11.jar
+       ]]></notes>
+        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+        <cve>CVE-2020-15106</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-core-0.5.11.jar
+       ]]></notes>
+        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+        <cve>CVE-2020-15112</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-core-0.5.11.jar
+       ]]></notes>
+        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+        <cve>CVE-2020-15113</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-common-0.5.11.jar
+       ]]></notes>
+        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+        <cve>CVE-2020-15106</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-common-0.5.11.jar
+       ]]></notes>
+        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+        <cve>CVE-2020-15112</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: jetcd-common-0.5.11.jar
+       ]]></notes>
+        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+        <cve>CVE-2020-15113</cve>
+    </suppress>
+
+    <!-- bouncycastle misdetections -->
+    <suppress>
+        <notes><![CDATA[
+       file name: bc-fips-1.0.2.jar
+       ]]></notes>
+        <sha1>4fb5db5f03d00f6a94e43b78d097978190e4abb2</sha1>
+        <cve>CVE-2020-26939</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: bcpkix-fips-1.0.2.jar
+       ]]></notes>
+        <sha1>543bc7a08cdba0172e95e536b5f7ca61f021253d</sha1>
+        <cve>CVE-2020-15522</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: bcpkix-fips-1.0.2.jar
+       ]]></notes>
+        <sha1>543bc7a08cdba0172e95e536b5f7ca61f021253d</sha1>
+        <cve>CVE-2020-26939</cve>
+    </suppress>
+
+    <!-- jclouds/openswift misdetections -->
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-swift-2.5.0.jar
+       ]]></notes>
+        <sha1>d99d0eab2e01d69d8a326fc152427fbd759af88a</sha1>
+        <cve>CVE-2016-0738</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-swift-2.5.0.jar
+       ]]></notes>
+        <sha1>d99d0eab2e01d69d8a326fc152427fbd759af88a</sha1>
+        <cve>CVE-2017-16613</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2018-14432</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2018-20170</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2020-12689</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2020-12690</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2020-12691</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2020-12692</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: openstack-keystone-2.5.0.jar
+       ]]></notes>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
+        <cve>CVE-2021-3563</cve>
+    </suppress>
+
+    <!-- Solr misdetection.
+    Cannot be tied to a sha1,
+    mismatches org.apache.pulsar:pulsar-io-solr:2.10.0-SNAPSHOT
+    -->
+    <suppress>
+        <notes><![CDATA[
+       file name: org.apache.pulsar:pulsar-io-solr:2.10.0-SNAPSHOT
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pulsar/pulsar\-io\-solr@.*-SNAPSHOT$</packageUrl>
+        <cpe>cpe:/a:apache:pulsar</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: org.apache.pulsar:pulsar-io-solr:2.10.0-SNAPSHOT
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pulsar/pulsar\-io\-solr@.*-SNAPSHOT$</packageUrl>
+        <cpe>cpe:/a:apache:solr</cpe>
+    </suppress>
+
+    <!-- debezium-related misdetections -->
+    <suppress>
+        <notes><![CDATA[
+       file name: debezium-connector-mysql-1.7.2.Final.jar
+       ]]></notes>
+        <sha1>a501bd758344d60fd400f5ce58694d52b2dbc6d8</sha1>
+        <cve>CVE-2010-1626</cve>
+        <cve>CVE-2009-4028</cve>
+        <cve>CVE-2007-1420</cve>
+        <cve>CVE-2007-5925</cve>
+        <cve>CVE-2007-2691</cve>
+        <cve>CVE-2009-0819</cve>
+        <cve>CVE-2010-1621</cve>
+        <cve>CVE-2010-3677</cve>
+        <cve>CVE-2010-3682</cve>
+        <cve>CVE-2012-5627</cve>
+        <cve>CVE-2015-2575</cve>
+        <cve>CVE-2017-15945</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: mysql-binlog-connector-java-0.25.3.jar
+       ]]></notes>
+        <sha1>45b3fdd0b953d744a8570f74eb5e1016f8ed5ca9</sha1>
+        <cve>CVE-2007-1420</cve>
+        <cve>CVE-2007-2691</cve>
+        <cve>CVE-2007-5925</cve>
+        <cve>CVE-2009-0819</cve>
+        <cve>CVE-2009-4028</cve>
+        <cve>CVE-2010-1621</cve>
+        <cve>CVE-2010-1626</cve>
+        <cve>CVE-2010-3677</cve>
+        <cve>CVE-2010-3682</cve>
+        <cve>CVE-2012-5627</cve>
+        <cve>CVE-2015-2575</cve>
+        <cve>CVE-2017-15945</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: debezium-connector-postgres-1.7.2.Final.jar
+       ]]></notes>
+        <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1>
+        <cve>CVE-2007-2138</cve>
+        <cve>CVE-2010-0733</cve>
+        <cve>CVE-2014-0060</cve>
+        <cve>CVE-2014-0061</cve>
+        <cve>CVE-2014-0062</cve>
+        <cve>CVE-2014-0063</cve>
+        <cve>CVE-2014-0064</cve>
+        <cve>CVE-2014-0065</cve>
+        <cve>CVE-2014-0066</cve>
+        <cve>CVE-2014-0067</cve>
+        <cve>CVE-2014-8161</cve>
+        <cve>CVE-2015-0241</cve>
+        <cve>CVE-2015-0242</cve>
+        <cve>CVE-2015-0243</cve>
+        <cve>CVE-2015-0244</cve>
+        <cve>CVE-2015-3166</cve>
+        <cve>CVE-2015-3167</cve>
+        <cve>CVE-2016-0766</cve>
+        <cve>CVE-2016-0768</cve>
+        <cve>CVE-2016-0773</cve>
+        <cve>CVE-2016-5423</cve>
+        <cve>CVE-2016-5424</cve>
+        <cve>CVE-2016-7048</cve>
+        <cve>CVE-2017-14798</cve>
+        <cve>CVE-2017-7484</cve>
+        <cve>CVE-2018-1115</cve>
+        <cve>CVE-2019-10127</cve>
+        <cve>CVE-2019-10128</cve>
+        <cve>CVE-2019-10210</cve>
+        <cve>CVE-2019-10211</cve>
+        <cve>CVE-2020-25694</cve>
+        <cve>CVE-2020-25695</cve>
+        <cve>CVE-2021-3393</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: protostream-types-4.4.1.Final.jar
+       ]]></notes>
+        <sha1>29b45ebea1e4ce62ab3ec5eb76fa9771f98941b0</sha1>
+        <cve>CVE-2016-0750</cve>
+        <cve>CVE-2017-15089</cve>
+        <cve>CVE-2017-2638</cve>
+        <cve>CVE-2019-10158</cve>
+        <cve>CVE-2019-10174</cve>
+        <cve>CVE-2020-25711</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: mariadb-java-client-2.7.5.jar
+       ]]></notes>
+        <sha1>9dd29797ecabe7d2e7fa892ec6713a5552cfcc59</sha1>
+        <cve>CVE-2020-28912</cve>
+        <cve>CVE-2021-46669</cve>
+        <cve>CVE-2021-46666</cve>
+        <cve>CVE-2021-46667</cve>
+    </suppress>
+
+>>>>>>> 36a41ee372f ([improve][sec] Suppress false positive OWASP reports (#19105))
 </suppressions>
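Review bot: Git conflict markers are committed on the new side of this hunk (`<<<<<<< HEAD`, `=======`, `>>>>>>> 36a41ee372f (…)`), which makes the suppression file not well-formed XML, since `<` followed by another `<` is not a valid tag start, so dependency-check will either fail to load the file or run with no suppressions applied, defeating the purpose of the commit. Inside the conflict both resolutions of the clickhouse-jdbc entry survive, leaving a `<packageUrl>` + `<cve>` + `</suppress>` followed by a second `<sha1>` + `<cve>` + `</suppress>`, so even a parser that tolerated the markers would see a stray closing tag. Resolve by deleting the three marker lines and keeping a single matcher for that entry — either the existing `<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>` or the incoming `<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>` — with one `</suppress>` closing it. The opening `<suppress>` of that clickhouse entry lies before the hunk. A well-formedness check (e.g. `xmllint --noout src/owasp-dependency-check-suppressions.xml`) in CI would have caught this before the cherry-pick landed.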