Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/04/20 17:30:59 UTC

[GitHub] [druid] suneet-s commented on a diff in pull request #12463: Supress CVE 2022 26612

suneet-s commented on code in PR #12463:
URL: https://github.com/apache/druid/pull/12463#discussion_r854387634


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -479,4 +479,13 @@
     <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl>
     <cve>CVE-2021-43138</cve>
   </suppress>
+
+  <suppress>
+    <!-- Suppress cves that aren't applicable to hadoop client -->
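Review bot: The hunk shown ends right after the opening `<suppress>` and its comment, so the `<packageUrl>` regex and `<cve>` entries that actually define the suppression are not visible here and cannot be reviewed in this context. When this block is merged into the existing hadoop-client section, keep the package URL pattern anchored and specific to the affected artifact and version, in the same style as the entry just above it (`^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$`), rather than a broad match, so the suppression cannot silently hide the same CVE if it is later reported against a different dependency. Minor: "cves" in the comment should read "CVEs".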

Review Comment:
   It looks like we already have a section for suppressions like this in https://github.com/apache/druid/blob/691e26d2429cd81afef092dbda32e24ad56bb510/owasp-dependency-check-suppressions.xml#L322-L329
   
   Can you combine this with that section?
   
   This comment explaining why the CVE is being suppressed is great!



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
