Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/16 12:57:11 UTC

[GitHub] [pulsar] nicoloboschi opened a new pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

nicoloboschi opened a new pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364


   ### Motivation
   OWASP dependency check is failing after https://github.com/apache/pulsar/pull/13328 because of
   ```
   netty-tcnative-classes-2.0.46.Final.jar (pkg:maven/io.netty/netty-tcnative-classes@2.0.46.Final, cpe:2.3:a:netty:netty:2.0.46:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797
   ```
   
   see: https://github.com/apache/pulsar/runs/4541586789?check_suite_focus=true
   
   It is a false positive and there's a [PR](https://github.com/jeremylong/DependencyCheck/pull/3890/files) in the owasp plugin repository to suppress this warning.
   
   
   ### Modifications
   
   * Added the suppression for this jar as in the owasp plugin repository
   
   ### Verifying this change
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   ### Documentation
   
   - [x] `no-need-doc` 
    
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
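As an added illustration (not the entry merged in this PR nor the dependency-check project's own file), this is the shape a dependency-check suppression for this case takes: it is scoped to the netty-tcnative-classes package URL plus the mis-assigned CPE rather than to the listed CVE ids, so the scanner keeps reporting the real netty jars and any advisory later filed against netty-tcnative itself. The schema URL and the exact regex are assumed from the plugin's documented suppression format.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the suppression merged upstream or in apache/pulsar. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: netty-tcnative-classes 2.0.x is matched to the product
        cpe:/a:netty:netty, so every Netty core CVE (CVE-2014-3488 ... CVE-2021-43797)
        is reported against it. Suppress the CPE match for this one package only;
        do not suppress by CVE id, which would also hide a future real finding.
        ]]></notes>
        <!-- anchored regex: no other io.netty artifact is affected by this entry -->
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
</suppressions>
```

The file is referenced from the dependency-check-maven plugin configuration through its `suppressionFiles` parameter; after adding it, re-run the check and confirm that only the netty-tcnative-classes findings disappear from the report.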



[GitHub] [pulsar] eolivelli commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995898091


   @nicoloboschi what about adding a new job to run the OWASP checker against all active branches? It should be scheduled daily, no need to bind it to PR validation or to pushing to a branch.





[GitHub] [pulsar] lhotari merged pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
lhotari merged pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364


   





[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995891782


   /pulsarbot rerun-failure-checks





[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-999604588


   @lhotari @eolivelli can you port this fix to branch-2.9?





[GitHub] [pulsar] lhotari commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-999681463


   > @lhotari @eolivelli can you port this fix to branch-2.9?
   
   @nicoloboschi done. 519ff431





[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995928973


   > @nicoloboschi what about adding a new job to run the OWASP checker against all active branches? It should be scheduled daily, no need to bind it to PR validation or to pushing to a branch.
   
   https://github.com/apache/pulsar/pull/13366





[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-996818386


   @lhotari @codelipenghui PTAL

