Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/16 12:57:11 UTC
[GitHub] [pulsar] nicoloboschi opened a new pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
nicoloboschi opened a new pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364
### Motivation
OWASP dependency check is failing after https://github.com/apache/pulsar/pull/13328 because of
```
netty-tcnative-classes-2.0.46.Final.jar (pkg:maven/io.netty/netty-tcnative-classes@2.0.46.Final, cpe:2.3:a:netty:netty:2.0.46:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797
```
see: https://github.com/apache/pulsar/runs/4541586789?check_suite_focus=true
It is a false positive, and there is a [PR](https://github.com/jeremylong/DependencyCheck/pull/3890/files) in the OWASP plugin repository to suppress this warning.
### Modifications
* Added the suppression for this jar as in the owasp plugin repository
### Verifying this change
This change is a trivial rework / code cleanup without any test coverage.
### Documentation
- [x] `no-need-doc`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
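The PR above says only that a suppression "as in the owasp plugin repository" was added. For readers who want to see what such an entry looks like, here is an illustrative dependency-check suppression file. It is an added example and not the rule Pulsar or the DependencyCheck repository actually committed; the notes wording, the packageUrl regex and the choice of schema version are assumptions. The point it makes is to suppress the wrong CPE identification (netty:netty applied to a netty-tcnative-classes jar, whose 2.0.46 version string belongs to tcnative, not to Netty 4.1.x) rather than the eleven CVE ids from the failing run, because a per-CVE list would fail again the next time a CVE is published against netty:netty:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppression file (added example, not the entry Pulsar committed).
     Scope: only the netty-tcnative-classes artifact, only the netty:netty CPE. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        netty-tcnative-classes is versioned with netty-tcnative (2.0.x), not with
        netty itself (4.1.x). The analyzer maps it to cpe:2.3:a:netty:netty:2.0.46,
        so every netty CVE whose fixed version is above 2.0.46 matches it.
        Suppress the CPE match, not individual CVEs, so this exclusion does not have
        to be extended every time a new netty:netty CVE is published. (assumed wording)
        ]]></notes>
        <!-- Anchor on the package URL so netty-handler, netty-codec-http and the other
             real netty 4.x jars keep being matched against netty:netty. -->
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
</suppressions>
```

Reference the file from the dependency-check-maven plugin's `suppressionFiles` configuration, then re-run the check and confirm two things: the netty-tcnative-classes finding is gone, and a finding against a genuine netty 4.x jar (if any exists at that NVD snapshot) is still reported. A suppression keyed on `<cpe>` alone, without the `packageUrl` scope, would silence both.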
[GitHub] [pulsar] eolivelli commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995898091
@nicoloboschi what about adding a new job to run the OWASP checker against all active branches?
It should be scheduled daily; there is no need to bind it to PR validation or to pushing to a branch.
[GitHub] [pulsar] lhotari merged pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
lhotari merged pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364
[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995891782
/pulsarbot rerun-failure-checks
[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-999604588
@lhotari @eolivelli can you port this fix to branch-2.9?
[GitHub] [pulsar] lhotari commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-999681463
> @lhotari @eolivelli can you port this fix to branch-2.9?
@nicoloboschi done. 519ff431
[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-995928973
> @nicoloboschi what about adding a new job to run the OWASP checker against all active branches? It should be scheduled daily; there is no need to bind it to PR validation or to pushing to a branch.
https://github.com/apache/pulsar/pull/13366
[GitHub] [pulsar] nicoloboschi commented on pull request #13364: [owasp] Suppress false positive check for netty-tcnative-classes
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #13364:
URL: https://github.com/apache/pulsar/pull/13364#issuecomment-996818386
@lhotari @codelipenghui PTAL