Posted to commits@nifi.apache.org by jo...@apache.org on 2023/01/31 00:13:30 UTC
[nifi] branch main updated: NIFI-11114 Thise closes #6906. Upgraded OWASP Dependency Check from 7.4.4 to 8.0.2
This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new bda1bd326d NIFI-11114 Thise closes #6906. Upgraded OWASP Dependency Check from 7.4.4 to 8.0.2
bda1bd326d is described below
commit bda1bd326d3b4b097bdbb9bb70f9c01479ff7759
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Mon Jan 30 13:40:09 2023 -0600
NIFI-11114 Thise closes #6906. Upgraded OWASP Dependency Check from 7.4.4 to 8.0.2
- Added jetty-jmx to managed dependencies to maintain aligned versions
Signed-off-by: Joe Witt <jo...@apache.org>
---
nifi-dependency-check-maven/suppressions.xml | 21 ++++++++++++++++++---
pom.xml | 7 ++++++-
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index ee73d03bb0..fd17ad5457 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -180,8 +180,23 @@
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
- <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
- <cpe>cpe:/a:apache:apache_http_server</cpe>
+ <notes>CVE-2022-45046 description notes that the initial issue was not a security vulnerability</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
+ <cve>CVE-2022-45046</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers</notes>
+ <packageUrl regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
+ <cve>CVE-2020-36632</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2018-8015 applies to Apache ORC not to Apache Iceberg</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
+ <cve>CVE-2018-8015</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
+ <cve>CVE-2022-39135</cve>
</suppress>
</suppressions>
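Review bot: The CVE-2022-45046 suppression for camel-salesforce is justified by the CVE record's own wording that the issue was not a security vulnerability, not by a package-name collision like the three entries after it, so it can silently become wrong if that record is revised, yet the `^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$` pattern matches every version indefinitely. Dependency Check's `<suppress>` element accepts an `until` date; time-boxing that one entry, e.g. `<suppress until="2023-07-31Z">`, would force a periodic re-check instead of hiding a later reassessment. It would also help to record in its `<notes>` where the wording was checked (the NVD entry or the Apache advisory) so the next maintainer can re-verify without guessing. The flatbuffers, iceberg-orc and Avatica suppressions each pin a single CVE to a package whose name merely collides with the affected product, which is the appropriately narrow scope; the lazy `.*?` in the Avatica pattern is harmless but `.*` reads more plainly.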
diff --git a/pom.xml b/pom.xml
index 44ae66f326..6115b3be61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -512,6 +512,11 @@
<artifactId>jetty-util-ajax</artifactId>
<version>${jetty.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-jmx</artifactId>
+ <version>${jetty.version}</version>
+ </dependency>
<dependency>
<groupId>org.eclipse.jetty.http2</groupId>
<artifactId>http2-client</artifactId>
@@ -1190,7 +1195,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
+ <version>8.0.2</version>
<executions>
<execution>
<inherited>false</inherited>