Posted to commits@nifi.apache.org by jo...@apache.org on 2022/12/03 00:42:17 UTC
[nifi] 04/06: NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to 7.3.2
This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch support/nifi-1.19
in repository https://gitbox.apache.org/repos/asf/nifi.git
commit 186c85d6eb3cb72c8f111e9cbd5c5ada7e131963
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Fri Dec 2 07:57:20 2022 -0600
NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to 7.3.2
- Removed non-applicable suppressions
- Added suppressions for Elasticsearch client libraries and other false positives
Signed-off-by: Pierre Villard <pi...@gmail.com>
This closes #6751.
---
nifi-dependency-check-maven/suppressions.xml | 84 ++++++++++++++++------------
pom.xml | 2 +-
2 files changed, 48 insertions(+), 38 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 90d67d1063..b2b982eb4d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,26 +19,6 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
- <suppress>
- <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
- <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
- <cpe>cpe:/a:netty:netty</cpe>
- </suppress>
- <suppress>
- <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
- <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
- <cpe>cpe:/a:mysql:mysql</cpe>
- </suppress>
- <suppress>
- <notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
- <packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
- <cve>CVE-2021-43138</cve>
- </suppress>
- <suppress>
- <notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
- <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
- <cve>CVE-2021-43138</cve>
- </suppress>
<suppress>
<notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
@@ -49,11 +29,6 @@
<packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
- <suppress>
- <notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
- <packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
- <cpe>cpe:/a:mariadb:mariadb</cpe>
- </suppress>
<suppress>
<notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
@@ -65,14 +40,9 @@
<vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
</suppress>
<suppress>
- <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+ <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
- <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
- <packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
- <cpe>cpe:/a:apache:tomcat</cpe>
+ <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
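Review bot: The rewritten H2 `<notes>` does not say which "command" makes CVE-2022-45868 inapplicable, and the entry now suppresses that CVE for every `h2@2.*` version with no expiry. As published, CVE-2022-45868 concerns the H2 web console's `-webAdminPassword` command-line option leaving the console password visible in the process list; if that is the reasoning, state it so the next reviewer can re-check it against the actual usage: `<notes>CVE-2022-45868 concerns the -webAdminPassword command-line option of the H2 web console; NiFi embeds H2 as a library and does not launch the console</notes>`. Since the packageUrl pattern matches all 2.x releases, dependency-check's `until="YYYY-MM-DDZ"` attribute on `<suppress>` would force the entry to be revisited instead of being carried indefinitely; the surrounding entries in this file appear not to use it either, so this is a file-wide convention to decide on.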
@@ -84,11 +54,6 @@
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
</suppress>
- <suppress>
- <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
- <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
- <cpe>cpe:/a:vmware:spring_security</cpe>
- </suppress>
<suppress>
<notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
@@ -204,4 +169,49 @@
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
<cve>CVE-2022-31159</cve>
</suppress>
+ <suppress>
+ <notes>Hive vulnerabilities do not apply to Iceberg Hive Metadata</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
+ <cpe>cpe:/a:apache:hive</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+ <cve>CVE-2020-7009</cve>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+ <cve>CVE-2020-7014</cve>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ </suppress>
</suppressions>
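Review bot: The packageUrl on the two CVE suppressions for CVE-2020-7009 and CVE-2020-7014 is `^pkg:maven/org\.elasticsearch/elasticsearch.*$`, which has no version bound and also matches the `org.elasticsearch:elasticsearch` server jar itself, whereas the CPE suppressions just above are pinned to `@7.6.0`; pinning it the same way, `^pkg:maven/org\.elasticsearch/elasticsearch.*@7\.6\.0$`, keeps the suppression scoped to the artifact version that was actually reviewed. In every `@7.6.0$` pattern in this hunk the dots are unescaped regex metacharacters; `7\.6\.0` is the intended literal and matches what the rest of the file does for group and artifact names. The `elasticsearch-core@7.6.0` entry is already covered by the later `elasticsearch\-.*?@7.6.0$` pattern and can be dropped. Suppressing the whole `^cpe:/a:elastic.*$` family for the `org.elasticsearch.client` artifacts at any version will also hide a future advisory that NVD files against the REST clients under the same CPE, so a CVE-specific suppression or an `until` date would be the safer shape for that entry.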
diff --git a/pom.xml b/pom.xml
index a75424cf88..cf0c10bdd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1158,7 +1158,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>7.1.2</version>
+ <version>7.3.2</version>
<executions>
<execution>
<inherited>false</inherited>