Posted to commits@nifi.apache.org by jo...@apache.org on 2022/12/03 00:42:17 UTC

[nifi] 04/06: NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to 7.3.2

This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch support/nifi-1.19
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit 186c85d6eb3cb72c8f111e9cbd5c5ada7e131963
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Fri Dec 2 07:57:20 2022 -0600

    NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to 7.3.2
    
    - Removed non-applicable suppressions
    - Added suppressions for Elasticsearch client libraries and other false positives
    
    Signed-off-by: Pierre Villard <pi...@gmail.com>
    
    This closes #6751.
---
 nifi-dependency-check-maven/suppressions.xml | 84 ++++++++++++++++------------
 pom.xml                                      |  2 +-
 2 files changed, 48 insertions(+), 38 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 90d67d1063..b2b982eb4d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,26 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
-        <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
-        <cpe>cpe:/a:netty:netty</cpe>
-    </suppress>
-    <suppress>
-        <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
-        <cpe>cpe:/a:mysql:mysql</cpe>
-    </suppress>
-    <suppress>
-        <notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
-        <packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
-        <cve>CVE-2021-43138</cve>
-    </suppress>
-    <suppress>
-        <notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
-        <cve>CVE-2021-43138</cve>
-    </suppress>
     <suppress>
         <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
         <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
@@ -49,11 +29,6 @@
         <packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
         <cpe>cpe:/a:mysql:mysql</cpe>
     </suppress>
-    <suppress>
-        <notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
-        <cpe>cpe:/a:mariadb:mariadb</cpe>
-    </suppress>
     <suppress>
         <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
@@ -65,14 +40,9 @@
         <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
     </suppress>
     <suppress>
-        <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+        <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
-        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
-        <packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
-        <cpe>cpe:/a:apache:tomcat</cpe>
+        <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
     </suppress>
     <suppress>
         <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
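Review bot: The replacement suppression for CVE-2022-45868 keeps the `h2@2.*$` packageUrl pattern, so it silences the finding for every current and future H2 2.x version with no review date, while the `<notes>` text only says the triggering command is "not applicable" without saying why that holds independent of version. If the reasoning is that H2 is consumed as an embedded library and the affected command-line entry point is never invoked, stating that in the notes (e.g. `<notes>CVE-2022-45868 affects the H2 command-line console; H2 is used here only as an embedded library</notes>`) would let a later maintainer re-evaluate it, and adding `until="YYYY-MM-DD"` on the `<suppress>` element would force that re-evaluation. Separately, this file identifies CVEs with both `<cve>` (e.g. the aws-java-sdk-swf-libraries entry) and `<vulnerabilityName>` (this entry and the spring-security-crypto one); dependency-check accepts either, but picking one form consistently would make the suppression file easier to audit.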
@@ -84,11 +54,6 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
-        <cpe>cpe:/a:vmware:spring_security</cpe>
-    </suppress>
     <suppress>
         <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
         <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
@@ -204,4 +169,49 @@
         <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
         <cve>CVE-2022-31159</cve>
     </suppress>
+    <suppress>
+        <notes>Hive vulnerabilities do not apply to Iceberg Hive Metadata</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
+        <cpe>cpe:/a:apache:hive</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+        <cve>CVE-2020-7009</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+        <cve>CVE-2020-7014</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+        <cpe>cpe:/a:apache:apache_http_server</cpe>
+    </suppress>
 </suppressions>
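Review bot: The two CVE suppressions keyed on `^pkg:maven/org\.elasticsearch/elasticsearch.*$` (CVE-2020-7009 and CVE-2020-7014) are broader than their `<notes>` claim: the pattern has no version bound and also matches the `elasticsearch` server artifact itself, not only client libraries, so a future upgrade that pulls in an affected server jar would stay suppressed. Bounding them the same way the neighbouring CPE suppressions are bounded, e.g. `<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*@7\.6\.0$</packageUrl>`, or adding `until="YYYY-MM-DD"` to those two `<suppress>` elements, would keep the exception tied to the version that was actually assessed. As a point of style, the version segments `@7.6.0$` in the plugin, elasticsearch-core, elasticsearch and elasticsearch-libraries patterns leave the dots unescaped while every other regex in this file writes `\.`; the unescaped form is harmless here but inconsistent, and `@7\.6\.0$` would match the file's convention. The `^cpe:/a:elastic.*$` CPE regex also covers every Elastic product CPE rather than just Elasticsearch; that is acceptable given the packageUrl bound, but worth a short mention in the notes.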
diff --git a/pom.xml b/pom.xml
index a75424cf88..cf0c10bdd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1158,7 +1158,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.1.2</version>
+                        <version>7.3.2</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>