You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by ab...@apache.org on 2021/08/11 10:17:27 UTC
[druid] branch master updated: Suppress CVEs for jdom2,
kafka-clients, libthrift, solr-solrj (#11572)
This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 2a6421d Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2a6421d is described below
commit 2a6421d0d970bd788cdf56dd6763ddbf0aa22d6f
Author: Jonathan Wei <jo...@users.noreply.github.com>
AuthorDate: Wed Aug 11 05:16:57 2021 -0500
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
---
owasp-dependency-check-suppressions.xml | 46 ++++++++++++++++++++++++++++-----
1 file changed, 40 insertions(+), 6 deletions(-)
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 88a1fd3..9b46f22 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -264,6 +264,18 @@
</suppress>
<suppress>
<!--
+ ~ TODO: Fix when Apache Ranger 2.1 is released
+ - transitive dep from apache-ranger, upgrading to 2.1.0 adds other CVEs, staying at ranger 2.0.0 for now
+ -->
+ <notes><![CDATA[
+ file name: kafka-clients-2.0.0.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
+ <cve>CVE-2019-12399</cve>
+ <cve>CVE-2018-17196</cve>
+ </suppress>
+ <suppress>
+ <!--
~ TODO: Fix when Apache Ranger is released with updated log4j
-->
<notes><![CDATA[
@@ -344,13 +356,35 @@
</suppress>
<suppress>
- <notes><![CDATA[
+ <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
+ <notes><![CDATA[
file name: solr-solrj-7.7.1.jar
]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
- <cve>CVE-2020-13957</cve>
- <cve>CVE-2019-17558</cve>
- <cve>CVE-2019-0193</cve>
- <cve>CVE-2020-13941</cve>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
+ <cve>CVE-2020-13957</cve>
+ <cve>CVE-2019-17558</cve>
+ <cve>CVE-2019-0193</cve>
+ <cve>CVE-2020-13941</cve>
+ <cve>CVE-2021-29943</cve>
+ <cve>CVE-2021-27905</cve>
+ <cve>CVE-2021-29262</cve>
+ </suppress>
+
+ <suppress>
+ <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
+ <notes><![CDATA[
+ file name: jdom2-2.0.6.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
+ <cve>CVE-2021-33813</cve>
+ </suppress>
+
+ <suppress>
+ <!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
+ <notes><![CDATA[
+ file name: libthrift-0.13.0.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
+ <cve>CVE-2020-13949</cve>
</suppress>
</suppressions>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org