Posted to commits@pulsar.apache.org by sh...@apache.org on 2022/06/03 04:50:28 UTC
[pulsar] branch master updated: [fix][owasp] Suppress CVE-2016-1000027 detection in Spring dependencies (#15864)
This is an automated email from the ASF dual-hosted git repository.
shoothzj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 10a8c852b8e [fix][owasp] Suppress CVE-2016-1000027 detection in Spring dependencies (#15864)
10a8c852b8e is described below
commit 10a8c852b8e1442192e347586b97bd35d4610f7e
Author: Christophe Bornet <cb...@hotmail.com>
AuthorDate: Fri Jun 3 06:50:23 2022 +0200
[fix][owasp] Suppress CVE-2016-1000027 detection in Spring dependencies (#15864)
### Motivation
Fix OWASP scan as CVE-2016-1000027 is a false positive for Spring
See https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1132113566
### Modifications
* Added CVE-2016-1000027 to OWASP suppressions file
* Removed old suppressions not used anymore
### Verifying this change
- [x] Make sure that the change passes the CI checks.
This change is a trivial rework / code cleanup without any test coverage.
### Does this pull request potentially affect one of the following parts:
no
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): (yes / no)
- The public API: (yes / no)
- The schema: (yes / no / don't know)
- The default values of configurations: (yes / no)
- The wire protocol: (yes / no)
- The rest endpoints: (yes / no)
- The admin cli options: (yes / no)
- Anything that affects deployment: (yes / no / don't know)
### Documentation
Check the box below or label this PR directly.
Need to update docs?
- [ ] `doc-required`
(Your PR needs to update docs and you will update later)
- [x] `doc-not-needed`
fix
- [ ] `doc`
(Your PR contains doc changes)
- [ ] `doc-complete`
(Docs have been already added)
---
src/owasp-dependency-check-suppressions.xml | 29 +++--------------------------
1 file changed, 3 insertions(+), 26 deletions(-)
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index a4ad4ac5246..8fe1fd54406 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -169,32 +169,9 @@
<cpe>cpe:/a:apache:rocketmq</cpe>
</suppress>
<suppress>
- <notes><![CDATA[
- file name: spring-core-3.2.18.RELEASE.jar
- ]]></notes>
- <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
- <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: spring-core-3.2.18.RELEASE.jar
- ]]></notes>
- <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
- <cpe>cpe:/a:springsource:spring_framework</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: spring-core-3.2.18.RELEASE.jar
- ]]></notes>
- <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
- <cpe>cpe:/a:vmware:spring_framework</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: spring-core-3.2.18.RELEASE.jar
- ]]></notes>
- <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
- <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+ <notes><![CDATA[Ignored since we are not vulnerable]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>
+ <cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
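Review bot: The new `<notes><![CDATA[Ignored since we are not vulnerable]]></notes>` line records no verifiable reason; the justification lives only in the commit message. Suggest putting the rationale and the upstream reference inline, e.g. `<notes><![CDATA[CVE-2016-1000027: false positive, see https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1132113566]]></notes>`, so the suppression can be re-evaluated when Spring is upgraded. Also, `<packageUrl regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>` matches every org.springframework artifact with no version bound, unlike the removed sha1-pinned entries for `spring-core-3.2.18.RELEASE.jar` that it replaces; if only specific modules are intended, narrow the regex, otherwise state in the notes that a blanket suppression of this CVE is deliberate.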