Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/05/06 21:06:48 UTC

[GitHub] [druid] maytasm opened a new pull request #11215: Suppressing false positive CVE-2020-7791

maytasm opened a new pull request #11215:
URL: https://github.com/apache/druid/pull/11215


   Suppressing false positive CVE-2020-7791
   
   ### Description
   CVE-2020-7791 (https://snyk.io/vuln/SNYK-DOTNET-I18N-1050179) refers to https://github.com/turquoiseowl/i18n, where the issue is indicated to be in some .cs file (which is C#). Apache Druid has a dependency on hadoop-auth, which has a dependency on apacheds-kerberos-codec, which in turn has a dependency on apacheds-i18n. The apacheds-i18n that is used here is https://github.com/apache/directory-server/tree/master/i18n (Java) and is different from the one in CVE-2020-7791.
   
   This PR has:
   - [x] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
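A check a reviewer could automate for this kind of change, as an added example that is not part of the PR or of Druid: a small Python linter that parses an OWASP dependency-check suppression file and reports entries that lack a `<notes>` justification, an artifact scope, or a named vulnerability. The sample file, the example-lib entry, the CVE-2000-* ids and the apacheds-i18n Maven coordinates and version regex are constructed or assumed, not taken from the project's file.

```python
# Added example (not from the Druid PR): lint an OWASP dependency-check
# suppression file so every <suppress> is documented and narrowly scoped.
import xml.etree.ElementTree as ET

SCOPE_TAGS = {"packageUrl", "gav", "sha1", "filePath", "cpe"}   # what the entry applies to
VULN_TAGS = {"cve", "vulnerabilityName", "cvssBelow"}          # which finding it silences


def _local(tag):
    """Strip the XML namespace: '{urn}suppress' -> 'suppress'."""
    return tag.rsplit("}", 1)[-1]


def lint_suppressions(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, sup in enumerate(e for e in root if _local(e.tag) == "suppress"):
        kids = {_local(c.tag): c for c in sup}
        label = kids["cve"].text.strip() if "cve" in kids else f"entry #{idx}"
        notes = (kids["notes"].text or "") if "notes" in kids else ""
        if not notes.strip():
            findings.append(f"{label}: no <notes> explaining why this is suppressed")
        if not SCOPE_TAGS & kids.keys():
            findings.append(f"{label}: not scoped to an artifact (packageUrl/gav/sha1)")
        if not VULN_TAGS & kids.keys():
            findings.append(f"{label}: silences every finding for the artifact")
    return findings


# Constructed sample file (not Druid's). The CVE-2000-* ids and example-lib are
# made up; the apacheds-i18n Maven coordinates and the '@.*' version regex are assumed.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <packageUrl regex="true">^pkg:maven/org\\.example/example\\-lib@1\\.0$</packageUrl>
    <cve>CVE-2000-0001</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive: CVE-2020-7791 is about the C# turquoiseowl/i18n
      project; this artifact is apacheds-i18n from apache/directory-server (Java).]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.apache\\.directory\\.server/apacheds\\-i18n@.*$</packageUrl>
    <cve>CVE-2020-7791</cve>
  </suppress>
  <suppress>
    <notes>Documented, but with no artifact scope it applies to every dependency.</notes>
    <cve>CVE-2000-0002</cve>
  </suppress>
</suppressions>
"""

if __name__ == "__main__":
    for line in lint_suppressions(SAMPLE) or ["clean"]:
        print(line)
```

Run against the constructed sample it reports the undocumented first entry and the unscoped third entry, and passes the apacheds-i18n entry that carries both a justification and a package scope.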


[GitHub] [druid] maytasm merged pull request #11215: Suppressing false positive CVE-2020-7791

Posted by GitBox <gi...@apache.org>.
maytasm merged pull request #11215:
URL: https://github.com/apache/druid/pull/11215




[GitHub] [druid] jihoonson commented on a change in pull request #11215: Suppressing false positive CVE-2020-7791

Posted by GitBox <gi...@apache.org>.
jihoonson commented on a change in pull request #11215:
URL: https://github.com/apache/druid/pull/11215#discussion_r627774306



##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -157,6 +157,13 @@
     <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@4.41.1$</packageUrl>
     <cve>CVE-2019-17195</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
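Review bot: the `<notes>` CDATA that opens on the last `+` line should say explicitly that CVE-2020-7791 is a false positive and why (the advisory concerns the C# turquoiseowl/i18n project, while the transitive dependency reached via hadoop-auth and apacheds-kerberos-codec is apacheds-i18n from apache/directory-server), so a future maintainer can re-check the reasoning instead of trusting a bare suppression; the rest of the entry is cut off here, but mirroring the preceding entry, a `<packageUrl regex="true">` anchored to the apacheds-i18n coordinates together with a single `<cve>CVE-2020-7791</cve>` keeps the suppression from silencing other findings on the same artifact.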

Review comment:
       Can you add a comment that this is false positive?






[GitHub] [druid] maytasm commented on a change in pull request #11215: Suppressing false positive CVE-2020-7791

Posted by GitBox <gi...@apache.org>.
maytasm commented on a change in pull request #11215:
URL: https://github.com/apache/druid/pull/11215#discussion_r627802766



##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -157,6 +157,13 @@
     <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@4.41.1$</packageUrl>
     <cve>CVE-2019-17195</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[

Review comment:
       Done



