Posted to commits@druid.apache.org by ab...@apache.org on 2022/09/06 06:17:08 UTC
[druid] branch master updated: Suppress false CVEs (#13026)
This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 7d332c6f6a Suppress false CVEs (#13026)
7d332c6f6a is described below
commit 7d332c6f6a6359e6656b71d5efccdb86c9222a74
Author: Abhishek Agarwal <14...@users.noreply.github.com>
AuthorDate: Tue Sep 6 11:46:56 2022 +0530
Suppress false CVEs (#13026)
* Suppress CVEs
* Add more suppressions
---
integration-tests-ex/cases/pom.xml | 7 +++++++
integration-tests-ex/image/pom.xml | 7 +++++++
integration-tests-ex/tools/pom.xml | 12 ++++++++++++
owasp-dependency-check-suppressions.xml | 17 +++++++++++++++--
4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/integration-tests-ex/cases/pom.xml b/integration-tests-ex/cases/pom.xml
index cfb91276c1..86713aec4e 100644
--- a/integration-tests-ex/cases/pom.xml
+++ b/integration-tests-ex/cases/pom.xml
@@ -241,6 +241,13 @@
</ignoredUnusedDeclaredDependencies>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
</plugins>
</build>
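Review bot: The `<skip>true</skip>` added here switches OWASP dependency-check off for this whole module with no comment recording why, so the next maintainer sees an unexplained scanning gap rather than a deliberate exception; the identical plugin blocks in integration-tests-ex/image/pom.xml and integration-tests-ex/tools/pom.xml have the same omission. The reason is presumably that these are integration-test modules whose dependencies are not shipped, but that belongs in the file, e.g. `<!-- Integration-test-only module: OWASP dependency-check is skipped here, see #13026 -->` placed just above `<configuration>`. In the image pom the plugin sits inside a `<profile>` whose opening is outside that hunk, so the skip there applies only when the profile is active — worth confirming that is intended. The enclosing `<build>` and `<plugins>` elements of this hunk start outside it.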
diff --git a/integration-tests-ex/image/pom.xml b/integration-tests-ex/image/pom.xml
index dcd59badbc..649367f056 100644
--- a/integration-tests-ex/image/pom.xml
+++ b/integration-tests-ex/image/pom.xml
@@ -225,6 +225,13 @@ Reference: https://dzone.com/articles/build-docker-image-from-maven
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
</plugins>
</build>
</profile>
diff --git a/integration-tests-ex/tools/pom.xml b/integration-tests-ex/tools/pom.xml
index b622221438..fe7777ebf1 100644
--- a/integration-tests-ex/tools/pom.xml
+++ b/integration-tests-ex/tools/pom.xml
@@ -153,4 +153,16 @@
</dependency>
</dependencies>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
</project>
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8518c34a83..f3bb997550 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -49,15 +49,18 @@
<cve>CVE-2017-16613</cve>
</suppress>
<suppress>
- <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<notes><![CDATA[
- file name: openstack-keystone-1.9.3.jar
+ file name: openstack-keystone-1.9.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
+ <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<cve>CVE-2015-7546</cve>
<cve>CVE-2020-12689</cve>
<cve>CVE-2020-12690</cve>
<cve>CVE-2020-12691</cve>
+
+ <!-- This CVE affects the server -->
+ <cve>CVE-2021-3563</cve>
</suppress>
<suppress>
<!--
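Review bot: The new justification `<!-- This CVE affects the server -->` for CVE-2021-3563 does not say which server or why the artifact matched by the `<packageUrl>` is out of scope, whereas the neighbouring comment explains the Python-SDK mismatch concretely; the suppression file is the audit record for a dismissed finding, so the comment should name the component, along the lines of `<!-- CVE-2021-3563 is in the OpenStack Keystone server; this jclouds artifact is only the client-side API -->`, worded to match whatever analysis was actually done. Note that the `<packageUrl>` regex `@.*$` matches every version of the artifact, so the added CVE stays suppressed across upgrades; that is acceptable for a fixed CVE id, but the file name changed in `<notes>` (now 1.9.1) is free text and does not pin anything. The enclosing `<suppressions>` root element is outside the hunk.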
@@ -213,6 +216,14 @@
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
<cve>CVE-2017-18640</cve>
+ <cve>CVE-2022-25857</cve>
+ </suppress>
+ <suppress>
+ <!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
+ <notes><![CDATA[
+ file name: snakeyaml-1.27.jar
+ ]]></notes>
+ <cve>CVE-2022-25857</cve>
</suppress>
<suppress>
<notes><![CDATA[
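Review bot: The new `<suppress>` block for snakeyaml-1.27 carries only `<notes>` and a `<cve>`, with no `<packageUrl>`, `<sha1>` or `<filePath>`; `<notes>` is free text and does not restrict the match, so as far as the suppression schema goes CVE-2022-25857 is suppressed for every dependency in the build rather than for that one jar, unlike the existing snakeyaml 1.6 entry just above which is pinned by `<packageUrl>`. Add the matcher between `</notes>` and `<cve>`, e.g. `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.27$</packageUrl>`. Since the comment says this is only until kubernetes-client 17.0.0 ships, the suppress element also accepts an `until` date attribute, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date), so the exception expires instead of lingering after the upgrade.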
@@ -446,6 +457,7 @@
<!--
1. hive-storage-api has the thrift vulnerability too
2. CVE-2021-34538 pertains to Hive server.
+ 3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
-->
<notes><![CDATA[
file name: hive-storage-api-2.8.1.jar
@@ -453,6 +465,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl>
<cve>CVE-2020-13949</cve>
<cve>CVE-2021-34538</cve>
+ <cve>CVE-2021-4125</cve>
</suppress>
<suppress>
<!--