Posted to commits@druid.apache.org by ab...@apache.org on 2022/09/06 06:17:08 UTC

[druid] branch master updated: Suppress false CVEs (#13026)

This is an automated email from the ASF dual-hosted git repository.

abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 7d332c6f6a Suppress false CVEs (#13026)
7d332c6f6a is described below

commit 7d332c6f6a6359e6656b71d5efccdb86c9222a74
Author: Abhishek Agarwal <14...@users.noreply.github.com>
AuthorDate: Tue Sep 6 11:46:56 2022 +0530

    Suppress false CVEs (#13026)
    
    * Suppress CVEs
    
    * Add more suppressions
---
 integration-tests-ex/cases/pom.xml      |  7 +++++++
 integration-tests-ex/image/pom.xml      |  7 +++++++
 integration-tests-ex/tools/pom.xml      | 12 ++++++++++++
 owasp-dependency-check-suppressions.xml | 17 +++++++++++++++--
 4 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/integration-tests-ex/cases/pom.xml b/integration-tests-ex/cases/pom.xml
index cfb91276c1..86713aec4e 100644
--- a/integration-tests-ex/cases/pom.xml
+++ b/integration-tests-ex/cases/pom.xml
@@ -241,6 +241,13 @@
                     </ignoredUnusedDeclaredDependencies>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
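Review bot: The added `<skip>true</skip>` turns off dependency-check for this module without a comment saying why, so a later reader cannot tell whether the skip is deliberate (test-only module) or a leftover from debugging the CVE noise; the same applies to the identical blocks in integration-tests-ex/image/pom.xml and integration-tests-ex/tools/pom.xml. Add a one-line rationale above each block, e.g. `<!-- Integration-test module: dependency-check is skipped here (#13026); its dependencies are not part of the release artifacts -->`, adjusting the second clause to whatever the actual reason is. The plugin declaration carries no `<version>`, so it presumably resolves through the parent's pluginManagement — worth confirming the skip actually takes effect when the check is run from the root.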
diff --git a/integration-tests-ex/image/pom.xml b/integration-tests-ex/image/pom.xml
index dcd59badbc..649367f056 100644
--- a/integration-tests-ex/image/pom.xml
+++ b/integration-tests-ex/image/pom.xml
@@ -225,6 +225,13 @@ Reference: https://dzone.com/articles/build-docker-image-from-maven
 
                         </executions>
                     </plugin>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <configuration>
+                            <skip>true</skip>
+                        </configuration>
+                    </plugin>
                 </plugins>
             </build>
         </profile>
diff --git a/integration-tests-ex/tools/pom.xml b/integration-tests-ex/tools/pom.xml
index b622221438..fe7777ebf1 100644
--- a/integration-tests-ex/tools/pom.xml
+++ b/integration-tests-ex/tools/pom.xml
@@ -153,4 +153,16 @@
 		</dependency>
   </dependencies>
 
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.owasp</groupId>
+				<artifactId>dependency-check-maven</artifactId>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
 </project>
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8518c34a83..f3bb997550 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -49,15 +49,18 @@
     <cve>CVE-2017-16613</cve>
   </suppress>
   <suppress>
-    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
     <notes><![CDATA[
-   file name: openstack-keystone-1.9.3.jar
+   file name: openstack-keystone-1.9.1.jar
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
+    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
     <cve>CVE-2015-7546</cve>
     <cve>CVE-2020-12689</cve>
     <cve>CVE-2020-12690</cve>
     <cve>CVE-2020-12691</cve>
+
+    <!-- This CVE affects the server -->
+    <cve>CVE-2021-3563</cve>
   </suppress>
   <suppress>
     <!--
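Review bot: The comment justifying the new CVE-2021-3563 suppression, `<!-- This CVE affects the server -->`, does not say which server, and sits next to a `packageUrl` regex that matches every version of the jclouds openstack-keystone artifact, so the suppression is permanent and version-agnostic while its justification is one ambiguous word. Make the reason explicit, e.g. `<!-- CVE-2021-3563 is in the OpenStack Keystone service itself; the jclouds openstack-keystone artifact is only the Java client for it -->`, assuming that is the actual rationale. Since the `<notes>` file name was updated from 1.9.3 to 1.9.1 in this same hunk, it is worth stating in the notes that the file name is informational only and the regex governs matching, or else narrowing the regex to the version actually shipped.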
@@ -213,6 +216,14 @@
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
     <cve>CVE-2017-18640</cve>
+    <cve>CVE-2022-25857</cve>
+  </suppress>
+  <suppress>
+    <!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
+    <notes><![CDATA[
+    file name: snakeyaml-1.27.jar
+    ]]></notes>
+    <cve>CVE-2022-25857</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
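Review bot: The second new `<suppress>` block (snakeyaml-1.27.jar) has a `<notes>` element and a `<cve>` but no `packageUrl`, `filePath`, `sha1` or `gav` selector; as far as I know `<notes>` does not constrain matching in the dependency-check suppression format, so this block suppresses CVE-2022-25857 for every dependency in the build, not just the snakeyaml pulled in by kubernetes-client, and it will keep doing so after the 17.0.0 upgrade the comment is waiting for. Scope it the way the neighbouring blocks do, e.g. `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1\.27$</packageUrl>`, and add an `until` attribute on the `<suppress>` element with a re-check date so the suppression expires rather than lingering. The first added line (CVE-2022-25857 on the snakeyaml@1.6 block) extends a suppression whose rationale comment starts above this hunk; confirm that rationale also covers the new CVE.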
@@ -446,6 +457,7 @@
     <!--
       1. hive-storage-api has the thrift vulnerability too
       2. CVE-2021-34538 pertains to Hive server.
+      3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
      -->
     <notes><![CDATA[
      file name: hive-storage-api-2.8.1.jar
@@ -453,6 +465,7 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl>
     <cve>CVE-2020-13949</cve>
     <cve>CVE-2021-34538</cve>
+    <cve>CVE-2021-4125</cve>
   </suppress>
   <suppress>
     <!--

