Posted to dev@nifi.apache.org by Mike Thomsen <mi...@gmail.com> on 2023/06/22 14:08:38 UTC

H2 CVE

A colleague found this "CVE" report for H2. I agree with the H2 devs that
it's a big joke of a CVE, but it's something we might want to add something
to the documentation to discuss because it could cause grief for our users.

https://github.com/h2database/h2database/issues/3686

Re: H2 CVE

Posted by David Handermann <ex...@apache.org>.
Hi Mike,

Thanks for noting this finding with H2. Unfortunately there are a large
number of dependencies with associated vulnerability findings, many of
which are false positives.

The OWASP suppressions configuration includes a note for this specific
vulnerability:

https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L23

I have considered running the OWASP dependency check as a scheduled job in
GitHub Actions, which would highlight findings, and also indicate
suppressions based on project evaluation. It seems like that could be
useful for these types of scenarios.

Regards,
David Handermann

On Thu, Jun 22, 2023 at 9:09 AM Mike Thomsen <mi...@gmail.com> wrote:

> A colleague found this "CVE" report for H2. I agree with the H2 devs that
> it's a big joke of a CVE, but it's something we might want to add something
> to the documentation to discuss because it could cause grief for our users.
>
> https://github.com/h2database/h2database/issues/3686
>
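For readers unfamiliar with the OWASP suppressions file David refers to, here is an added example of what such an entry looks like; it is not NiFi's own suppressions.xml, and since the thread never names the CVE number, the identifier below is a placeholder to be replaced with the finding reported by the scanner.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example OWASP dependency-check suppression file (illustrative, not NiFi's). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- Record the reasoning so the suppression can be audited later. -->
        <notes><![CDATA[
            Disputed finding for H2 (see https://github.com/h2database/h2database/issues/3686).
            The reported condition requires an attacker who can already supply the JDBC URL
            or run code in the process, which is not a trust boundary the product defends.
        ]]></notes>
        <!-- Scope the suppression to the H2 artifact only, never to every dependency. -->
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <!-- Placeholder: replace with the CVE identifier shown in the scanner report. -->
        <cve>CVE-YYYY-NNNNN</cve>
    </suppress>
</suppressions>
```

Scoping by `packageUrl` and naming the exact `cve` keeps the suppression from silently hiding a different, real finding in the same or another library.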