Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/09/03 23:51:42 UTC

[GitHub] [druid] ccaominh opened a new pull request #10353: Ignore CVEs from htrace and ambari transitive deps

ccaominh opened a new pull request #10353:
URL: https://github.com/apache/druid/pull/10353


   htrace CVEs are suppressed for now as addressing them requires updating the hadoop version.
   
   ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained.
   
   After these suppressions, the security scan passes.
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
   - [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
   - [x] been manually tested by running `mvn dependency-check:check`.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
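The PR above accepts several findings "for now" by adding entries to owasp-dependency-check-suppressions.xml. A suppression is a risk acceptance, and one with no expiry and no artifact scope silently becomes permanent and hides the same CVE for every dependency. The following lint is an added example for this thread, not code from the Druid project or from dependency-check; it reads a suppressions file in the dependency-check format (namespace, `until` attribute, `packageUrl`/`gav`/`sha1`/`filePath` selectors) and reports entries that never expire, have expired, or are not scoped to a particular artifact. The embedded sample XML, its Maven coordinates and its CVE ids are constructed placeholders, not findings from any real scan.

```python
"""Lint an OWASP dependency-check suppressions file for entries that would
hide findings indefinitely or more broadly than intended.

Added example for this discussion; not part of Druid or dependency-check.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample in the dependency-check suppression format. The Maven
# coordinates and CVE ids are placeholders, not real findings.
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2020-12-31Z">
    <notes>Temporary: the fix needs a hadoop upgrade; revisit at expiry.</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example-tracing@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress>
    <notes>Scoped to one artifact but never expires.</notes>
    <gav regex="true">^org\.example:example-legacy:.*$</gav>
    <cve>CVE-0000-0002</cve>
  </suppress>
  <suppress>
    <notes>Worst case: no expiry and no artifact scope.</notes>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>
"""

# Elements that narrow a <suppress> to particular artifacts. Without one of
# these, the listed CVEs are suppressed for every dependency in the build.
SCOPE_TAGS = {"filePath", "sha1", "gav", "packageUrl"}


def local(tag):
    """Strip the XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def parse_until(value):
    """The until= attribute is an xs:date such as 2020-12-31Z."""
    return dt.date.fromisoformat(value.rstrip("Z"))


def lint_suppressions(xml_text, today_iso):
    """Return (entry_index, problem) pairs for risky suppressions.

    today_iso is the reference date as an ISO string, so the caller decides
    what "expired" means (e.g. the date of the scan being reviewed).
    """
    today = parse_until(today_iso)
    root = ET.fromstring(xml_text)
    entries = [n for n in root if local(n.tag) == "suppress"]
    problems = []
    for idx, node in enumerate(entries):
        children = {local(c.tag) for c in node}
        until = node.get("until")
        if until is None:
            problems.append((idx, "no until= expiry: the suppression never comes back for review"))
        elif parse_until(until) < today:
            problems.append((idx, f"until={until} has passed: remove the entry or re-justify it"))
        if not children & SCOPE_TAGS:
            problems.append((idx, "no filePath/sha1/gav/packageUrl: the CVEs are hidden for every dependency"))
        if "notes" not in children:
            problems.append((idx, "no <notes>: record why it is suppressed and what unblocks removal"))
    return problems


if __name__ == "__main__":
    for idx, problem in lint_suppressions(SAMPLE_SUPPRESSIONS, dt.date.today().isoformat()):
        print(f"suppress[{idx}]: {problem}")
```

Run against the real file with `lint_suppressions(open("owasp-dependency-check-suppressions.xml").read(), ...)` and fail the build on a non-empty result; a TODO-style entry such as the one in this PR then has to carry an `until` date and a scope, and the scan starts failing again once the date passes instead of staying green forever.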


[GitHub] [druid] suneet-s commented on a change in pull request #10353: Ignore CVEs from htrace and ambari transitive deps

Posted by GitBox <gi...@apache.org>.
suneet-s commented on a change in pull request #10353:
URL: https://github.com/apache/druid/pull/10353#discussion_r483323216



##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -156,6 +156,28 @@
       <cve>CVE-2018-1320</cve>
       <cve>CVE-2019-0205</cve>
   </suppress>
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
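Review bot: the new `<suppress>` opened here describes itself as temporary (the TODO says the real fix is moving from `com.netflix.astyanax:astyanax` to `com.datastax.oss:java-driver-core`), so it should carry an `until="YYYY-MM-DDZ"` attribute rather than being open-ended; dependency-check drops an expired suppression and re-reports the findings, which is the reminder the TODO comment alone will not provide. Also, the module path in the comment reads `extensions-contrib/cassandra-stroage`, which looks like a typo for `cassandra-storage`; a later grep for the module name would miss this entry.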

Review comment:
       Can you create a github issue for this so we don't forget.





[GitHub] [druid] ccaominh commented on a change in pull request #10353: Ignore CVEs from htrace and ambari transitive deps

Posted by GitBox <gi...@apache.org>.
ccaominh commented on a change in pull request #10353:
URL: https://github.com/apache/druid/pull/10353#discussion_r483802950



##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -156,6 +156,28 @@
       <cve>CVE-2018-1320</cve>
       <cve>CVE-2019-0205</cve>
   </suppress>
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->

Review comment:
       Created https://github.com/apache/druid/issues/10358





[GitHub] [druid] ccaominh merged pull request #10353: Ignore CVEs from htrace and ambari transitive deps

Posted by GitBox <gi...@apache.org>.
ccaominh merged pull request #10353:
URL: https://github.com/apache/druid/pull/10353


   

