Posted to commits@pulsar.apache.org by ni...@apache.org on 2022/05/13 15:56:26 UTC

[pulsar] 02/06: [owasp] suppress debezium-connector-postgres CVE-2021-23214 false positive (#14802)

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit de9c718c6d36a39f77de69ef3dc03fd41c5db489
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Mon Mar 28 18:16:38 2022 +0200

    [owasp] suppress debezium-connector-postgres CVE-2021-23214 false positive (#14802)
    
    Let's get this in and unblock flaky tests
    
    (cherry picked from commit d03e2d32064d2d52b437c7700078f4a7a4dca2e7)
---
 .github/workflows/ci-owasp-dep-check.yaml      | 2 ++
 src/owasp-dependency-check-false-positives.xml | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/ci-owasp-dep-check.yaml b/.github/workflows/ci-owasp-dep-check.yaml
index 150156b30ec..bcce2b78368 100644
--- a/.github/workflows/ci-owasp-dep-check.yaml
+++ b/.github/workflows/ci-owasp-dep-check.yaml
@@ -51,6 +51,8 @@ jobs:
             poms:
               - 'pom.xml'
               - '**/pom.xml'
+              - 'src/owasp-dependency-check-false-positives.xml'
+              - 'src/owasp-dependency-check-suppressions.xml'
 
       - name: Cache local Maven repository
         if: ${{ steps.changes.outputs.poms == 'true' }}
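Review bot: The filter key `poms` now also matches `src/owasp-dependency-check-false-positives.xml` and `src/owasp-dependency-check-suppressions.xml`, so its name no longer describes what it gates, and the step on the last hunk line (and presumably the later dependency-check steps outside this hunk) will run on suppression edits without that being visible from the key alone. Since the step id and the `outputs.poms` consumers sit outside the hunk, renaming is more churn than the change warrants; a comment above the two added entries, `# suppression files also re-trigger the OWASP check so a new suppression is verified in CI`, would record the intent for the next person editing the filter. The enclosing `changes` step begins before this hunk.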
diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index 7b945a2bbc9..191f9d6b02f 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -59,4 +59,13 @@
     <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
     <cpe>cpe:/a:netty:netty</cpe>
   </suppress>
+
+  <!-- CVE-2021-23214 is about PostGre server -->
+  <suppress>
+    <notes><![CDATA[
+   file name: debezium-connector-postgres-1.7.2.Final.jar
+   ]]></notes>
+    <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1>
+    <cve>CVE-2021-23214</cve>
+  </suppress>
 </suppressions>
\ No newline at end of file
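Review bot: The only justification for suppressing CVE-2021-23214 is the one-line comment `CVE-2021-23214 is about PostGre server`, while `<notes>` carries just the jar file name, so a later audit of this file cannot tell why the finding does not apply without re-researching it. I would move the rationale into the notes element and fix the product name, e.g. `<!-- CVE-2021-23214 affects the PostgreSQL server, not the Debezium connector jar -->` with the notes reading `CVE-2021-23214 is a PostgreSQL server issue; debezium-connector-postgres-1.7.2.Final.jar is a client-side connector and does not ship the server`, plus a link to the assessment or the PR (#14802) so the decision is traceable. Because the match is the `<sha1>` of the 1.7.2.Final jar rather than a `packageUrl` regex, the suppression silently lapses at the next connector bump and the finding will resurface; that is a sensible default for a per-artifact false positive, but it is worth a sentence in the notes so the reappearance is recognised as expected re-evaluation rather than a regression. The file also still ends without a trailing newline, which this hunk inherits rather than introduces.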