This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a commit to branch cassandra-3.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git


The following commit(s) were added to refs/heads/cassandra-3.0 by this push:
     new 493d15fffa Upgrade to OWASP 8.3.1
493d15fffa is described below

commit 493d15fffa21e57fcaef7cfb2099cbaa3ab6bb47
Author: Brandon Williams <brandonwilli...@apache.org>
AuthorDate: Thu Jul 6 15:50:26 2023 -0500

    Upgrade to OWASP 8.3.1
    
    Patch by brandonwilliams; reviewed by edimitrova for CASSANDRA-18650
---
 .build/build-owasp.xml                   |  2 +-
 .build/dependency-check-suppressions.xml | 10 ++++++++++
 CHANGES.txt                              |  1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.build/build-owasp.xml b/.build/build-owasp.xml
index f3174999e8..a792730fb9 100644
--- a/.build/build-owasp.xml
+++ b/.build/build-owasp.xml
@@ -17,7 +17,7 @@
   ~ limitations under the License.
   -->
 <project basedir="." name="apache-cassandra-owasp-tasks">
-    <property name="dependency-check.version" value="6.3.2"/>
+    <property name="dependency-check.version" value="8.3.1"/>
     <property name="dependency-check.home" 
value="${build.dir}/dependency-check-ant-${dependency-check.version}"/>
 
     <condition property="is.dependency.check.jar">
diff --git a/.build/dependency-check-suppressions.xml 
b/.build/dependency-check-suppressions.xml
index 96500422d4..dead8f6120 100644
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@ -116,6 +116,14 @@
         <cve>CVE-2018-11798</cve>
         <cve>CVE-2019-0205</cve>
     </suppress>
+    <suppress>
+        <packageUrl 
regex="true">^pkg:maven/com\.thinkaurelius\.thrift/thrift-server@.*$</packageUrl>
+        <cve>CVE-2015-3254</cve>
+        <cve>CVE-2016-5397</cve>
+        <cve>CVE-2018-1320</cve>
+        <cve>CVE-2018-11798</cve>
+        <cve>CVE-2019-0205</cve>
+    </suppress>
 
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-16056 -->
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-15416 -->
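Review bot: The new thrift-server `<suppress>` block gives no justification, whereas the neighbouring entries in this file cite a JIRA issue in a comment; an auditor reading the list later cannot tell why these five CVEs are treated as not applicable to this artifact, or whether the reasoning is the same as for the preceding block that lists the identical CVE set. The dependency-check suppression schema has a `<notes>` child for this, e.g. `<notes>[reason these CVEs do not apply to thrift-server]; see CASSANDRA-18650</notes>`, and a comment `<!-- https://issues.apache.org/jira/browse/CASSANDRA-18650 -->` above the block would match the existing convention. Because the `^pkg:maven/...@.*$` regex matches every future version of the package, consider an `until="YYYY-MM-DDZ"` attribute on `<suppress>` so the entry is re-reviewed rather than silently masking the CVEs forever. The same applies to the two CVEs added to the jackson-databind block in the next hunk.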
@@ -138,6 +146,8 @@
     <suppress>
         <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <cve>CVE-2023-35116</cve>
+       <cve>CVE-2022-42003</cve>
+       <cve>CVE-2022-42004</cve>
     </suppress>
 
 </suppressions>
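Review bot: The two added `<cve>` lines are indented with seven spaces while the sibling `<cve>CVE-2023-35116</cve>` and the rest of the file use eight, so the new entries sit one column left of the others; align them as `        <cve>CVE-2022-42003</cve>` and `        <cve>CVE-2022-42004</cve>`. Whitespace is not significant to the parser here, but the file is otherwise consistently four-space indented and the misalignment suggests a paste rather than a deliberate edit. If the pinned jackson-databind version already contains the upstream fixes for these two CVEs, a `<notes>` line stating that would make the suppression self-explanatory; if it does not, an upgrade would be the more durable fix than a suppression.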
diff --git a/CHANGES.txt b/CHANGES.txt
index cc2eea7a38..fbe5e0751b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.0.30
+ * Upgrade OWASP to 8.3.1 (CASSANDRA-18650)
  * Suppress CVE-2023-34462 (CASSANDRA-18649)
  * Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
  * Suppress CVE-2023-35116 (CASSANDRA-18630)

