This is an automated email from the ASF dual-hosted git repository. karan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push: new 3a8a97ed3b8 Suppress dependency-check alert of hadoop-client-runtime (#17885) 3a8a97ed3b8 is described below commit 3a8a97ed3b890ac463c7e87ef6b6710728bb516a Author: Zoltan Haindrich <k...@rxd.hu> AuthorDate: Mon Apr 7 16:10:23 2025 +0200 Suppress dependency-check alert of hadoop-client-runtime (#17885) * Add cve supression * disable .net assembly scan --- owasp-dependency-check-suppressions.xml | 1 + pom.xml | 1 + 2 files changed, 2 insertions(+) diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index 3c634a0df35..02b99779df6 100644 --- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -141,6 +141,7 @@ <cve>CVE-2024-47554</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish --> <cve>CVE-2024-47561</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish --> <cve>CVE-2024-29131</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish --> + <cve>CVE-2024-22201</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to a hadoop-client which was not yet released --> </suppress> <!-- those are false positives, no other tools report any of those CVEs in the hadoop package --> diff --git a/pom.xml b/pom.xml index 544831c2510..621f31f446e 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1789,6 +1789,7 @@ <skipSystemScope>true</skipSystemScope> <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system --> <!-- For node analysis info, see https://github.com/jeremylong/DependencyCheck/issues/2482#issuecomment-603755623 --> <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled> <!-- plugin author (jeremylong) recommends to disable, since this analyzer is retired --> + <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled> <nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies> <suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile> </configuration> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@druid.apache.org For additional commands, e-mail: commits-h...@druid.apache.org
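Review bot: the new `<cve>CVE-2024-22201</cve>` line in the owasp-dependency-check-suppressions.xml hunk adds an open-ended suppression of something the comment itself calls "a legitimate vulnerability", with no bound on how long it stays suppressed and no pointer to the artifact or fixing release ("a hadoop-client which was not yet released"). The neighbouring entries at least name the target (hadoop-client 3.4); this one should too, and since the fix is expected in a future release the `<suppress>` element should carry an `until="..."` date (supported by the dependency-check suppression schema) or the comment should reference a tracking issue, so the suppression is revisited instead of silently outliving the reason for it.

Review bot: the added `<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>` in the pom.xml hunk is the only option in this block without an inline comment; every neighbour (`skipSystemScope`, `nodeAnalyzerEnabled`) records why it is set. The rationale lives only in the commit message ("disable .net assembly scan"), so a reader of the pom cannot tell whether this turns off a check that mattered. Suggest something like `<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled> <!-- no .NET assemblies in this build; see #17885 -->` so the reason and the disabling commit are discoverable from the file itself.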