capistrant commented on code in PR #18259:
URL: https://github.com/apache/druid/pull/18259#discussion_r2299308238
##########
owasp-dependency-check-suppressions.xml:
##########
Review Comment:
Are all of these additions directly tied to the changes in dependencies in
this PR? I don't think we should be modifying suppressions for anything that is
not directly caused by this PRs change in dependencies. New CVEs flagged by the
cron should be addressed individually with attempts to remediate before
suppressing
##########
.github/config/codeql-config.yml:
##########
@@ -1,3 +1,5 @@
query-filters:
- exclude:
id: java/stack-trace-exposure
+ - exclude:
Review Comment:
I wonder if it is better to leave this codeql in and just ignore it for this
PR if it is false positive vs turn it off completely? committers should still
be able to push it through and merge even if there is a codeql fail (I think)
##########
pom.xml:
##########
@@ -1823,7 +1827,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
+ <version>12.1.3</version>
Review Comment:
This is a fairly significant bump for this extension. Are we sure there is
no unintended consequences? I agree that it should be brought up to date, but
perhaps in another PR dedicated to bumping plugin versions?
##########
pom.xml:
##########
@@ -78,7 +78,7 @@
<apache.kafka.version>3.9.1</apache.kafka.version>
<!-- when updating apache ranger, verify the usage of aws-bundle-sdk
vs aws-logs-sdk
and update as needed in extensions-core/druid-ranger-security/pm.xml
-->
- <apache.ranger.version>2.4.0</apache.ranger.version>
+ <apache.ranger.version>2.6.0</apache.ranger.version>
Review Comment:
Is the ranger stuff in this PR required for pac4j or were you
opportunistically trying to update more? same with netty and commons lang3
below? Perhaps it is all tied together, but if not I think this PR should focus
in on just changes required for the pac4j extension work.
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -129,6 +129,10 @@
<cve>CVE-2022-26612</cve>
<!-- this one seems to apply to backend server -
https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
+ <cve>CVE-2025-48734</cve>
+ <cve>CVE-2024-13009</cve>
+ <cve>CVE-2023-52428</cve>
+ <cve>CVE-2025-48734</cve>
Review Comment:
this is listed twice
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
