This is an automated email from the ASF dual-hosted git repository.

zachjsh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 73711a4  Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)
73711a4 is described below

commit 73711a456a03410e942a3464be01a1dea16f0200
Author: zachjsh <[email protected]>
AuthorDate: Mon Jul 12 22:58:06 2021 -0400

    Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)
    
    Dependency on hadoop 2.8.5 is preventing us from updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
---
 owasp-dependency-check-suppressions.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index 777fa9a..a5a5bda 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -57,6 +57,19 @@
     <cve>CVE-2020-12690</cve>
     <cve>CVE-2020-12691</cve>
   </suppress>
+  <suppress>
+    <!--
+      ~ CVE-2021-27568:
+      ~ dependency on hadoop 2.8.5 is blocking us from updating this 
dependency. Not a major concern since Druid
+      ~ eats uncaught exceptions, and only displays them in logs. This issue 
also should only affect ingestion
+      ~ jobs which can only be run by admin type users.
+      -->
+    <notes><![CDATA[
+   file name: json-smart-2.3.jar
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
+    <cve>CVE-2021-27568</cve>
+  </suppress>
 
 
   <suppress>
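Review bot: the packageUrl regex `^pkg:maven/net\.minidev/json\-smart@.*$` matches every json-smart version, so this suppression will keep silencing CVE-2021-27568 even after the hadoop 2.8.5 blocker is removed and json-smart is bumped; since the notes already name `json-smart-2.3.jar`, consider pinning the regex to that version (for example `^pkg:maven/net\.minidev/json\-smart@2\.3$`) so the finding resurfaces the moment the dependency changes, and adding an `until="..."` date on the `<suppress>` element so the "ingestion jobs only, admin users only" rationale is forced back into review rather than persisting indefinitely.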
