This is an automated email from the ASF dual-hosted git repository.

abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 2eff090  suppress kafka-clients CVE (#11562)
2eff090 is described below

commit 2eff0902aa1865d0878dc53a9fca93fb1e5c0afa
Author: Abhishek Agarwal <[email protected]>
AuthorDate: Mon Aug 9 19:02:25 2021 +0530

    suppress kafka-clients CVE (#11562)
    
    The CVE details are here: https://nvd.nist.gov/vuln/detail/CVE-2021-26291.
    I am marking it suppressed since we are only using the kafka-clients jar in Druid.
    We use the maven-artifact jar ourselves, but it is only used for comparing versions.
---
 owasp-dependency-check-suppressions.xml | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index a5a5bda..88a1fd3 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -264,17 +264,6 @@
   </suppress>
   <suppress>
     <!--
-      ~ TODO: Fix when Apache Ranger 2.1 is released
-      -->
-    <notes><![CDATA[
-    file name: kafka-clients-2.0.0.jar
-    ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/[email protected]$</packageUrl>
-    <cve>CVE-2019-12399</cve>
-    <cve>CVE-2018-17196</cve>
-  </suppress>
-  <suppress>
-    <!--
       ~ TODO: Fix when Apache Ranger is released with updated log4j
       -->
     <notes><![CDATA[
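Review bot: the first hunk silently drops the whole kafka-clients-2.0.0.jar suppression (CVE-2019-12399 and CVE-2018-17196) that was tied to the "Fix when Apache Ranger 2.1 is released" TODO, yet the commit message only talks about CVE-2021-26291; please state in the message that the 2.0.0 jar is no longer pulled in (and by which dependency change) so a reader knows this is a cleanup rather than an accidental un-suppression. If the jar is still on the classpath, the next dependency-check run will flag both CVEs again, so a quick scan before merge would confirm the removal is safe.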
@@ -322,11 +311,11 @@
      <cve>CVE-2020-9492</cve>
   </suppress>
   <suppress>
-    <!-- We don't use scala compilation daemon. -->
+    <!-- The CVE is not applicable to kafka-clients. -->
     <notes><![CDATA[
-     file name: kafka-clients-2.7.0.jar
+     file name: kafka-clients-2.8.0.jar
      ]]></notes>
-    <cve>CVE-2017-15288</cve>
+    <cve>CVE-2021-26291</cve>
   </suppress>
   <suppress until="2021-05-30">
     <!-- Suppress this until https://github.com/apache/druid/issues/11028 is 
resolved. -->
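Review bot: the replacement entry in the second hunk has only a `<cve>` child and no selector, so the comment "The CVE is not applicable to kafka-clients." is the only record of why it is suppressed, and the `<notes>` block with `file name: kafka-clients-2.8.0.jar` is informational, not a filter; add a `<packageUrl regex="true">` selector scoped to org.apache.kafka/kafka-clients (the block removed in the first hunk shows the pattern) so CVE-2021-26291 is suppressed only for that artifact rather than for every dependency the scan matches it against. The justification from the commit message (the vulnerable code is in maven-artifact's version handling, and Druid only uses maven-artifact for comparing versions) belongs inside the `<notes>` CDATA, since this file is what a future auditor reads, and an `until="..."` date like the neighbouring `<suppress until="2021-05-30">` would force the suppression to be revisited once kafka-clients is upgraded again.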
