jihoonson commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r852486219


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/[email protected]$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, 
released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: 
io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/io\.netty/[email protected]$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>
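Review bot: deleting this suppress block leaves the five netty 3.10.5.Final findings (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-37136, CVE-2021-37137) unsuppressed while the shaded netty copy inside ambari-metrics-common-2.7.0.0.0.jar is still pulled in by a child module, so an aggregate scan will fail on it even though `dependency-check:check` on the root project does not. The removal should be paired with an upgrade or exclusion of ambari-metrics-common; otherwise keep the block and replace its stale TODO ("The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018") with a note that states why the suppression is still needed and under what condition it can be dropped.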

Review Comment:
   I see what's going on. I was using the same command, `mvn dependency-check:check`, that we run on Travis. [This command checks only the project dependencies](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/plugin-info.html). The command @suneet-s ran was `mvn dependency-check:aggregate`, which checks the project dependencies as well as the dependencies of all child modules. This is why I missed the error about netty 3.10.5.Final in Ambari. I reverted my change for netty.
   
   Looking at the GitHub history, we tried to change the command to `mvn dependency-check:aggregate` in https://github.com/apache/druid/pull/10883. But we reverted that change in https://github.com/apache/druid/pull/11709 because it was not correctly configured and was blocking our release. I think we should use `mvn dependency-check:aggregate` again with a proper configuration such as [skipTestScope](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/aggregate-mojo.html#skipTestScope) to skip tests. This should be done in a separate PR.
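As an added illustration of the configuration the comment above proposes (this is not Druid's own `pom.xml` and not part of the PR), the root-POM plugin block below wires `dependency-check:aggregate` to the existing suppression file and skips test-scoped dependencies. The plugin version, the CVSS fail threshold and the `.mvn`-style placement are assumptions; `skipTestScope`, `suppressionFiles` and `failBuildOnCVSS` are real parameters of the `dependency-check-maven` plugin.

```xml
<!-- Added example: root pom.xml of a multi-module build. Running
     `mvn -DskipTests org.owasp:dependency-check-maven:aggregate` (or the
     `dependency-check:aggregate` goal if the plugin prefix is resolved)
     scans the root project AND every child module, which is how the shaded
     netty inside ambari-metrics-common is reached; the `check` goal would
     only scan the root project's own dependency tree. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- PLUGIN_VERSION_PLACEHOLDER: pin to the version the project uses -->
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <configuration>
        <!-- Skip test-scoped dependencies; this is the misconfiguration the
             comment says broke the earlier aggregate attempt. -->
        <skipTestScope>true</skipTestScope>
        <!-- Reuse the suppression file this PR edits, so the shaded
             netty 3.10.5.Final suppression (and its TODO) still applies. -->
        <suppressionFiles>
          <suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Assumed threshold: fail the build on High/Critical findings. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Binding the `aggregate` goal in an execution rather than invoking `check` per module is what makes suppressions written for shaded jars (like the netty entry inside ambari-metrics-common) meaningful: with `check` alone those jars are never scanned, and a suppression removal that looks safe locally will fail on the first aggregate run.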


