This is an automated email from the ASF dual-hosted git repository.

kfaraz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new c26b18c953 Port CVE suppressions from 24.0.1 (#13415)
c26b18c953 is described below

commit c26b18c953e33b3bc886695e45836182357b593e
Author: Rohan Garg <[email protected]>
AuthorDate: Wed Nov 23 11:35:33 2022 +0530

    Port CVE suppressions from 24.0.1 (#13415)
    
    * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004
    (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d)
    * Suppress CVEs
    (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f)
    * Suppress vulnerabilities from druid-website package
    (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e)
    * Add more suppressions for website package
    (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
---
 owasp-dependency-check-suppressions.xml | 100 +++++++++++++++++++++++++++++++-
 1 file changed, 97 insertions(+), 3 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index 6ffb3b9f2e..a09ed507cc 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -88,6 +88,17 @@
     <packageUrl 
regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl>
     <cve>CVE-2021-27568</cve>
   </suppress>
+  <suppress>
+    <!--
+      Suppressing for patch release 24.0.1
+      -->
+    <notes><![CDATA[
+   file name: jackson-databind-2.10.5.1.jar
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2022-42003</cve>
+    <cve>CVE-2022-42004</cve>
+  </suppress>
 
 
   <suppress>
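Review bot: The new jackson-databind suppression's comment `Suppressing for patch release 24.0.1` records when it was added but not why CVE-2022-42003 and CVE-2022-42004 are acceptable to ignore, and its packageUrl regex ends in `@.*$`, so it will keep matching after jackson-databind is upgraded to a fixed version and the suppression will never be revisited. The notes already name jackson-databind-2.10.5.1.jar, so the regex could be bounded to that version, e.g. `^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2\.10\.5\.1$`, or the element given an expiry with dependency-check's `until` attribute (`<suppress until="YYYY-MM-DDZ">`, date to be chosen by the maintainers). Either way the notes should state the risk decision itself (whether the affected deserialization path is believed unreachable from untrusted input in Druid, or this is a deferral pending an upgrade) rather than only the release it was made for.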
@@ -209,6 +220,15 @@
       <cve>CVE-2018-1320</cve>
       <cve>CVE-2019-0205</cve>
   </suppress>
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of 
com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage     -->
+    <notes><![CDATA[
+    file name: jettison-1.*.jar
+    ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
+    <cve>CVE-2022-40149</cve>
+    <cve>CVE-2022-40150</cve>
+  </suppress>
   <suppress>
     <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of 
com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
     <notes><![CDATA[
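Review bot: The comment on the new jettison suppression is copied verbatim from the astyanax/cassandra-storage suppression that follows it, but nothing in the element says how jettison relates to astyanax, so a reader cannot tell whether this is a transitive dependency of that extension or an unrelated paste. If jettison is pulled in transitively by com.netflix.astyanax:astyanax, the comment should say so explicitly, e.g. `<!-- TODO: jettison is a transitive dependency of com.netflix.astyanax:astyanax (extensions-contrib/cassandra-storage); drop once it is replaced by com.datastax.oss:java-driver-core -->`. The regex `jettison@1.*$` also matches any later 1.x release that fixes CVE-2022-40149 and CVE-2022-40150, so it should be bounded to the version actually shipped or given an `until` date so the entry expires.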
@@ -304,6 +324,13 @@
     <cve>CVE-2019-12399</cve>
     <cve>CVE-2018-17196</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: kafka-clients-3.2.0.jar
+    ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
+    <cve>CVE-2022-34917</cve>
+  </suppress>
   <suppress>
     <!--
       ~ TODO: Fix when Apache Ranger is released with updated log4j
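Review bot: The new kafka-clients suppression carries no comment or rationale, only the jar name, so the reason CVE-2022-34917 can be ignored for the client library is not recorded anywhere. If the basis is that the advisory describes broker-side behaviour that does not apply to kafka-clients, write that down, e.g. `<!-- False positive: CVE-2022-34917 concerns the Kafka broker, not the kafka-clients library -->`; if it is instead an accepted risk, say so. As with the other additions in this commit, `kafka\-clients@.*$` matches every future version, so the suppression will not be reconsidered when the dependency is upgraded unless it is bounded to 3.2.0 or given an `until` date.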
@@ -418,8 +445,17 @@
      <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
      <cve>CVE-2018-14718</cve>
      <cve>CVE-2018-7489</cve>
+     <cve>CVE-2022-42003</cve>
+     <cve>CVE-2022-42004</cve>
+  </suppress>
+  <suppress>
+    <!-- aliyun-oss -->
+    <notes><![CDATA[
+    file name: ini4j-0.5.4.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
+    <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
   </suppress>
-
   <suppress>
     <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 
still uses solr 7.7.1-->
     <notes><![CDATA[
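Review bot: CVE-2022-42003 and CVE-2022-42004 are added to the suppression whose packageUrl targets `org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*` without a note explaining why jackson-databind advisories are being suppressed on the legacy codehaus artifacts; if this is the scanner attributing fasterxml jackson-databind CVEs to the 1.9 codehaus jars, the notes should say so, otherwise the two ids read as an accepted risk on the real jackson-databind, which this commit suppresses separately in an earlier hunk. The enclosing `<suppress>` starts before the hunk, so whatever comment it already has is not visible here. In the new ini4j suppression, `<vulnerabilityName>CVE-2022-41404</vulnerabilityName>` carries a CVE id where every other CVE in this file uses `<cve>`, so `<cve>CVE-2022-41404</cve>` is the consistent form, and the bare comment `<!-- aliyun-oss -->` should state the relationship it is hinting at, e.g. `<!-- Transitive dependency of the aliyun-oss extension -->` if that is what it means.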
@@ -622,8 +658,15 @@
    file name: avatica-server-1.17.0.jar
    ]]></notes>
     <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: calcite-core-1.21.0.jar
+    ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>
+    <cve>CVE-2020-13955</cve>
   </suppress>
-
   <suppress>
     <!-- False positive. 42.3.3 is not affected by the CVE. And we don't use 
Resultset.refreshRow method either  -->
     <notes><![CDATA[
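Review bot: The new calcite-core suppression records only `file name: calcite-core-1.21.0.jar` and gives no reason CVE-2020-13955 is acceptable, and the CVE-2022-39135 added to the preceding avatica-server suppression is likewise uncommented (that `<suppress>` starts before the hunk, so an existing comment there is not visible). Each should state whether the affected code path is believed unreachable in Druid or whether this is a temporary deferral pending an upgrade; a `TODO` in the style of the file's other entries would do. Since the notes already pin 1.21.0, bounding the regex to `^pkg:maven/org\.apache\.calcite/calcite\-core@1\.21\.0$` (or adding `until`) would make the suppression fall away once Calcite is upgraded instead of masking the CVE on every future version.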
@@ -631,7 +674,6 @@
    ]]></notes>
     <cve>CVE-2022-31197</cve>
   </suppress>
-
   <suppress>
     <!-- avatica-server-1.17.0.jar -->
     <notes><![CDATA[
@@ -666,4 +708,56 @@
     <vulnerabilityName>1084597</vulnerabilityName>
   </suppress>
 
+  <suppress>
+     <notes><![CDATA[
+     file name: d3-color:2.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
+     <vulnerabilityName>1084597</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-3.11.0.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-util-3.11.0.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: ansi-regex:5.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
+     <vulnerabilityName>1084697</vulnerabilityName>
+     <cve>CVE-2021-3807</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: glob-parent:5.1.1
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
+     <vulnerabilityName>1081884</vulnerabilityName>
+     <cve>CVE-2020-28469</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: minimatch:3.0.4
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl>
+     <vulnerabilityName>1084765</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: y18n:4.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/y18n@.*$</packageUrl>
+     <vulnerabilityName>1070209</vulnerabilityName>
+     <cve>CVE-2020-7774</cve>
+   </suppress>
 </suppressions>
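Review bot: From the `</suppress>` closing the d3-color entry onward, the new npm and protobuf suppressions are indented three spaces with five-space children, while the opening `<suppress>` of that same entry and the rest of the file use two and four, so the block is misaligned with itself and will be rewritten by `xmllint --format`. None of the seven entries records a rationale beyond a file name; the commit message says they come from the website package, so each note should at least say that, and if these are build-time-only dependencies of that package rather than shipped code, say so, since that would be the actual reason the findings are low risk. The two protobuf-java suppressions for CVE-2022-3171 differ only in artifact name and could be one entry using the alternation style the file already applies to `jackson-(xc|jaxrs)`: `<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java(\-util)?@.*$</packageUrl>`.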

