LakshSingla opened a new pull request, #15231: URL: https://github.com/apache/druid/pull/15231
This PR suppresses the following CVEs:

* CVE-2023-44487 - Suppressing the CVE since it hasn't been fixed in the latest version of Hadoop.
* CVE-2020-28458 - Pretty old CVE that was suppressed using `<vulnerabilityName>` already; however, it was popping up while trying to build the artifact.
* CVE-2023-5072 - Affects `json-java`, which neither Druid nor any of its dependencies is using (verified using `mvn dependency:tree`). False positive; looks like the CPE identifier is so generic that it is flagging JARs with `json-` in their name.
* CVE-2023-44981 - Genuine CVE; this should be resolved once we upgrade ZK, since the ZK version Druid is using doesn't have a patch for this CVE. This seems to affect ZK servers, and Druid uses that in quickstart/docker-compose. In production, users are supposed to use their own ZK (containing a later & patched version of ZK), with which the client libraries Druid is using would be compatible.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
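Added example, not part of the PR and not Druid's actual suppression file: one way to express the four suppressions described above in an OWASP dependency-check suppressions file, so that each entry is scoped to the artifact it is meant to cover and the genuine CVEs carry an expiry. The point of scoping is that a bare `<cve>` or `<vulnerabilityName>` entry with no `packageUrl`/`filePath` suppresses that CVE for every dependency in the build, including one added later that really is affected. The `packageUrl` and `filePath` patterns, the `until` dates and the note text are assumptions for illustration; the CVE IDs and the reasons given for each come from the PR description.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppressions file in OWASP dependency-check format.
     Not Druid's own file; artifact patterns and dates are assumed. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Genuine CVE in Hadoop with no fixed release yet. Scoped to Hadoop
       artifacts only (assumed pattern) and time-boxed with `until` so the
       finding resurfaces instead of being forgotten. -->
  <suppress until="2024-04-01Z">
    <notes><![CDATA[CVE-2023-44487: not yet fixed in the latest Hadoop release; revisit on next Hadoop upgrade.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/.*$</packageUrl>
    <cve>CVE-2023-44487</cve>
  </suppress>

  <!-- Previously suppressed by <vulnerabilityName> but still reported during
       the build; matching on the CVE id as well covers both report forms. -->
  <suppress>
    <notes><![CDATA[CVE-2020-28458: old finding, previously suppressed via vulnerabilityName.]]></notes>
    <vulnerabilityName>CVE-2020-28458</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[CVE-2020-28458: same finding, matched by CVE id.]]></notes>
    <cve>CVE-2020-28458</cve>
  </suppress>

  <!-- False positive: the CPE match is over-broad and hits any JAR whose file
       name contains "json-". Restrict the suppression to those file names
       rather than suppressing the CVE globally. -->
  <suppress>
    <notes><![CDATA[CVE-2023-5072: applies to json-java, which is not on the dependency tree (checked with mvn dependency:tree); CPE over-matches JARs named json-*.]]></notes>
    <filePath regex="true">.*json-.*\.jar</filePath>
    <cve>CVE-2023-5072</cve>
  </suppress>

  <!-- Genuine ZooKeeper server CVE; only the bundled quickstart ZK is
       affected. Scoped to the ZK artifact (assumed coordinates) and
       time-boxed until the ZK upgrade lands. -->
  <suppress until="2024-04-01Z">
    <notes><![CDATA[CVE-2023-44981: affects ZK servers; Druid ships ZK only for quickstart/docker-compose. Remove once ZK is upgraded.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper@.*$</packageUrl>
    <cve>CVE-2023-44981</cve>
  </suppress>

</suppressions>
```

When an `until` date passes, dependency-check stops honouring that entry and the finding reappears in the report, which is the intended reminder for the two genuine CVEs. Before adding a "not on the dependency tree" suppression like the `json-java` one, confirm the claim the same way the PR does (`mvn dependency:tree | grep json`), since a suppression by file-name pattern will also hide a future real dependency whose JAR name happens to match.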
