abhishekagarwal87 commented on code in PR #15231:
URL: https://github.com/apache/druid/pull/15231#discussion_r1371154978
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -811,4 +813,25 @@
<packageUrl
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
+
+ <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java
- https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+ <suppress base="true">
+ <notes><![CDATA[
+ FP per issue #5991
Review Comment:
what does this mean? What issue does it refer to?
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -811,4 +813,25 @@
<packageUrl
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
+
+ <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java
- https://github.com/jeremylong/DependencyCheck/issues/5991 -->
Review Comment:
we don't use json-java at all. "flags all versions of json-java" text seems
unrelated to why we are suppressing it.
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -811,4 +813,25 @@
<packageUrl
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
+
+ <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java
- https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+ <suppress base="true">
+ <notes><![CDATA[
+ FP per issue #5991
+ ]]></notes>
+ <cve>CVE-2023-5072</cve>
+ </suppress>
+
+ <!--
+ ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a
previous version of the Zookeeper, Druid only
+ ~ only uses the client classes of the Zookeeper. We do use the older
version in the quickstart & example docker file,
+ ~ however in production it is recomended to use your own Zookeeper server
with the CVE patched up, which the Druid's
+ ~ older ZK library is still compatible with.
Review Comment:
👍
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -811,4 +813,25 @@
<packageUrl
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
+
+ <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java
- https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+ <suppress base="true">
+ <notes><![CDATA[
+ FP per issue #5991
+ ]]></notes>
+ <cve>CVE-2023-5072</cve>
+ </suppress>
+
+ <!--
+ ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a
previous version of the Zookeeper, Druid only
+ ~ only uses the client classes of the Zookeeper. We do use the older
version in the quickstart & example docker file,
+ ~ however in production it is recomended to use your own Zookeeper server
with the CVE patched up, which the Druid's
+ ~ older ZK library is still compatible with.
Review Comment:
👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
