Re: [PR] Suppress CVE's in master (druid)

via GitHub Wed, 25 Oct 2023 02:12:45 -0700


LakshSingla commented on code in PR #15231:
URL: https://github.com/apache/druid/pull/15231#discussion_r1371419221



##########
owasp-dependency-check-suppressions.xml:
##########
@@ -811,4 +813,25 @@
     <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
     <cve>CVE-2022-4244</cve>
   </suppress>
+
+  <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java 
- https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+  <suppress base="true">
+    <notes><![CDATA[
+   FP per issue #5991

Review Comment:
   This is picked up from a description in 
https://github.com/jeremylong/DependencyCheck which suppresses it. There's 
another suppression in the suppression file 
[here](https://github.com/apache/druid/blob/5840e2df6bf88f8a5996691e1513d4d6890e2579/owasp-dependency-check-suppressions.xml#L811)
 which also does the same, so I assumed that it's standard to add it in the 
notes. 
   I'll clean up the suppression. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: [PR] Suppress CVE's in master (druid)

Reply via email to