This is an automated email from the ASF dual-hosted git repository.
lakshsingla pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 7c8e8413627 Suppress CVE's in master (#15231)
7c8e8413627 is described below
commit 7c8e841362792b1bfc45d8b8d12857f7cad38526
Author: Laksh Singla <[email protected]>
AuthorDate: Fri Oct 27 09:29:18 2023 +0530
Suppress CVE's in master (#15231)
---
distribution/bin/check-licenses.py | 2 ++
owasp-dependency-check-suppressions.xml | 34 ++++++++++++++++++++++++++++++---
2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/distribution/bin/check-licenses.py
b/distribution/bin/check-licenses.py
index ae07e5a0373..b069d9545b3 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -266,6 +266,8 @@ def build_compatible_license_names():
compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse
Public License 1.0'
compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse
Public License 1.0'
compatible_licenses['Eclipse Public License v1.0'] = 'Eclipse Public
License 1.0'
+ compatible_licenses['Eclipse Public License - v1.0'] = 'Eclipse Public
License 1.0'
+ compatible_licenses['Eclipse Public License - v 1.0'] = 'Eclipse Public
License 1.0'
compatible_licenses['EPL 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License 2.0'] = 'Eclipse Public
License 2.0'
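Review bot: The two added `compatible_licenses[...]` entries differ from the existing `'Eclipse Public License v1.0'` key only by a hyphen and a space, so the table is being grown one observed spelling at a time and the next POM with a slightly different string will fail the check again. If the lookup is exact-match (the lookup site is not in this hunk), normalising the license name before lookup — casefold, collapse whitespace, drop hyphens, map "version" to "v" — would cover all five EPL 1.0 spellings visible here with one canonical entry. If the exact-match table is kept on purpose, a comment over the EPL group such as `# Spelling variants seen in dependency POMs; lookup is exact, so add new spellings here` would at least tell the next maintainer why the near-duplicates exist. build_compatible_license_names() starts and ends outside this hunk.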
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index e33231ea9ee..ab6e6176994 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -759,6 +759,7 @@
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to
apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843
-->
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate
vulnerability. But there is no fix as of yet in Hadoop repo -->
+ <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by
Jetty, but it hasn't been fixed by Hadoop yet-->
</suppress>
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are
shaded in the jar -->
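Review bot: The new `<cve>CVE-2023-44487</cve>` line suppresses a vulnerability that its own comment calls unfixed, with nothing that brings the finding back once a fixed Hadoop release exists, and it sits in a `<suppress>` element (opened above this hunk) shared with three other CVEs. A separate element with the same scoping and an expiry, `<suppress until="YYYY-MM-DDZ">` with a real review date in place of the placeholder, or at least a tracking-issue reference in the comment, would keep this one on the radar without affecting the other entries. The comment's wording also reads inverted — "the version of Hadoop used by Jetty" — where the dependency direction is presumably Jetty bundled by Hadoop; `<!-- Affects the Jetty version bundled by Hadoop; no fixed Hadoop release yet -->` is likely what was meant, please confirm against the scanner report. Whether the enclosing element is restricted by packageUrl to the Hadoop artifacts is not visible in this hunk.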
@@ -766,6 +767,7 @@
file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js
(pkg:javascript/[email protected])
]]></notes>
<vulnerabilityName>prototype pollution</vulnerabilityName>
+ <cve>CVE-2020-28458</cve>
</suppress>
<suppress>
<notes><![CDATA[
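Review bot: The added `<cve>CVE-2020-28458</cve>` joins a rule whose only visible rationale is that jquery.dataTables.min.js is shaded inside hadoop-client-api-3.3.6.jar; that explains why the file cannot be upgraded independently, not why the bundled copy is harmless. One line in the CDATA notes stating the actual reason — for example that Druid never serves this bundled JS to a browser, if that is the case — would make the suppression self-justifying when the Hadoop version changes. The `<suppress>` element opens above this hunk, so whether it is scoped to the hadoop-client-api artifact rather than to every DataTables match cannot be checked here.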
@@ -805,10 +807,36 @@
<!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation
is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973
-->
<suppress base="true">
- <notes><![CDATA[
- FP per issue #5973
- ]]></notes>
<packageUrl
regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
+
+ <!-- CVE-2023-5072 has a too broad CPE that seems to be flagging
dependencies like json-*. Neither Druid nor any of its
+ ~ transitive dependency use json-java which contains the vulnerability-->
+ <suppress base="true">
+ <cve>CVE-2023-5072</cve>
+ </suppress>
+
+ <!--
+ ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a
previous version of the Zookeeper, Druid only
+ ~ only uses the client classes of the Zookeeper. We do use the older
version in the quickstart & example docker file,
+ ~ however in production it is recomended to use your own Zookeeper server
with the CVE patched up, which the Druid's
+ ~ older ZK library is still compatible with.
+ -->
+ <suppress>
+ <notes><![CDATA[
+ file name: zookeeper-3.5.10.jar
+ ]]></notes>
+ <cve>CVE-2023-44981</cve>
+ </suppress>
+
+ <!--
+ ~ Hostname verification is disabled by default in Netty 4.x, therefore the
version that Druid is using gets flagged,
+ ~ however Druid enables it in ChannelResourceFactory therefore this is a
false positive-->
+ <suppress>
+ <notes><![CDATA[
+ file name: netty-transport-4.1.100.Final.jar
+ ]]></notes>
+ <cve>CVE-2023-4586</cve>
+ </suppress>
</suppressions>
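Review bot: The three new `<suppress>` entries for CVE-2023-5072, CVE-2023-44981 and CVE-2023-4586 match on `<cve>` alone; in the dependency-check suppression format `<notes>` is descriptive text and does not restrict which artifact the rule applies to, so naming zookeeper-3.5.10.jar or netty-transport-4.1.100.Final.jar there does not stop the same CVE being silenced for any other artifact the scanner flags. The plexus entry kept in this hunk shows the pattern to follow: add `<packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper@.*$</packageUrl>` to the ZooKeeper rule and `<packageUrl regex="true">^pkg:maven/io\.netty/netty-transport@.*$</packageUrl>` to the Netty rule (patterns constructed after the plexus one; verify the coordinates against the report). For CVE-2023-5072 the stated reason is a mis-matched CPE, so suppressing the wrongly matched `<cpe>` or scoping the rule to the json-* artifacts the comment names would leave the finding live if json-java itself ever enters the dependency graph, whereas the unscoped `base="true"` rule hides it everywhere. The Netty rationale rests on ChannelResourceFactory keeping hostname verification enabled, which is not visible here; a pointer to that class in the CDATA notes would let the next reviewer re-check it when Netty is bumped. Wording in the new comments: `recomended` → `recommended`, and `Druid only only uses` → `Druid only uses`.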