(druid) branch master updated: Suppress Hadoop and jose4j cve (#15425)

Thu, 23 Nov 2023 19:55:21 -0800 

This is an automated email from the ASF dual-hosted git repository.

kfaraz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 75d6993da93 Suppress Hadoop and jose4j cve (#15425)
75d6993da93 is described below

commit 75d6993da93a7459793048095d27c33031c463e2
Author: Kashif Faraz <[email protected]>
AuthorDate: Fri Nov 24 09:25:10 2023 +0530

    Suppress Hadoop and jose4j cve (#15425)
    
    Changes
    - Suppress CVE-2023-36478 as there is no newer Hadoop version available 
that addresses
    - Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not 
addressed yet.
---
 owasp-dependency-check-suppressions.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index ab6e6176994..b551607063f 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -87,6 +87,15 @@
     <cve>CVE-2022-42004</cve>
   </suppress>
 
+  <suppress>
+    <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed 
in either place yet -->
+    <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 
1000 or less -->
+    <notes><![CDATA[
+    file name: jose4j-0.7.3.jar
+    ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
+    <cve>CVE-2023-31582</cve>
+  </suppress>
 
   <suppress>
     <!-- Not much for us to do as a user of the client lib, and no patch is 
available,
@@ -760,6 +769,7 @@
     <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to 
apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 
-->
     <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate 
vulnerability. But there is no fix as of yet in Hadoop repo -->
     <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
+    <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
   </suppress>
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are 
shaded in the jar -->


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to