This is an automated email from the ASF dual-hosted git repository.
lakshsingla pushed a commit to branch 28.0.1
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/28.0.1 by this push:
new e76b87f0895 Suppress CVE-2022-46337 and CVEs below score of 9 for the
patch branch (#15524)
e76b87f0895 is described below
commit e76b87f08958db30d18eeb9867a516df73635d83
Author: Laksh Singla <[email protected]>
AuthorDate: Fri Dec 8 23:36:33 2023 +0530
Suppress CVE-2022-46337 and CVEs below score of 9 for the patch branch
(#15524)
Suppress CVE-2022-46337 and stop failing the build on CVEs scoring below 9 (CVSS) for the patch branch
---
owasp-dependency-check-suppressions.xml | 8 ++++++++
pom.xml | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index e5cd33a5ff5..bdfe6c527d2 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -847,4 +847,12 @@
]]></notes>
<cve>CVE-2023-31582</cve>
</suppress>
+
+ <!--
+ ~ CVE-2022-46337 applies to configurations using authentication for Derby
and is not applicable to Druid. Also, Derby isn't a suggested
+ ~ metadata store for production clusters.
+ -->
+ <suppress>
+ <cve>CVE-2022-46337</cve>
+ </suppress>
</suppressions>
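Review bot: The new `<suppress>` entry carries no artifact scope and no expiry, so it silences CVE-2022-46337 for every dependency indefinitely, and it puts the rationale in an XML comment while the neighbouring entry in this file (the `]]></notes>` at the top of the hunk) keeps it in a `<notes>` child, which Dependency-Check also carries into its report. I would follow the file's convention and bound the suppression: `<suppress until="2024-06-30Z">`, `<notes><![CDATA[CVE-2022-46337 concerns Derby's authentication path, which Druid does not enable; Derby is also not a supported production metadata store. Revisit when Derby is upgraded.]]></notes>`, `<packageUrl regex="true">^pkg:maven/org\.apache\.derby/.*$</packageUrl>`. The comment's own wording acknowledges Derby is still used outside production, so the note should state what makes the CVE inapplicable (the authentication feature Druid does not configure) rather than just asserting it. Given the build now fails only at CVSS >= 9 (second hunk), this CVE presumably scores at or above that threshold, which makes the applicability argument load-bearing and worth recording precisely.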
diff --git a/pom.xml b/pom.xml
index 5fb1f49b2f2..9d22ef43755 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1630,7 +1630,7 @@
<artifactId>dependency-check-maven</artifactId>
<version>7.4.4</version>
<configuration>
- <failBuildOnCVSS>7</failBuildOnCVSS>
+ <failBuildOnCVSS>9</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipSystemScope>true</skipSystemScope> <!-- avoid error
when processing jdk.tools:jdk.tools:jar:1.8:system -->
<!-- For node analysis info, see
https://github.com/jeremylong/DependencyCheck/issues/2482#issuecomment-603755623
-->
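Review bot: Raising `failBuildOnCVSS` from 7 to 9 means HIGH-severity findings (CVSS 7.0–8.9) in dependencies no longer fail the build on this branch, and nothing beside the setting records that this is a patch-branch-only relaxation or who triages the findings that now pass silently. I would annotate it in place: `<!-- 28.0.1 patch branch only: fail on CRITICAL (>= 9) CVEs; HIGH (7.0-8.9) findings are still reported but must be triaged manually. Master keeps 7. -->`. If the intent is manual triage, the generated Dependency-Check report should be retained as a CI artifact, otherwise these findings are effectively invisible. The enclosing `<plugin>` element starts and ends outside this hunk.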