pagrawal10 commented on code in PR #15772:
URL: https://github.com/apache/druid/pull/15772#discussion_r1473743232


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -61,6 +68,35 @@
     <cve>CVE-2022-4245</cve>
   </suppress>
 
+  <suppress>
+    <notes><![CDATA[
+      file name: sketches-java-0.8.2.jar
+    ]]></notes>
+    <cve>CVE-2021-40531</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+      file name: azure-core-1.45.1.jar
+    ]]></notes>
+    <cve>CVE-2023-36052</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+      file name: azure-core-http-netty-1.13.11.jar
+    ]]></notes>
+    <cve>CVE-2023-36052</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+      file name: azure-identity-1.11.1.jar
+    ]]></notes>
+    <cve>CVE-2023-36415</cve>
+    <cve>CVE-2023-36052</cve>
+  </suppress>
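Review bot: Each of the four new `<suppress>` entries matches on `<cve>` alone; the JAR it is meant for appears only inside `<notes>`, which dependency-check does not use for matching. As written, CVE-2021-40531, CVE-2023-36052 and CVE-2023-36415 are suppressed for every dependency in the scan, and the three separate CVE-2023-36052 entries are equivalent to one. Consider scoping each entry to the named artifact with a `<packageUrl regex="true">` or `<filePath regex="true">` element, and recording in `<notes>` why the CVE does not apply, so that a later version bump or a newly affected dependency is reported again.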

Review Comment:
   These are not being added by the json-path version change. These JARs are 
already present in the master branch. Most of these are new CVEs, and it is 
possible that they were not present earlier in the owasp-checklist. They were 
already added before this PR here:
   1. [ion-path](https://github.com/apache/druid/blob/5edfa9429f40bbddfd868bcd0d51f106702199d3/licenses.yaml#L2401)
   2. [azure-core](https://github.com/apache/druid/blob/5edfa9429f40bbddfd868bcd0d51f106702199d3/extensions-core/azure-extensions/pom.xml#L72)
   3. [sketches-java](https://github.com/apache/druid/blame/5edfa9429f40bbddfd868bcd0d51f106702199d3/extensions-contrib/ddsketch/pom.xml#L38)
   4. [azure-identity](https://github.com/apache/druid/blob/5edfa9429f40bbddfd868bcd0d51f106702199d3/extensions-core/azure-extensions/pom.xml#L56)
   5. [azure-core-http-netty](https://github.com/apache/druid/blame/5edfa9429f40bbddfd868bcd0d51f106702199d3/licenses.yaml#L4262)


