This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch 29.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/29.0.0 by this push:
new a0cc2dcf86f Resolve CVE issues (#15814) (#15825)
a0cc2dcf86f is described below
commit a0cc2dcf86f61541bf1fda015f4aed62649dd787
Author: Laksh Singla <[email protected]>
AuthorDate: Mon Feb 5 15:08:54 2024 +0530
Resolve CVE issues (#15814) (#15825)
* Resolve CVE issues
* Update license.yaml
Co-authored-by: Vishesh Garg <[email protected]>
---
licenses.yaml | 4 ++--
owasp-dependency-check-suppressions.xml | 21 +++++++++++++++++++++
pom.xml | 2 +-
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/licenses.yaml b/licenses.yaml
index f1a4cba1159..e48dcf1fb8f 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -191,7 +191,7 @@ name: AWS SDK for Java
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 1.12.497
+version: 1.12.638
libraries:
- com.amazonaws: aws-java-sdk-core
- com.amazonaws: aws-java-sdk-ec2
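Review bot: the 1.12.497 to 1.12.638 bump in the AWS SDK for Java entry is not tied to any advisory; the commit message only says "Resolve CVE issues", and the license entry itself carries no reason for the change. Recording the CVE id (or the dependency-check finding) that this bump closes, either in the commit message or in a short comment next to the version, lets whoever audits this entry later confirm the fix without re-running the scan.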
@@ -4632,7 +4632,7 @@ libraries:
name: com.amazonaws aws-java-sdk-bundle
license_category: binary
-version: 1.12.497
+version: 1.12.638
module: druid-ranger-security
license_name: Apache License version 2.0
libraries:
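Review bot: this is a second hand-edited copy of the same 1.12.638 string, here for the aws-java-sdk-bundle used by druid-ranger-security, and nothing in the diff ties it to the aws.sdk.version property in pom.xml. A future bump that touches only the property will leave this entry stale and the license check will then disagree with the resolved artifact. Worth confirming that the module resolves the bundle through the shared property, or adding a comment here pointing at the property so both copies get updated together.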
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index 320a9bcfbc1..cf95771fa14 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -643,4 +643,25 @@
<cve>CVE-2019-0210</cve>
<cve>CVE-2020-13949</cve>
</suppress>
+ <suppress>
+ <notes><![CDATA[
+ FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli
not to the azure-core libraries
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
+ <cve>CVE-2023-36052</cve>
+ </suppress>
+ <suppress>
+ <!-- CVE is for a totally unrelated Sketch mac app -->
+ <notes><![CDATA[
+ file name: sketches-java-0.8.2.jar
+ ]]></notes>
+ <cve>CVE-2021-40531</cve>
+ </suppress>
+ <suppress>
+ <!-- CVE reports versions until 1.10.2 affected. The current version
1.11.1 is already greater and the latest. -->
+ <notes><![CDATA[
+ file name: azure-identity-1.11.1.jar
+ ]]></notes>
+ <cve>CVE-2023-36415</cve>
+ </suppress>
</suppressions>
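Review bot: the second and third suppressions (CVE-2021-40531 for sketches-java and CVE-2023-36415 for azure-identity) carry only a `<cve>` and a `<notes>` element; `<notes>` is documentation, not a matcher, so each of these suppresses the CVE for every dependency in the scan rather than just the jar named in the note. Add a `<packageUrl>` (or `<filePath>`/`<sha1>`) to each so the scope matches the justification, e.g. `<packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>`, and since the CVE-2023-36415 justification is purely version-based ("1.11.1 is already greater"), put an `until` date on that `<suppress>` so it is revisited instead of silently outliving a later downgrade. Separately, the first suppression's pattern `^pkg:maven/com\.azure/azure*@*.*$` reads as a typo for `azure.*@.*`: `azure*` and `@*` are quantifiers on the preceding character, so the pattern matches any com.azure artifact whose name starts with "azur", which happens to be the intended scope here but is misleading to read.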
diff --git a/pom.xml b/pom.xml
index d190f405ed1..6c5d019dd30 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,7 +118,7 @@
however it is required in some cases when running against mockito
4.x (mockito 4.x is required for Java <11.
We use the following property to pick the proper artifact based
on Java version (see pre-java-11 profile) -->
<mockito.inline.artifact>core</mockito.inline.artifact>
- <aws.sdk.version>1.12.497</aws.sdk.version>
+ <aws.sdk.version>1.12.638</aws.sdk.version>
<caffeine.version>2.8.0</caffeine.version>
<jacoco.version>0.8.7</jacoco.version>
<hibernate-validator.version>6.2.5.Final</hibernate-validator.version>