This is an automated email from the ASF dual-hosted git repository.

jlprat pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new dcd8c7d05f2 MINOR: suppress dependencycheck warning for CVE-2023-35116 
(#14460)
dcd8c7d05f2 is described below

commit dcd8c7d05f2f22f2d815405e7ab3ad7439669239
Author: Arnout Engelen <[email protected]>
AuthorDate: Mon Oct 2 18:38:29 2023 +0200

    MINOR: suppress dependencycheck warning for CVE-2023-35116 (#14460)
    
    As in most projects, this attack cannot be carried out by an external
    attacker against Kafka.
    
    Reviewers: Josep Prat <[email protected]>
---
 build.gradle                                      |  3 +++
 gradle/resources/dependencycheck-suppressions.xml | 26 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/build.gradle b/build.gradle
index c0d9f077975..c73331bb02f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -755,6 +755,9 @@ subprojects {
     task reportCoverage(dependsOn: [coverageGen])
   }
 
+  dependencyCheck {
+    suppressionFile = 
"$rootDir/gradle/resources/dependencycheck-suppressions.xml"
+  }
 }
 
 gradle.taskGraph.whenReady { taskGraph ->
diff --git a/gradle/resources/dependencycheck-suppressions.xml 
b/gradle/resources/dependencycheck-suppressions.xml
new file mode 100644
index 00000000000..d6a8110595b
--- /dev/null
+++ b/gradle/resources/dependencycheck-suppressions.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
+  <suppress>
+    <notes><![CDATA[
+      The attack described in CVE-2023-35116, like in most application, cannot
+      be achieved by an external attacker.
+    ]]></notes>
+    <cve>CVE-2023-35116</cve>
+  </suppress>
+</suppressions>
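Review bot: The `<suppress>` entry on the line with `<cve>CVE-2023-35116</cve>` is unscoped, so it silences that CVE for every artifact in every subproject, including any future dependency the scanner later matches to it; bind it to the affected artifact with a `<packageUrl regex="true">` (or `<gav>`) element above the `<cve>` line, and give the `<suppress>` an `until="YYYY-MM-DDZ"` attribute (placeholder date) so the suppression is re-examined rather than living forever. The `<notes>` text only restates the commit message ("cannot be achieved by an external attacker"); a reader auditing suppressions needs the concrete reason the precondition is not met in Kafka, so the notes should name the artifact and version this applies to, the attack precondition the CVE requires, and why Kafka does not expose that path to untrusted input. The `;` after the closing quote on the `<suppressions` line looks like a mail-rendering artifact of the wrapped xmlns URL; if it is actually in the committed file the XML is malformed and dependency-check will fail to parse the suppression file, so it is worth confirming against the repository.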
