This is an automated email from the ASF dual-hosted git repository.
jlprat pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new 1983ebebc70 MINOR: fix dependencycheck warnings (#14476)
1983ebebc70 is described below
commit 1983ebebc708a5fdd81671646e1ee8b51f0cd571
Author: Arnout Engelen <[email protected]>
AuthorDate: Wed Oct 11 11:18:19 2023 -0300
MINOR: fix dependencycheck warnings (#14476)
Add suppressions and skip benchmarking/testing projects
Reviewers: Josep Prat <[email protected]>
---
build.gradle | 4 ++++
gradle/dependencies.gradle | 3 +++
gradle/resources/dependencycheck-suppressions.xml | 27 +++++++++++++++++++++++
3 files changed, 34 insertions(+)
diff --git a/build.gradle b/build.gradle
index eee62192200..9df240a7433 100644
--- a/build.gradle
+++ b/build.gradle
@@ -39,6 +39,9 @@ plugins {
id 'org.nosphere.apache.rat' version "0.8.1"
id "io.swagger.core.v3.swagger-gradle-plugin" version "${swaggerVersion}"
+ // When updating the spotbugs gradle plugin, check if it already
+ // includes spotbugs version 4.7.4, in which case CVE-2022-42920 can
+ // be dropped from gradle/resources/dependencycheck-suppressions.xml
id "com.github.spotbugs" version '5.1.3' apply false
id 'org.scoverage' version '7.0.1' apply false
id 'com.github.johnrengelman.shadow' version '8.1.1' apply false
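Review bot: The new comment asks the reader to check whether "the spotbugs gradle plugin" includes SpotBugs 4.7.4, but the version on the next line (`5.1.3`) is the Gradle plugin's, not the SpotBugs tool's, so it is not obvious what to compare. Naming the knob that actually decides the tool version would make the check actionable, e.g. `// When updating the spotbugs gradle plugin, check whether its default spotbugs toolVersion (or any override in this build) is >= 4.7.4;` followed by the existing sentence about dropping CVE-2022-42920 from the suppressions file. The `plugins {` block this hunk belongs to starts outside the hunk.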
@@ -757,6 +760,7 @@ subprojects {
dependencyCheck {
suppressionFile =
"$rootDir/gradle/resources/dependencycheck-suppressions.xml"
+ skipProjects = [ ":jmh-benchmarks", ":trogdor" ]
}
}
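Review bot: `skipProjects = [ ":jmh-benchmarks", ":trogdor" ]` removes two modules from the vulnerability scan without recording why they are out of scope, so a later reader cannot tell whether the exclusion is still justified. A one-line rationale next to it, such as `// benchmark/test-only modules that are not part of the release artifacts (verify before adding more)`, would capture the assumption. That assumption deserves checking for `:trogdor` in particular: if its classes or launcher are packaged into the distribution, its dependencies reach users and the skip hides real findings rather than noise. The enclosing `subprojects {` block starts outside the hunk.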
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 5ea6aac47cb..9c1db35e6f4 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -93,6 +93,9 @@ versions += [
argparse4j: "0.7.0",
bcpkix: "1.75",
caffeine: "2.9.3", // 3.x supports JDK 11 and above
+ // when updating checkstyle, check whether the exclusion of
+ // CVE-2023-2976 and CVE-2020-8908 can be dropped from
+ // gradle/resources/dependencycheck-suppressions.xml
checkstyle: "8.36.2",
commonsCli: "1.4",
commonsValidator: "1.7",
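Review bot: The comment says to check "whether the exclusion ... can be dropped" but leaves the condition in the other file; the suppressions file in this same commit states the target version, so the comment could carry it too and spare the reader the lookup, e.g. `// when updating checkstyle to 10.5.0 or later, drop the CVE-2023-2976 / CVE-2020-8908` on the first line and `// suppression from gradle/resources/dependencycheck-suppressions.xml` on the second. The `versions += [` map this hunk is part of starts outside the hunk.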
diff --git a/gradle/resources/dependencycheck-suppressions.xml
b/gradle/resources/dependencycheck-suppressions.xml
index d6a8110595b..2458e85ab2a 100644
--- a/gradle/resources/dependencycheck-suppressions.xml
+++ b/gradle/resources/dependencycheck-suppressions.xml
@@ -23,4 +23,31 @@
]]></notes>
<cve>CVE-2023-35116</cve>
</suppress>
+ <suppress>
+ <notes><![CDATA[
+ This older version of BCEL is only included in spotbugs.
+ CVE-2022-42920 is irrelevant for spotbugs
+ (https://github.com/spotbugs/spotbugs/discussions/2251),
+ This suppression will no longer be needed when spotbugs 4.7.4 is
+ released.
+ ]]></notes>
+ <cve>CVE-2022-42920</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ This older version of Guava is only included in checkstyle.
+ CVE-2023-2976 and CVE-2020-8908 are irrelevant for checkstyle,
+ as it is not executed with elevated privileges.
+ This suppression will no longer be needed when checkstyle
+ is updated to 10.5.0 or later.
+ ]]></notes>
+ <cve>CVE-2020-8908</cve>
+ <cve>CVE-2023-2976</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ Kafka does not use CgiServlet
+ ]]></notes>
+ <cve>CVE-2023-36479</cve>
+ </suppress>
</suppressions>
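Review bot: Each new `<suppress>` matches on `<cve>` alone, so the suppression applies to every artifact that carries that CVE, not only to the BCEL shipped with spotbugs, the Guava shipped with checkstyle, or the Jetty module holding CgiServlet; if the same vulnerable library later arrives through a runtime dependency, the finding is hidden as well. Scoping each entry to the artifact the note describes keeps the rationale and the suppression aligned, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.bcel/bcel@.*$</packageUrl>` for the first block and the corresponding `com.google.guava/guava` and `org.eclipse.jetty/jetty-servlets` patterns for the other two (coordinates to confirm against the scan report). The two time-bound entries (waiting on spotbugs 4.7.4 and checkstyle 10.5.0) could additionally use the `until` attribute, `<suppress until="YYYY-MM-DDZ">` with a placeholder review date, so the exemption resurfaces instead of living on indefinitely once the version comments are forgotten.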