This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 18ecb73441 NIFI-10092 Updated OWASP dependency-check suppressions
18ecb73441 is described below
commit 18ecb73441372f840d7fb34889c48802f2b48962
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Jun 4 11:24:53 2022 -0500
NIFI-10092 Updated OWASP dependency-check suppressions
- Changed Maven profile from owasp to dependency-check
- Configured dependency check plugin to run in validate phase
Signed-off-by: Pierre Villard <[email protected]>
This closes #6100.
---
nifi-dependency-check-maven/suppressions.xml | 30 ++++++++++++++++++++++++++++
pom.xml | 8 +++-----
2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml
b/nifi-dependency-check-maven/suppressions.xml
index 3184dff06b..9b1b2cdf2e 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -29,4 +29,34 @@
<packageUrl
regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
+ <suppress>
+ <notes>StumbleUpon Async is incorrectly identified as the JavaScript
Async library</notes>
+ <packageUrl
regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
+ <cve>CVE-2021-43138</cve>
+ </suppress>
+ <suppress>
+ <notes>HBase Async is incorrectly identified as the JavaScript Async
library</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
+ <cve>CVE-2021-43138</cve>
+ </suppress>
+ <suppress>
+ <notes>Jetty SSLEngine is incorrectly identified with Jetty
Server</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
+ <cpe regex="true">^cpe:.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>MySQL Binary Log Connector is incorrectly identified as MySQL
server</notes>
+ <packageUrl
regex="true">^pkg:maven/com\.github\.shyiko/mysql\-binlog\-connector\-java@.*$</packageUrl>
+ <cpe>cpe:/a:mysql:mysql</cpe>
+ </suppress>
+ <suppress>
+ <notes>Testcontainers MariaDB is incorrectly identified with MariaDB
server</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
+ <cpe>cpe:/a:mariadb:mariadb</cpe>
+ </suppress>
+ <suppress>
+ <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper
server</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
+ <cpe>cpe:/a:apache:zookeeper</cpe>
+ </suppress>
</suppressions>
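Review bot: The jetty-sslengine entry suppresses every CPE match on that artifact with `<cpe regex="true">^cpe:.*$</cpe>`, while the other five new entries each name the one CPE that produced the false positive. A blanket pattern means any future finding against org.mortbay.jetty/jetty-sslengine, reported under any CPE, is dropped from the report without anyone seeing it. Narrow it to the Jetty CPE the report actually matched (presumably `<cpe>cpe:/a:eclipse:jetty</cpe>` or the older mortbay one; confirm against the dependency-check output), and consider an expiry such as `<suppress until="[review date]">` so the suppression is re-examined rather than living forever.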
diff --git a/pom.xml b/pom.xml
index bdc129c58c..d186969af9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1237,12 +1237,9 @@
</properties>
</profile>
<profile>
- <!-- Run "mvn clean verify -P owasp" to generate
dependency-check-report.html in the target directory -->
+ <!-- Run "mvn validate -P dependency-check" to generate
dependency-check-report.html in the target directory -->
<!-- Report results require detailed analysis to determine whether
the vulnerability impacts the application -->
- <id>owasp</id>
- <properties>
- <skipTests>true</skipTests>
- </properties>
+ <id>dependency-check</id>
<build>
<plugins>
<plugin>
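Review bot: Renaming the profile id from `owasp` to `dependency-check` means any CI job, release script or README step that still runs `mvn ... -P owasp` will get only a Maven warning that the profile does not exist and then proceed with a normal build, so the scan stops running without failing anything. Grep the repository and CI configuration for `-P owasp` and update those call sites in this change, or keep the old id as an alias until they are migrated. Dropping `<skipTests>` is consistent with the new `mvn validate` invocation in the comment above, since the validate phase precedes test, but anyone running `mvn verify -P dependency-check` will now execute the full test suite as well; worth a sentence in the comment.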
@@ -1252,6 +1249,7 @@
<executions>
<execution>
<inherited>false</inherited>
+ <phase>validate</phase>
<goals>
<goal>aggregate</goal>
</goals>