This is an automated email from the ASF dual-hosted git repository.
greyp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new d2dbaa3c62 NIFI-10346 Added OWASP Dependency Check Suppressions
d2dbaa3c62 is described below
commit d2dbaa3c62124598e2077c44e81d23d8faa1ffcf
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Aug 11 08:55:41 2022 -0500
NIFI-10346 Added OWASP Dependency Check Suppressions
- Suppressed Apache Calcite vulnerabilities not applicable to Calcite
Avatica subproject
- Suppressed HBase server vulnerabilities not applicable to client libraries
- Suppressed several mismatched product vulnerabilities
This closes #6290
Signed-off-by: Paul Grey <[email protected]>
---
nifi-dependency-check-maven/suppressions.xml | 60 ++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/nifi-dependency-check-maven/suppressions.xml
b/nifi-dependency-check-maven/suppressions.xml
index 732f01fb3b..02b12ca644 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -134,4 +134,64 @@
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<cve>CVE-2017-10355</cve>
</suppress>
+ <suppress>
+ <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite
Avatica</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
+ <cve>CVE-2020-13955</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite
Avatica</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
+ <cve>CVE-2020-13955</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite
Druid</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
+ <cve>CVE-2020-13955</cve>
+ </suppress>
+ <suppress>
+ <notes>OpenTSDB vulnerabilities do not apply to HBase Async
library</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
+ <cpe>cpe:/a:opentsdb:opentsdb</cpe>
+ </suppress>
+ <suppress>
+ <notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus
core library</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
+ <cpe>cpe:/a:eclipse:equinox</cpe>
+ </suppress>
+ <suppress>
+ <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
+ <cve>CVE-2018-8025</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
+ <cve>CVE-2019-0212</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
+ <packageUrl
regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
+ <vulnerabilityName>CVE-2014-3643</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes>Fan Platform vulnerabilities do not apply to JUnit Platform
libraries</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.junit\.platform/junit\-platform\-engine@.*$</packageUrl>
+ <cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
+ </suppress>
+ <suppress>
+ <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client
libraries</notes>
+ <packageUrl
regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
+ <cve>CVE-2007-6465</cve>
+ </suppress>
+ <suppress>
+ <notes>Pro Search vulnerabilities do not apply to Spatial4j</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
+ <cpe>cpe:/a:pro_search:pro_search</cpe>
+ </suppress>
+ <suppress>
+ <notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to
the Java SDK</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
+ <cve>CVE-2021-43045</cve>
+ </suppress>
</suppressions>
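Review bot: None of the new `<suppress>` entries carries an `until` date, yet several of them (both hbase-client entries, jersey-core, metrics-ganglia, avro) are reachability arguments — the CVE is real and only the affected component is believed absent from the client-side artifact — rather than product-name mismatches, and with the version-agnostic `@.*$` package patterns they will stay silent across every future upgrade of those artifacts. For that class of suppression, consider `<suppress until="2023-08-11">` (assuming the suppression schema version in use supports the attribute) so the rationale is re-checked rather than inherited indefinitely; the pure CPE mismatch entries (opentsdb, eclipse:equinox, fan_platform, pro_search) can reasonably remain open-ended. The calcite-druid rationale is thinner than the two Avatica ones, because calcite-druid is a module of Apache Calcite itself rather than a separate product; if the reasoning is that the affected HTTP client code lives in calcite-core, which remains unsuppressed, the `<notes>` should say so explicitly. Two consistency nits: the two `org\.apache\.calcite\/calcite-…` patterns escape the slash and leave the hyphen unescaped while every other entry writes `/` and `\-`, and the jersey-core entry uses `<vulnerabilityName>` where the rest of the file uses `<cve>` — unless that finding is reported under a non-NVD name, `<cve>CVE-2014-3643</cve>` keeps the file uniform.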