This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch support/nifi-1.19 in repository https://gitbox.apache.org/repos/asf/nifi.git
commit 186c85d6eb3cb72c8f111e9cbd5c5ada7e131963 Author: exceptionfactory <[email protected]> AuthorDate: Fri Dec 2 07:57:20 2022 -0600 NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to 7.3.2 - Removed non-applicable suppressions - Added suppressions for Elasticsearch client libraries and other false positives Signed-off-by: Pierre Villard <[email protected]> This closes #6751.
---
 nifi-dependency-check-maven/suppressions.xml | 84 ++++++++++++++++------------
 pom.xml | 2 +-
 2 files changed, 48 insertions(+), 38 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 90d67d1063..b2b982eb4d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,26 +19,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
 <cpe regex="true">^cpe:.*$</cpe>
 </suppress>
- <suppress>
- <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
- <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
- <cpe>cpe:/a:netty:netty</cpe>
- </suppress>
- <suppress>
- <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
- <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
- <cpe>cpe:/a:mysql:mysql</cpe>
- </suppress>
- <suppress>
- <notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
- <packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
- <cve>CVE-2021-43138</cve>
- </suppress>
- <suppress>
- <notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
- <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
- <cve>CVE-2021-43138</cve>
- </suppress>
 <suppress>
 <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
 <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
@@ -49,11 +29,6 @@
 <packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
 <cpe>cpe:/a:mysql:mysql</cpe>
 </suppress>
- <suppress>
- <notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
- <packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
- <cpe>cpe:/a:mariadb:mariadb</cpe>
- </suppress>
 <suppress>
 <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
@@ -65,14 +40,9 @@
 <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
 </suppress>
 <suppress>
- <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+ <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
 <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
- <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
- <packageUrl>pkg:maven/org.mortbay.jasper/[email protected]</packageUrl>
- <cpe>cpe:/a:apache:tomcat</cpe>
+ <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
 </suppress>
 <suppress>
 <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
@@ -84,11 +54,6 @@
 <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
 </suppress>
- <suppress>
- <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
- <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
- <cpe>cpe:/a:vmware:spring_security</cpe>
- </suppress>
 <suppress>
 <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
 <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
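Review bot: The replacement `<notes>` on the `h2@2.*` suppression, `CVE-2022-45868 requires running H2 from a command not applicable to project references`, does not say which command or which references are meant, so a later audit of this file cannot re-check the reasoning without going back to the advisory. Suggested wording: `CVE-2022-45868 concerns the H2 command-line web console accepting its admin password as a cleartext argument; the project references H2 only as a library and does not launch that console` (the second clause is what the current note appears to imply and should be confirmed). The entry also keys the CVE with `<vulnerabilityName>` while the neighbouring CVE-specific entries in this file use `<cve>`; both are accepted, but one form throughout makes the file easier to grep. The enclosing `<suppressions>` root starts and ends outside this hunk.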
@@ -204,4 +169,49 @@
 <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
 <cve>CVE-2022-31159</cve>
 </suppress>
+ <suppress>
+ <notes>Hive vulnerabilities do not apply to Iceberg Hive Metadata</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
+ <cpe>cpe:/a:apache:hive</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*[email protected]$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\[email protected]$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/[email protected]$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+ <cve>CVE-2020-7009</cve>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+ <cve>CVE-2020-7014</cve>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*[email protected]$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index a75424cf88..cf0c10bdd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1158,7 +1158,7 @@
 <plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
- <version>7.1.2</version>
+ <version>7.3.2</version>
 <executions>
 <execution>
 <inherited>false</inherited>
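Review bot: The `<cpe regex="true">^cpe:/a:elastic.*$</cpe>` pattern repeated in five of the new Elasticsearch entries (plugin, elasticsearch-core, elasticsearch, elasticsearch libraries, elasticsearch-rest-client) matches every CPE whose vendor starts with `elastic`, not just the Elasticsearch server product the notes justify, so a future mapping of one of these artifacts to a different Elastic product would be hidden by the same rule. Narrowing it to `^cpe:/a:elastic(search)?:elasticsearch.*$` keeps both vendor spellings the NVD dictionary has used for Elasticsearch while leaving other products visible; the same change applies to each of the five entries. The CVE-2020-7009 and CVE-2020-7014 entries are keyed on `^pkg:maven/org\.elasticsearch/elasticsearch.*$`, which also covers the server artifact itself rather than only client jars; if that artifact is present solely as a client dependency, as the notes suggest, saying so in `<notes>` would make the scope of the suppression auditable. The `</suppressions>` closing tag is this hunk's final context line, so no entry is cut off here.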
