This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new b107ae1f8c NIFI-11046 Upgraded Dependency Check from 7.3.2 to 7.4.4
b107ae1f8c is described below

commit b107ae1f8c308fed691330d0ee8804789a03170f
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Jan 12 09:16:38 2023 -0600

    NIFI-11046 Upgraded Dependency Check from 7.3.2 to 7.4.4
    
    - Removed false-positive suppressions that are no longer necessary in the current version
    
    Signed-off-by: Pierre Villard <[email protected]>
    
    This closes #6839.
---
 nifi-dependency-check-maven/suppressions.xml | 30 ----------------------------
 pom.xml                                      |  2 +-
 2 files changed, 1 insertion(+), 31 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index b2b982eb4d..ee73d03bb0 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -24,16 +24,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>MySQL Binary Log Connector is incorrectly identified as MySQL 
server</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
-        <cpe>cpe:/a:mysql:mysql</cpe>
-    </suppress>
-    <suppress>
-        <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper 
server</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
-        <cpe>cpe:/a:apache:zookeeper</cpe>
-    </suppress>
     <suppress>
         <notes>H2 1.4.200 is shaded and repackaged without vulnerable 
components in nifi-h2-database for migration</notes>
         <packageUrl>pkg:maven/com.h2database/[email protected]</packageUrl>
@@ -54,11 +44,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>Servlet API 2.5 does not include Jetty Server 
vulnerabilities</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
-        <cpe regex="true">^cpe:.*$</cpe>
-    </suppress>
     <suppress>
         <notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark 
Server vulnerabilities</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
@@ -144,21 +129,11 @@
         <packageUrl 
regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
         <vulnerabilityName>CVE-2014-3643</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>Fan Platform vulnerabilities do not apply to JUnit Platform 
libraries</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.junit\.platform/junit\-platform\-engine@.*$</packageUrl>
-        <cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client 
libraries</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
         <cve>CVE-2007-6465</cve>
     </suppress>
-    <suppress>
-        <notes>Pro Search vulnerabilities do not apply to Spatial4j</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
-        <cpe>cpe:/a:pro_search:pro_search</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to 
the Java SDK</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
@@ -169,11 +144,6 @@
         <packageUrl 
regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
         <cve>CVE-2022-31159</cve>
     </suppress>
-    <suppress>
-        <notes>Hive vulnerabilities do not apply to Iceberg Hive 
Metadata</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
-        <cpe>cpe:/a:apache:hive</cpe>
-    </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to 
Elasticsearch Plugin</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*[email protected]$</packageUrl>
diff --git a/pom.xml b/pom.xml
index c07f8a5949..fe3ce12cdc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1184,7 +1184,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.3.2</version>
+                        <version>7.4.4</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>
