This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 50cda9a2e6 NIFI-11371 Upgraded Ranger from 2.3.0 to 2.4.0
50cda9a2e6 is described below
commit 50cda9a2e6edfad281ad827f116f56d103d58977
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Apr 1 18:02:38 2023 -0500
NIFI-11371 Upgraded Ranger from 2.3.0 to 2.4.0
- Updated Elasticsearch client false positive vulnerability suppressions
for new Ranger transitive dependencies
Signed-off-by: Pierre Villard <[email protected]>
This closes #7109.
---
nifi-dependency-check-maven/suppressions.xml | 13 +++++++++----
pom.xml | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml
b/nifi-dependency-check-maven/suppressions.xml
index e348670685..83c36fae39 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -106,17 +106,17 @@
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
Elasticsearch Plugin</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch-core</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
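Review bot: Widening the three packageUrl patterns from a pinned version to `@7.*$` while keeping the blanket `<cpe regex="true">^cpe:/a:elastic.*$</cpe>` means every future elastic-CPE finding against any 7.x plugin, elasticsearch-core or elasticsearch artifact is silenced, including a genuine client-library CVE; the old pin at least forced a re-check of the "server only" rationale on each upgrade. If the range must stay open, give the suppression an expiry so it is revisited, e.g. `<suppress until="2024-04-01Z">`, or at minimum anchor the major version properly, since the unescaped dot in `@7.*$` also matches `@70.0.0` whereas `@7\..*$` expresses the intent. The closing `<suppress>` on the hunk's last line opens an element whose body continues outside this hunk.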
@@ -129,9 +129,14 @@
<packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
<cve>CVE-2020-7014</cve>
</suppress>
+ <suppress>
+ <notes>CVE-2021-22145 applies to Elasticsearch Server not client
libraries</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
+ <vulnerabilityName>CVE-2021-22145</vulnerabilityName>
+ </suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch libraries</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
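Review bot: The new CVE-2021-22145 block selects the vulnerability with `<vulnerabilityName>` while the sibling block directly above it suppresses CVE-2020-7014 with `<cve>`; dependency-check accepts both, but `<cve>CVE-2021-22145</cve>` keeps the file's existing convention and makes it obvious the match is on a CVE identifier. Its packageUrl `^pkg:maven/org\.elasticsearch/elasticsearch@.*$` is also version-unbounded where the neighbouring suppressions were scoped to `@7.*$`; a single-CVE suppression tolerates that better than the CPE-wide ones, but an `until` date on the element would still let the "server not client" rationale be re-checked rather than carried forever. The `<suppress>` on the hunk's last line opens an element that continues outside this hunk.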
diff --git a/pom.xml b/pom.xml
index b1c0003ecb..0416019679 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
<org.bouncycastle.version>1.71</org.bouncycastle.version>
<testcontainers.version>1.17.6</testcontainers.version>
<org.slf4j.version>2.0.7</org.slf4j.version>
- <ranger.version>2.3.0</ranger.version>
+ <ranger.version>2.4.0</ranger.version>
<jetty.version>9.4.50.v20221201</jetty.version>
<jackson.bom.version>2.14.2</jackson.bom.version>
<avro.version>1.11.1</avro.version>