This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
new e85af8a1cd NIFI-11371 Upgraded Ranger from 2.3.0 to 2.4.0
e85af8a1cd is described below
commit e85af8a1cd039bd285f07b593f1b85670d069468
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Apr 1 18:02:38 2023 -0500
NIFI-11371 Upgraded Ranger from 2.3.0 to 2.4.0
- Updated suppressions for false-positive Elasticsearch client vulnerability
findings introduced by new Ranger transitive dependencies
Signed-off-by: Pierre Villard <[email protected]>
This closes #7109.
---
nifi-dependency-check-maven/suppressions.xml | 13 +++++++++----
pom.xml | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml
b/nifi-dependency-check-maven/suppressions.xml
index 9fa4a7b6ed..5d36569eaa 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -111,17 +111,17 @@
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
Elasticsearch Plugin</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch-core</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
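Review bot: The three packageUrl patterns changed in this hunk (the plugin, elasticsearch-core and elasticsearch entries) replace the exact `@7\.17\.9$` pin with `@7.*$`, which, combined with the unchanged `^cpe:/a:elastic.*$` match, now silences every Elastic CPE finding for any 7.x version of those artifacts, so a later transitive bump to a 7.x release with a client-side advisory would be hidden without anyone reviewing it. The `.` after `7` is also left unescaped, unlike every other version in the file, so the pattern is not even restricted to a `7.` prefix. I would keep the match bounded, at minimum `@7\.\d+\.\d+$`, and preferably an alternation listing the concrete versions now on the classpath so the next upgrade forces a re-check, e.g. `^pkg:maven/org\.elasticsearch/elasticsearch@7\.(17\.9|X\.Y)$` with X.Y replaced by the version Ranger 2.4.0 actually pulls in. It would also help to say in each `<notes>` which dependency introduces the extra version (the commit message attributes it to Ranger 2.4.0), since a CPE-wide suppression is only safe while someone can tell when it should be retired.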
@@ -134,9 +134,14 @@
<packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
<cve>CVE-2020-7014</cve>
</suppress>
+ <suppress>
+ <notes>CVE-2021-22145 applies to Elasticsearch Server not client
libraries</notes>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
+ <vulnerabilityName>CVE-2021-22145</vulnerabilityName>
+ </suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch libraries</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*[email protected]$</packageUrl>
+ <packageUrl
regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
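Review bot: The last suppression in this hunk now matches every `org.elasticsearch:elasticsearch-*` artifact at any 7.x version (`elasticsearch\-.*?@7.*$`) against the blanket `^cpe:/a:elastic.*$` CPE, so the entry no longer distinguishes the versions that were actually reviewed from any 7.x version a future transitive upgrade might bring, and the unescaped `.` after `7` does not even require a `7.` prefix. I would bound it as `^pkg:maven/org\.elasticsearch/elasticsearch\-.*@7\.\d+\.\d+$` or, better, list the concrete versions present, and name the dependency that introduces them in `<notes>` so the entry can be retired on the next bump. As a point of style, the new CVE-2021-22145 entry uses `<vulnerabilityName>` while the sibling CVE-2020-7014 entry directly above uses `<cve>`; both are accepted by dependency-check, but using `<cve>CVE-2021-22145</cve>` keeps the file consistent and makes CVE-specific suppressions easy to grep. The claim that CVE-2021-22145 is server-only is taken from the notes; if that is correct, a CVE-scoped suppression like this one is the preferable pattern over the version-wide CPE entries, since it leaves other findings visible.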
diff --git a/pom.xml b/pom.xml
index b518dcbbe8..bcdd332141 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
<org.bouncycastle.version>1.71</org.bouncycastle.version>
<testcontainers.version>1.17.6</testcontainers.version>
<org.slf4j.version>2.0.7</org.slf4j.version>
- <ranger.version>2.3.0</ranger.version>
+ <ranger.version>2.4.0</ranger.version>
<jetty.version>9.4.50.v20221201</jetty.version>
<jackson.bom.version>2.14.2</jackson.bom.version>
<avro.version>1.11.1</avro.version>