This is an automated email from the ASF dual-hosted git repository.

mthomsen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 26d02fff49 NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 
8.3.1
26d02fff49 is described below

commit 26d02fff490805fb71047afa034d5597c02382d8
Author: exceptionfactory <[email protected]>
AuthorDate: Mon Jun 19 20:52:44 2023 -0500

    NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 8.3.1
    
    - Updated OWASP suppressions to exclude several JSON and Kafka false 
positives
    - Excluded JUnit dependency from Hive 3 JDBC
    
    This closes #7411
    
    Signed-off-by: Mike Thomsen <[email protected]>
---
 nifi-dependency-check-maven/suppressions.xml       | 70 +++++++++++-----------
 .../nifi-hive-bundle/nifi-hive3-processors/pom.xml |  4 ++
 pom.xml                                            |  2 +-
 3 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index 83c36fae39..e4e0cdac1d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,11 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>Jetty SSLEngine is incorrectly identified with Jetty 
Server</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
-        <cpe regex="true">^cpe:.*$</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2022-45868 requires running H2 from a command not 
applicable to project references</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
@@ -149,11 +144,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client 
library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
-        <cve>CVE-2022-34271</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs 
Checkpoint Store Blob library</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
@@ -164,21 +154,11 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
         <cve>CVE-2022-39135</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2018-8016 applies to Apache Cassandra server not the client 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
-        <cve>CVE-2018-8016</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not 
Jackson Annotations</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
         <cve>CVE-2018-1000873</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2021-34371 applies to Neo4j server not the driver 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
-        <cve>CVE-2021-34371</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server 
not the FTP server library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
@@ -189,21 +169,6 @@
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
         <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
-        <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
-        <cve>CVE-2022-31160</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is 
not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
-        <packageUrl 
regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
-        <cve>CVE-2021-37533</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
-        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2023-25613 applies to an LDAP backend class for Apache 
Kerby not the Token Provider library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
@@ -259,4 +224,39 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
+    <suppress>
+        <notes>CVE-2022-45688 applies to hutools-json not org.json</notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+    <suppress>
+        <notes>The Jackson maintainers dispute the applicability of 
CVE-2023-35116 based on cyclic nature of reported concern</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25194 applies to Kafka Connect workers not client 
libraries</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2023-25194</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-34917 applies to Kafka brokers not client 
libraries</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2022-34917</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby 
Server which is not used in runtime NiFi configurations</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
+        <cve>CVE-2023-25613</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-24823</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-41915</cve>
+    </suppress>
 </suppressions>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml 
b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 7778b87691..7629db7eaa 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -129,6 +129,10 @@
                     <groupId>com.google.code.findbugs</groupId>
                     <artifactId>jsr305</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/pom.xml b/pom.xml
index 81ef2d0d6e..afa8570591 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1154,7 +1154,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>8.2.1</version>
+                        <version>8.3.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>

Reply via email to