This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new d84f0dabaf NIFI-14208 Removed Dependency Check Plugin
d84f0dabaf is described below
commit d84f0dabaf87b60abd01e8035864922606d092ab
Author: exceptionfactory <[email protected]>
AuthorDate: Wed Jan 29 11:17:09 2025 -0600
NIFI-14208 Removed Dependency Check Plugin
- Removed OWASP Dependency Check in favor of Grype scan in code-compliance
workflow
Signed-off-by: Pierre Villard <[email protected]>
This closes #9673.
---
nifi-dependency-check-maven/suppressions.xml | 248 ---------------------------
pom.xml | 31 ----
2 files changed, 279 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml
b/nifi-dependency-check-maven/suppressions.xml
deleted file mode 100644
index 86069db3df..0000000000
--- a/nifi-dependency-check-maven/suppressions.xml
+++ /dev/null
@@ -1,248 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<suppressions
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
- <suppress>
- <notes>NiFi packages contain other project names, which can cause
incorrect identification</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
- <cpe regex="true">^cpe:.*$</cpe>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch-rest-client</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to
elasticsearch-rest-client-sniffer</notes>
- <packageUrl
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs
Checkpoint Store Blob library</notes>
- <packageUrl
regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
- <cve>CVE-2022-30187</cve>
- </suppress>
- <suppress>
- <notes>CVE-2018-14335 applies to H2 running with a web server console
enabled</notes>
- <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
- <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>The Jetty Apache JSP library is not subject to Apache Tomcat
vulnerabilities</notes>
- <packageUrl
regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
- <cpe>cpe:/a:apache:tomcat</cpe>
- </suppress>
- <suppress>
- <notes>Google BigQuery Storage is not the same as the gGRPC framework
library</notes>
- <packageUrl
regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
- <cpe>cpe:/a:grpc:grpc</cpe>
- </suppress>
- <suppress>
- <notes>Google PubSubLite is not the same as the gRPC framework
library</notes>
- <packageUrl
regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
- <cpe>cpe:/a:grpc:grpc</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2021-34538 applies to Apache Hive server not the Storage
API library</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
- <cve>CVE-2021-34538</cve>
- </suppress>
- <suppress>
- <notes>The Jackson maintainers dispute the applicability of
CVE-2023-35116 based on cyclic nature of reported concern</notes>
- <packageUrl
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
- <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>The Square Wire framework is not the same as the Wire secure
communication application</notes>
- <packageUrl
regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
- <cpe>cpe:/a:wire:wire</cpe>
- </suppress>
- <suppress>
- <notes>Avro project vulnerabilities do not apply to Parquet
Avro</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl>
- <cpe>cpe:/a:avro_project:avro</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
- <cve>CVE-2016-5397</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-0210 applies to Apache Thrift Go server not
Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
- <cve>CVE-2019-0210</cve>
- </suppress>
- <suppress>
- <notes>CVE-2018-11798 applies Apache Thrift Node.js not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
- <cve>CVE-2018-11798</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-11939 applies to Thrift Servers in Go not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-11939</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3552 applies to Thrift Servers in CPP not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3552</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3553 applies to Thrift Servers in CPP not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3553</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3558 applies to Thrift Servers in Python not
Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3558</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3564 applies to Thrift Servers in Go not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3564</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3565 applies to Thrift Servers in CPP not Java</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3565</cve>
- </suppress>
- <suppress>
- <notes>CVE-2021-24028 applies to Facebook Thrift CPP</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2021-24028</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-11938 applies to Facebook Thrift Servers</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-11938</cve>
- </suppress>
- <suppress>
- <notes>CVE-2019-3559 applies to Facebook Thrift Servers</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
- <cve>CVE-2019-3559</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for
Java</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
- <cve>CVE-2023-37475</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-36415 applies to Azure Identity for Python not
Java</notes>
- <packageUrl
regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
- <cve>CVE-2023-36415</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-13949 applies to Thrift and not to Hive</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
- <cve>CVE-2020-13949</cve>
- </suppress>
- <suppress>
- <notes>Parquet MR vulnerabilities do not apply to other Parquet
libraries</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
- <cpe>cpe:/a:apache:parquet-mr</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2019-11358</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-11022 applies to bundled copies of jQuery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2020-11022</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-11023 applies to bundled copies of jQuery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2020-11023</cve>
- </suppress>
- <suppress>
- <notes>CVE-2011-4969 applies to bundled copies of jQUery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2011-4969</cve>
- </suppress>
- <suppress>
- <notes>CVE-2012-6708 applies to bundled copies of jQUery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2012-6708</cve>
- </suppress>
- <suppress>
- <notes>CVE-2015-9251 applies to bundled copies of jQUery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2015-9251</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-7656 applies to bundled copies of jQUery not used in
the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2020-7656</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-44487 references gRPC for Go</notes>
- <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
- <cve>CVE-2023-44487</cve>
- </suppress>
- <suppress>
- <notes>Guava temporary directory file creation is not used</notes>
- <packageUrl
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
- <cve>CVE-2023-2976</cve>
- </suppress>
- <suppress>
- <notes>Guava temporary directory file creation is not used</notes>
- <packageUrl
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
- <cve>CVE-2020-8908</cve>
- </suppress>
- <suppress>
- <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf
library</notes>
- <packageUrl
regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_25@.*$</packageUrl>
- <cpe>cpe:/a:apache:hadoop</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not
1.6.9</notes>
- <packageUrl
regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
- <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not
1.6.9</notes>
- <packageUrl
regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
- <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>CVE-2023-7272 applies to Eclipse Parrson not javax.json</notes>
- <packageUrl
regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
- <vulnerabilityName>CVE-2023-7272</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>CVE-2024-43591 applies to Azure CLI not azure-core-amqp</notes>
- <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
- <cpe>cpe:/a:microsoft:azure_cli</cpe>
- <cve>CVE-2024-43591</cve>
- </suppress>
- <suppress>
- <notes>jquery is not used although bundled in Hadoop avro-ipc
libraries</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <vulnerabilityName>jquery issue: 162</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Google OpenTelemetry shared-resourcemapping versions do not
align with base OpenTelemetry versions leading to false positives</notes>
- <packageUrl
regex="true">^pkg:maven/com\.google\.cloud\.opentelemetry/.*$</packageUrl>
- <cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2024-35255 is resolved in msal4j 1.15.1 and the CPE for
other languages does not apply</notes>
- <cve>CVE-2024-35255</cve>
- <cpe>cpe:/a:microsoft:authentication_library:*:*:*:*:*:.net:*:*</cpe>
- </suppress>
-</suppressions>
diff --git a/pom.xml b/pom.xml
index a9d8912899..728d86ab32 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1154,36 +1154,5 @@
</plugins>
</build>
</profile>
- <profile>
- <!-- Run "mvn validate -P dependency-check" to generate
dependency-check-report.html in the target directory -->
- <!-- Report results require detailed analysis to determine whether
the vulnerability impacts the application -->
- <id>dependency-check</id>
- <build>
- <plugins>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <version>11.1.0</version>
- <executions>
- <execution>
- <inherited>false</inherited>
- <phase>validate</phase>
- <goals>
- <goal>aggregate</goal>
- </goals>
- <configuration>
-
<suppressionFiles>nifi-dependency-check-maven/suppressions.xml</suppressionFiles>
- <!-- Skip System Scope to avoid dependency
resolution errors with jdk.tools on Java 8 -->
- <skipSystemScope>true</skipSystemScope>
- <!-- Disable .NET Assembly Analyzer to
avoid non-applicable errors -->
-
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
- <skipProvidedScope>true</skipProvidedScope>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
</profiles>
</project>
