This is an automated email from the ASF dual-hosted git repository.

mattisonchao pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.10 by this push:
     new 880bb53f128 [Branch 2.10] Fix some OWASP dependency problems. (#16260)
880bb53f128 is described below

commit 880bb53f1289ef0853f2c2c8a12663ee6aea1f62
Author: Qiang Zhao <[email protected]>
AuthorDate: Fri Jul 15 11:16:40 2022 +0800

    [Branch 2.10] Fix some OWASP dependency problems. (#16260)
    
    - #16148
    - #15829
    - #15864
    - #14910
---
 pom.xml                                        |  4 +-
 pulsar-io/canal/pom.xml                        |  2 +-
 src/owasp-dependency-check-false-positives.xml |  7 +++
 src/owasp-dependency-check-suppressions.xml    | 69 +++++++-------------------
 4 files changed, 29 insertions(+), 53 deletions(-)

diff --git a/pom.xml b/pom.xml
index 226d275d9fb..543ead3f3b2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -151,7 +151,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <guice.version>5.1.0</guice.version>
     <sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
     <mysql-jdbc.version>8.0.11</mysql-jdbc.version>
-    <postgresql-jdbc.version>42.2.25</postgresql-jdbc.version>
+    <postgresql-jdbc.version>42.3.3</postgresql-jdbc.version>
     <clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
     <mariadb-jdbc.version>2.7.5</mariadb-jdbc.version>
     <hdfs-offload-version3>3.3.3</hdfs-offload-version3>
@@ -161,7 +161,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <scala.binary.version>2.13</scala.binary.version>
     <scala-library.version>2.13.6</scala-library.version>
     <debezium.version>1.7.2.Final</debezium.version>
-    <debezium.postgresql.version>42.2.25</debezium.postgresql.version>
+    <debezium.postgresql.version>42.3.3</debezium.postgresql.version>
     <debezium.mysql.version>8.0.28</debezium.mysql.version>
     <jsonwebtoken.version>0.11.1</jsonwebtoken.version>
     <opencensus.version>0.28.0</opencensus.version>
diff --git a/pulsar-io/canal/pom.xml b/pulsar-io/canal/pom.xml
index 0f9bd2e37f6..d9856f209ca 100644
--- a/pulsar-io/canal/pom.xml
+++ b/pulsar-io/canal/pom.xml
@@ -55,7 +55,7 @@
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>fastjson</artifactId>
-            <version>1.2.73</version>
+            <version>1.2.83</version>
         </dependency>
 
         <dependency>
diff --git a/src/owasp-dependency-check-false-positives.xml 
b/src/owasp-dependency-check-false-positives.xml
index 39589d62fe9..3ea7844b9bd 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -87,6 +87,13 @@
     <cve>CVE-2022-27385</cve>
     <cve>CVE-2022-27386</cve>
     <cve>CVE-2022-27387</cve>
+    <cve>CVE-2022-27444</cve>
+    <cve>CVE-2022-27446</cve>
+    <cve>CVE-2022-27449</cve>
+    <cve>CVE-2022-27451</cve>
+    <cve>CVE-2022-27452</cve>
+    <cve>CVE-2022-27455</cve>
+    <cve>CVE-2022-27457</cve>
   </suppress>
 
   <!-- google-http-client-gson getting confused with gson-->
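Review bot: The seven CVEs added at L74–L80 (CVE-2022-27444 … CVE-2022-27457) carry no justification, and because the `<notes>` and the artifact selector of this `<suppress>` element sit above the hunk a reader of the diff cannot tell which dependency they are being suppressed for or why they are false positives. Judging by the neighbouring entries (CVE-2022-27385–27387) these are presumably server-side CVEs that dependency-check matched to a client library declared in pom.xml, but that should be stated once in the element's notes rather than left for the next person to rediscover, e.g. `<!-- CVE-2022-27444..27457: reported against the server product, not the client jar we ship; re-check on the next driver upgrade -->`. A false-positive list that only grows is also worth time-boxing: the suppression schema allows `<suppress until="YYYY-MM-DD">`, which forces a re-evaluation instead of silencing the finding forever.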
diff --git a/src/owasp-dependency-check-suppressions.xml 
b/src/owasp-dependency-check-suppressions.xml
index 2c729026c27..e48d7441920 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -174,32 +174,9 @@
         <cpe>cpe:/a:apache:rocketmq</cpe>
     </suppress>
     <suppress>
-        <notes><![CDATA[
-     file name: spring-core-3.2.18.RELEASE.jar
-     ]]></notes>
-        <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
-        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-     file name: spring-core-3.2.18.RELEASE.jar
-     ]]></notes>
-        <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
-        <cpe>cpe:/a:springsource:spring_framework</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-     file name: spring-core-3.2.18.RELEASE.jar
-     ]]></notes>
-        <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
-        <cpe>cpe:/a:vmware:spring_framework</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-     file name: spring-core-3.2.18.RELEASE.jar
-     ]]></notes>
-        <sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
-        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+        <notes><![CDATA[Ignored since we are not vulnerable]]></notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
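Review bot: The new suppression at L119–L122 replaces four entries pinned to the SHA1 of one spring-core jar with `^pkg:maven/org\.springframework/spring.*$`, which matches every Spring artifact at every version, and the only rationale recorded is "Ignored since we are not vulnerable". CVE-2016-1000027 is the Java-deserialization issue in Spring's remoting exporters (HttpInvokerServiceExporter and related classes), so the claim presumably rests on those classes never being exposed by Pulsar; if that is the basis, write it down so it can be re-checked when Spring is upgraded or another Spring module is pulled in, e.g. `<notes><![CDATA[CVE-2016-1000027: deserialization in Spring remoting (HttpInvoker*Exporter); not reachable here because no Spring remoting endpoint is exposed — re-verify on Spring upgrades.]]></notes>`. Consider narrowing the regex to the Spring artifacts dependency-check actually reports rather than `spring.*`, and adding `until="…"` on the `<suppress>` so the blanket exemption has an expiry.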
@@ -301,66 +278,58 @@
     <!-- jclouds/openswift misdetections -->
     <suppress>
         <notes><![CDATA[
-       file name: openstack-swift-2.4.0.jar
+       file name: openstack-swift-2.5.0.jar
        ]]></notes>
-        <sha1>3f8f54bbcb73608ac8b66f186a824b75065eb413</sha1>
+        <sha1>d99d0eab2e01d69d8a326fc152427fbd759af88a</sha1>
         <cve>CVE-2016-0738</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-swift-2.4.0.jar
+       file name: openstack-swift-2.5.0.jar
        ]]></notes>
-        <sha1>3f8f54bbcb73608ac8b66f186a824b75065eb413</sha1>
+        <sha1>d99d0eab2e01d69d8a326fc152427fbd759af88a</sha1>
         <cve>CVE-2017-16613</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-swift-2.4.0.jar
-       ]]></notes>
-        <sha1>3f8f54bbcb73608ac8b66f186a824b75065eb413</sha1>
-        <cve>CVE-2017-8761</cve>
-    </suppress>
-    
-    <suppress>
-        <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2018-14432</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2018-20170</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2020-12689</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2020-12690</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2020-12691</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: openstack-keystone-2.4.0.jar
+       file name: openstack-keystone-2.5.0.jar
        ]]></notes>
-        <sha1>4f47a6b485371d357827b6a517ba54d073dc7b8b</sha1>
+        <sha1>a7e89bd278fa8be9fa604dda66d1606de5530797</sha1>
         <cve>CVE-2020-12692</cve>
     </suppress>
 
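Review bot: The jclouds entries at L131–L206 are re-pinned to the 2.5.0 jar SHA1s but still enumerate OpenStack Swift/Keystone CVEs one per `<suppress>`, so every future jclouds bump and every newly published Swift or Keystone CVE will break the scan again until this file is hand-edited. The comment above the block (`jclouds/openswift misdetections`, presumably "openstack") says the problem is the jclouds client jars being matched to the OpenStack server products, and for that the durable fix is to suppress the misapplied CPE for the artifact instead of individual CVEs: key each entry on a `<packageUrl regex="true">` for the jclouds openstack-swift / openstack-keystone coordinates and suppress the server CPE dependency-check reports (presumably `<cpe>cpe:/a:openstack:swift</cpe>` and `<cpe>cpe:/a:openstack:keystone</cpe>` — confirm the exact strings from the scan report). The notes should then say why the match is wrong rather than just repeating the file name, and an `until="…"` attribute would make sure the exemption is revisited rather than silently outliving the jclouds version it was written for.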
