This is an automated email from the ASF dual-hosted git repository. nicoloboschi pushed a commit to branch branch-2.11 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 392f2f5124cc52a166764b9d2f41bd3f2c51b200
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Jan 10 23:44:23 2023 +0200
[fix][build] Upgrade dependency-check-maven plugin to fix broken OWASP check (#19170)
(cherry picked from commit 82b1357d39700a7ea4924e80c73683bf195d7ded)
---
pom.xml | 2 +-
src/owasp-dependency-check-false-positives.xml | 15 +++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index f1bc4bc9bac..0424ecca72f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -279,7 +279,7 @@ flexible messaging model and an intuitive client API.</description>
 <errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
 <j2objc-annotations.version>1.3</j2objc-annotations.version>
 <lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
- <dependency-check-maven.version>7.1.0</dependency-check-maven.version>
+ <dependency-check-maven.version>7.4.4</dependency-check-maven.version>
 <roaringbitmap.version>0.9.15</roaringbitmap.version>
 <extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
 <lombok.plugin.version>1.18.20.0</lombok.plugin.version>
diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index bda2a8d8c68..cdd2216b40f 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -176,4 +176,19 @@
 <notes>commons-net is not used at all and therefore commons-net vulnerability CVE-2021-37533 is a false positive.</notes>
 <cve>CVE-2021-37533</cve>
 </suppress>
+
+ <suppress>
+ <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a false positive.</notes>
+ <cve>CVE-2021-4277</cve>
+ </suppress>
+
+ <suppress>
+ <notes>yaml_project is not used at all. Any CVEs reported for yaml_project are false positives.</notes>
+ <cpe>cpe:/a:yaml_project:yaml</cpe>
+ </suppress>
+
+ <suppress>
+ <notes>flat_project is not used at all.</notes>
+ <cpe>cpe:/a:flat_project:flat</cpe>
+ </suppress>
 </suppressions>
\ No newline at end of file
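Review bot: The three new `<suppress>` entries are unscoped: the `<cve>CVE-2021-4277</cve>` rule hides that CVE on every artifact in the build, and the two `<cpe>` rules hide every current and future CVE published against those CPEs no matter which jar the scanner matched them to. The notes suggest these are CPE misidentifications of some Maven artifact rather than real dependencies, so each rule should be pinned to the artifact that produced the match, e.g. `<packageUrl regex="true">^pkg:maven/GROUP/ARTIFACT@.*$</packageUrl>` (or a `<sha1>`) alongside the `<cve>`/`<cpe>`, so that a genuinely affected dependency added later is not silently suppressed. The `<notes>` text should name that matched artifact and say the CPE match is wrong, rather than "not used at all", since "not used" is not the reason a dependency-check finding is a false positive and gives no way to re-validate the rule when the plugin or NVD data changes (the `flat_project` note does not even claim a false positive).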
