This is an automated email from the ASF dual-hosted git repository. nicoloboschi pushed a commit to branch branch-2.10 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 9c29cdb09e80625f083dd90ea8a8995468571acd
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Jan 10 23:44:23 2023 +0200
[fix][build] Upgrade dependency-check-maven plugin to fix broken OWASP check (#19170)
(cherry picked from commit 82b1357d39700a7ea4924e80c73683bf195d7ded)
---
 pom.xml | 2 +-
 src/owasp-dependency-check-false-positives.xml | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index b08ad7e4cf9..a82f140f768 100644
--- a/pom.xml
+++ b/pom.xml
@@ -262,7 +262,7 @@ flexible messaging model and an intuitive client API.</description>
 <errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
 <j2objc-annotations.version>1.3</j2objc-annotations.version>
 <lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
- <dependency-check-maven.version>7.1.0</dependency-check-maven.version>
+ <dependency-check-maven.version>7.4.4</dependency-check-maven.version>
 <roaringbitmap.version>0.9.15</roaringbitmap.version>
 <!-- Used to configure rename.netty.native. Libs -->
diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index 17c44e7385d..9a8a2427928 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -117,4 +117,19 @@
 <notes>commons-net is not used at all and therefore commons-net vulnerability CVE-2021-37533 is a false positive.</notes>
 <cve>CVE-2021-37533</cve>
 </suppress>
+
+ <suppress>
+ <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a false positive.</notes>
+ <cve>CVE-2021-4277</cve>
+ </suppress>
+
+ <suppress>
+ <notes>yaml_project is not used at all. Any CVEs reported for yaml_project are false positives.</notes>
+ <cpe>cpe:/a:yaml_project:yaml</cpe>
+ </suppress>
+
+ <suppress>
+ <notes>flat_project is not used at all.</notes>
+ <cpe>cpe:/a:flat_project:flat</cpe>
+ </suppress>
 </suppressions>
\ No newline at end of file
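Review bot: The two `<cpe>` suppressions in the second hunk, as written, apply to every dependency the scan sees, because neither carries a `<packageUrl>`, `<gav>` or `<sha1>` element pinning it to the artifact that was mis-identified, and none of the three new entries has an `until` expiry. That is harmless today if, as the notes say, nothing from yaml_project or flat_project is actually shipped, but should an artifact that really is that product ever enter the dependency tree its CVEs would be hidden silently and permanently; the `<cve>`-only entry for CVE-2021-4277 has the same unbounded scope. Scoping each entry with a `<packageUrl regex="true">` for the mis-matched coordinate (the notes do not record which artifact triggered the match, so it still has to be looked up from the report) and adding an expiry such as `<suppress until="2023-07-10Z">` would keep the suppression from outliving the false positive. The `<notes>` for flat_project should also name the mis-identified artifact, mirroring the commons-net entry just above it. The enclosing `<suppressions>` root element starts outside the hunk.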
