
nicoloboschi pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit e584c4a6ab88ffd728067b0bc0c9dae1b9259e7f
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Jan 10 23:44:23 2023 +0200

    [fix][build] Upgrade dependency-check-maven plugin to fix broken OWASP 
check (#19170)
    
    (cherry picked from commit 82b1357d39700a7ea4924e80c73683bf195d7ded)
    (cherry picked from commit 9c29cdb09e80625f083dd90ea8a8995468571acd)
---
 pom.xml                                        |  2 +-
 src/owasp-dependency-check-false-positives.xml | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e07009c6833..3d27afe22c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -255,7 +255,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
     <j2objc-annotations.version>1.3</j2objc-annotations.version>
     <lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
-    <dependency-check-maven.version>7.1.0</dependency-check-maven.version>
+    <dependency-check-maven.version>7.4.4</dependency-check-maven.version>
     <roaringbitmap.version>0.9.15</roaringbitmap.version>
 
     <!-- Used to configure rename.netty.native. Libs -->
diff --git a/src/owasp-dependency-check-false-positives.xml 
b/src/owasp-dependency-check-false-positives.xml
index 85ca6046a6f..e8bb58274d9 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -79,4 +79,19 @@
     <notes>commons-net is not used at all and therefore commons-net 
vulnerability CVE-2021-37533 is a false positive.</notes>
     <cve>CVE-2021-37533</cve>
   </suppress>
+
+  <suppress>
+    <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a 
false positive.</notes>
+    <cve>CVE-2021-4277</cve>
+  </suppress>
+
+  <suppress>
+    <notes>yaml_project is not used at all. Any CVEs reported for yaml_project 
are false positives.</notes>
+    <cpe>cpe:/a:yaml_project:yaml</cpe>
+  </suppress>
+
+  <suppress>
+    <notes>flat_project is not used at all.</notes>
+    <cpe>cpe:/a:flat_project:flat</cpe>
+  </suppress>
 </suppressions>
\ No newline at end of file
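Review bot: The three new `<suppress>` entries are unscoped — each carries only a `<cve>` or `<cpe>` child with no `<packageUrl>`, `<gav>`, `<sha1>` or `<filePath>` selector, so the suppression applies to every dependency in the build that matches that CVE or CPE, not only to the artifact that was mis-identified; a later dependency that genuinely matches CVE-2021-4277 or the yaml_project/flat_project CPEs would be hidden without a report. Each entry should pin the artifact that triggered the false positive, e.g. `<packageUrl regex="true">^pkg:maven/GROUP_PLACEHOLDER/ARTIFACT_PLACEHOLDER@.*$</packageUrl>` with the real coordinates filled in, and the `flat_project` note should name the dependency that was mis-matched so the suppression can be re-validated when dependencies change. For entries expected to be resolved upstream, `<suppress until="YYYY-MM-DD">` (placeholder date) forces a re-check instead of a permanent exclusion. The enclosing `<suppressions>` root element starts before this hunk.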
