This is an automated email from the ASF dual-hosted git repository. nicoloboschi pushed a commit to branch branch-2.9 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit e584c4a6ab88ffd728067b0bc0c9dae1b9259e7f
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Jan 10 23:44:23 2023 +0200
[fix][build] Upgrade dependency-check-maven plugin to fix broken OWASP check (#19170)
(cherry picked from commit 82b1357d39700a7ea4924e80c73683bf195d7ded)
(cherry picked from commit 9c29cdb09e80625f083dd90ea8a8995468571acd)
---
 pom.xml | 2 +-
 src/owasp-dependency-check-false-positives.xml | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index e07009c6833..3d27afe22c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -255,7 +255,7 @@ flexible messaging model and an intuitive client API.</description>
 <errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
 <j2objc-annotations.version>1.3</j2objc-annotations.version>
 <lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
- <dependency-check-maven.version>7.1.0</dependency-check-maven.version>
+ <dependency-check-maven.version>7.4.4</dependency-check-maven.version>
 <roaringbitmap.version>0.9.15</roaringbitmap.version>
 <!-- Used to configure rename.netty.native. Libs -->
diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index 85ca6046a6f..e8bb58274d9 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -79,4 +79,19 @@
 <notes>commons-net is not used at all and therefore commons-net vulnerability CVE-2021-37533 is a false positive.</notes>
 <cve>CVE-2021-37533</cve>
 </suppress>
+
+ <suppress>
+ <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a false positive.</notes>
+ <cve>CVE-2021-4277</cve>
+ </suppress>
+
+ <suppress>
+ <notes>yaml_project is not used at all. Any CVEs reported for yaml_project are false positives.</notes>
+ <cpe>cpe:/a:yaml_project:yaml</cpe>
+ </suppress>
+
+ <suppress>
+ <notes>flat_project is not used at all.</notes>
+ <cpe>cpe:/a:flat_project:flat</cpe>
+ </suppress>
 </suppressions>
\ No newline at end of file
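Review bot: The three new `<suppress>` entries are unscoped: a bare `<cve>` or `<cpe>` child suppresses that CVE or CPE for every artifact in the scan, so a dependency added later that is genuinely affected by CVE-2021-4277, or that legitimately maps to cpe:/a:yaml_project:yaml or cpe:/a:flat_project:flat, would have its finding silently dropped. Each entry should be limited to the artifact that produced the false-positive match, e.g. by adding `<packageUrl regex="true">^pkg:maven/GROUP/ARTIFACT@.*$</packageUrl>` (GROUP/ARTIFACT are placeholders for the mis-identified coordinates, which the hunk does not name) ahead of the `<cve>`/`<cpe>` line; an `until="YYYY-MM-DD"` attribute on `<suppress>` would additionally force the suppression to be re-reviewed rather than living forever. The flat_project entry also gives no CVE and no reason for the match, unlike its two siblings, so its justification is not auditable; `<notes>flat_project is not used at all; the CPE match comes from ARTIFACT (placeholder) and is a false positive.</notes>` would bring it in line with the other notes.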
