This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new ac5527defeb [fix][ci] Fix OWASP dependency check suppressions (#20486)
ac5527defeb is described below

commit ac5527defebb9e6c9fe2802632d6eab573740c73
Author: Lari Hotari <[email protected]>
AuthorDate: Mon Jun 5 14:48:46 2023 +0300

    [fix][ci] Fix OWASP dependency check suppressions (#20486)
    
    (cherry picked from commit 3b862ae614fae795e3312c0b298cc3c2b33a698f)
    
    # Conflicts:
    #       src/owasp-dependency-check-suppressions.xml
---
 pom.xml                                     |  2 +-
 src/owasp-dependency-check-suppressions.xml | 47 ++++++-----------------------
 2 files changed, 10 insertions(+), 39 deletions(-)

diff --git a/pom.xml b/pom.xml
index 47fa6705f15..58ae756c735 100644
--- a/pom.xml
+++ b/pom.xml
@@ -296,7 +296,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
     <j2objc-annotations.version>1.3</j2objc-annotations.version>
     <lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
-    <dependency-check-maven.version>8.1.2</dependency-check-maven.version>
+    <dependency-check-maven.version>8.2.1</dependency-check-maven.version>
     <roaringbitmap.version>0.9.44</roaringbitmap.version>
     <extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
     <oshi.version>6.4.0</oshi.version>
diff --git a/src/owasp-dependency-check-suppressions.xml 
b/src/owasp-dependency-check-suppressions.xml
index dd95cbc1025..311204ac370 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -199,49 +199,20 @@
         <cve>CVE-2021-42550</cve>
     </suppress>
 
-    <!-- jetcd matched against ETCD server CVEs-->
     <suppress>
-        <notes><![CDATA[
-       file name: jetcd-core-0.5.11.jar
-       ]]></notes>
-        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
-        <cve>CVE-2020-15106</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-       file name: jetcd-core-0.5.11.jar
-       ]]></notes>
-        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
-        <cve>CVE-2020-15112</cve>
+        <notes>Ignore etdc CVEs in jetcd</notes>
+        <filePath regex="true">.*jetcd.*</filePath>
+        <cpe>cpe:/a:etcd:etcd</cpe>
     </suppress>
     <suppress>
-        <notes><![CDATA[
-       file name: jetcd-core-0.5.11.jar
-       ]]></notes>
-        <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
-        <cve>CVE-2020-15113</cve>
+        <notes>Ignore etdc CVEs in jetcd</notes>
+        <filePath regex="true">.*jetcd.*</filePath>
+        <cpe>cpe:/a:redhat:etcd</cpe>
     </suppress>
-
     <suppress>
-        <notes><![CDATA[
-       file name: jetcd-common-0.5.11.jar
-       ]]></notes>
-        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
-        <cve>CVE-2020-15106</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-       file name: jetcd-common-0.5.11.jar
-       ]]></notes>
-        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
-        <cve>CVE-2020-15112</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-       file name: jetcd-common-0.5.11.jar
-       ]]></notes>
-        <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
-        <cve>CVE-2020-15113</cve>
+        <notes>Ignore grpc CVEs in jetcd</notes>
+        <filePath regex="true">.*jetcd-grpc.*</filePath>
+        <cpe>cpe:/a:grpc:grpc</cpe>
     </suppress>
 
     <!-- bouncycastle misdetections -->
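Review bot: The replacement suppressions at L63–L65, L73–L75 and L98–L100 trade sha1- and CVE-pinned entries for an open-ended match: `<filePath regex="true">.*jetcd.*</filePath>` combined with a vendor-level `<cpe>` silences every present and future etcd (or grpc) CVE for any artifact whose path merely contains "jetcd", and none of the three carries an `until` attribute that would force a re-review. If the intent is only to stop the jetcd client being misidentified as the etcd server, consider anchoring the regex to the actual jar names, e.g. `<filePath regex="true">.*jetcd-(core|common|api|grpc)-[^/\\]*\.jar</filePath>` (constructed example), and adding `until="<REVIEW-DATE>"` so the blanket suppression expires rather than persisting across jetcd upgrades. The `<notes>` text on L63 and L73 also misspells the project as "etdc"; `<notes>Ignore etcd CVEs in jetcd</notes>` would read correctly and makes the suppression searchable.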
