JooHyukKim commented on code in PR #20792:
URL: https://github.com/apache/pulsar/pull/20792#discussion_r1267470282
##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -181,6 +181,16 @@
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2021-25263</cve>
</suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.4.6-all.jar
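Review bot: the visible part of the new `<suppress>` entry's `<notes>` names only the file (`file name: clickhouse-jdbc-0.4.6-all.jar`); per the error log below, the finding on that jar is CVE-2023-2976 reported against the Guava pom.xml shaded inside it, so the notes should say why that CVE does not apply to Pulsar's use of the connector. Pin the entry the way the preceding one is (`<sha1>` plus `<cve>`) rather than by file name alone, and consider an `until=` date on the `<suppress>` so the suppression is revisited when clickhouse-jdbc is upgraded instead of silencing the jar indefinitely.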
Review Comment:
@tisonkun May I ask you for another GitHub workflow trigger? Because while verifying this PR locally, the OWASP check that I ran failed on
- `clickhouse-jdbc-0.4.6-all.jar` and
- `canal.client-1.1.5.jar`
yesterday, but today we are failing on a bunch.
FYI, the command used:
```shell
mvn -B -ntp verify -PskipDocker,skip-all,owasp-dependency-check \
  -Dcheckstyle.skip=true -DskipTests \
  -pl '!pulsar-sql,!distribution/server,!distribution/io,!distribution/offloaders,!pulsar-sql/presto-distribution,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs,!pulsar-io/jdbc/openmldb'
```
<details><summary>Error Log</summary>

```log
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
[ERROR] avro-1.8.2.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
[ERROR] clickhouse-jdbc-0.4.6-all.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
[ERROR] flume-ng-core-1.9.0.jar: CVE-2022-25167(9.8), CVE-2022-34916(9.8), CVE-2022-42468(9.8)
[ERROR] flume-ng-node-1.9.0.pom: CVE-2022-25167(9.8), CVE-2022-34916(9.8), CVE-2022-42468(9.8)
[ERROR] flume-ng-node-1.9.0.pom: CVE-2022-25167(9.8), CVE-2022-34916(9.8), CVE-2022-42468(9.8)
[ERROR] hadoop-auth-2.10.0.jar: CVE-2022-25168(9.8), CVE-2022-26612(9.8), CVE-2020-9492(8.8), CVE-2021-25642(8.8), CVE-2021-33036(8.8), CVE-2021-37404(9.8)
[ERROR] hadoop-common-2.10.0.jar: CVE-2022-25168(9.8), CVE-2022-26612(9.8), CVE-2020-9492(8.8), CVE-2021-25642(8.8), CVE-2021-33036(8.8), CVE-2018-8009(8.8), CVE-2021-37404(9.8)
[ERROR] hadoop-common-2.10.2.jar: CVE-2022-26612(9.8), CVE-2018-8009(8.8)
[ERROR] hadoop-shaded-guava-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
[ERROR] hadoop-shaded-protobuf_3_7-1.1.1.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml: CVE-2022-3171(7.5), CVE-2022-3509(7.5)
[ERROR] hadoop-yarn-server-common-2.10.2.jar: CVE-2022-26612(9.8)
[ERROR] hbase-hadoop2-compat-2.4.16.jar: CVE-2022-25168(9.8), CVE-2022-26612(9.8), CVE-2020-9492(8.8), CVE-2018-8029(8.8), CVE-2021-33036(8.8), CVE-2016-6811(8.8), CVE-2018-8009(8.8), CVE-2017-3162(7.3), CVE-2018-11768(7.5)
[ERROR] hbase-protocol-shaded-2.4.16.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485(9.8), CVE-2019-16942(9.8), CVE-2020-35491(8.1), CVE-2020-35490(8.1), CVE-2017-7525(9.8), CVE-2018-11307(9.8), CVE-2018-7489(9.8), CVE-2020-36518(7.5), CVE-2020-10650(8.1), CVE-2020-8840(9.8), CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] hbase-shaded-miscellaneous-4.1.4.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
[ERROR] jackson-mapper-asl-1.9.13.jar: CVE-2017-7525(9.8), CVE-2019-10172(7.5)
[ERROR] jersey-core-1.9.jar: CVE-2014-3643(7.5)
[ERROR] json-smart-2.3.jar: CVE-2023-1370(7.5), CVE-2021-31684(7.5)
[ERROR] json-smart-2.4.7.jar: CVE-2023-1370(7.5)
[ERROR] kerb-server-1.0.1.jar: CVE-2023-25613(9.8)
[ERROR] kerby-xdr-1.0.1.jar: CVE-2023-25613(9.8)
[ERROR] libthrift-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
[ERROR] logback-core-1.2.3.jar: CVE-2021-42550(6.6)
[ERROR] mina-core-2.0.4.jar: CVE-2019-0231(7.5)
[ERROR] netty-3.10.6.Final.jar: CVE-2019-16869(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1), CVE-2020-11612(7.5), CVE-2022-41881(7.5)
[ERROR] nimbus-jose-jwt-4.41.1.jar: CVE-2019-17195(9.8)
[ERROR] nimbus-jose-jwt-9.8.1.jar/META-INF/maven/net.minidev/json-smart/pom.xml: CVE-2023-1370(7.5), CVE-2021-31684(7.5)
[ERROR] okhttp-2.7.5.jar: CVE-2021-0341(7.5)
[ERROR] okhttp-3.14.9.jar: CVE-2021-0341(7.5)
[ERROR] token-provider-1.0.1.jar: CVE-2023-25613(9.8)
[ERROR] velocity-1.7.jar: CVE-2020-13936(8.8)
[ERROR] wildfly-elytron-credential-1.15.1.Final.jar: CVE-2022-3143(7.4)
[ERROR] wildfly-elytron-password-impl-1.15.1.Final.jar: CVE-2022-3143(7.4)
[ERROR] wildfly-elytron-x500-1.15.1.Final.jar: CVE-2022-3143(7.4)
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]
```
</details>
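An added triage helper for the kind of failing run shown in the comment above, written for this thread and not part of Apache Pulsar's or dependency-check's own tooling. It re-joins the mail-wrapped `[ERROR]` lines into `(artifact, CVE, CVSS)` findings, loads a dependency-check suppressions file, and reports which findings a suppression already covers, which remain open, and which suppressions are broader than they need to be (no `<sha1>`/`<filePath>` scope, no `<cve>`, no `until=` date, or notes that give only the file name, as the new entry in the hunk does). Assumptions: the suppressions file declares the standard dependency-suppression 1.3 namespace; a literal `<filePath>` is matched as a suffix and a `regex="true"` one as a full match against the artifact string printed in the log, which approximates rather than reproduces dependency-check's matcher; the `packageUrl`, `cpe` and `vulnerabilityName` selectors are not modelled; the sample log lines, the sample suppressions, their justification text and the all-zero sha1 are constructed.

```python
"""Triage a failing OWASP dependency-check run: added example for this thread, not Pulsar's own code.
Parses the "[ERROR] <artifact>: CVE-x(score), ..." lines plus a suppressions XML and reports which
findings a suppression covers, which stay open, and which suppressions are broader than needed."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"  # schema namespace
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<artifact>\S+):\s+(?P<rest>CVE-.*)$")

@dataclass(frozen=True)
class Finding:
    artifact: str  # "x.jar", or "x.jar/META-INF/maven/<g>/<a>/pom.xml" when the CVE is in a bundled library
    cve: str
    score: float

    @property
    def jar(self) -> str:
        return self.artifact.split("/", 1)[0]

def parse_findings(log: str) -> list[Finding]:
    """Continuation lines without the '[ERROR]' prefix (mail-client wrapping) are re-joined first."""
    joined: list[str] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("[ERROR]"):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line
    out: list[Finding] = []
    for line in joined:
        if m := LINE_RE.match(line):  # banner lines ("See the dependency-check report ...") do not match
            out += [Finding(m["artifact"], c, float(s)) for c, s in CVE_RE.findall(m["rest"])]
    return out

@dataclass(frozen=True)
class Suppression:
    notes: str
    sha1: str | None
    file_path: re.Pattern | None  # from <filePath>; packageUrl/cpe/vulnerabilityName are not modelled here
    cves: frozenset[str]
    until: str | None

    def covers(self, f: Finding, sha1_by_jar: dict[str, str]) -> bool:
        """Approximates dependency-check's matching against the artifact string printed in the log."""
        if self.cves and f.cve not in self.cves:
            return False
        if self.sha1 is not None:  # the log carries no hashes, so the caller supplies the ones it knows
            return sha1_by_jar.get(f.jar, "").lower() == self.sha1.lower()
        if self.file_path is not None:
            return self.file_path.fullmatch(f.artifact) is not None
        return True  # no file scope at all: the suppression matches every dependency

    def hygiene(self) -> list[str]:
        # warnings for a suppression that is broader or longer-lived than it needs to be
        justified = any(ln.strip() and not ln.lstrip().lower().startswith("file name:") for ln in self.notes.splitlines())
        checks = [(self.sha1 is None and self.file_path is None, "no <sha1>/<filePath>: applies to every dependency"),
                  (not self.cves, "no <cve>: silences every finding on the matched file"),
                  (self.until is None, "no until= attribute: never expires"),
                  (not justified, "notes give only the file name, no reason why the CVE does not apply")]
        return [msg for bad, msg in checks if bad]

def load_suppressions(xml_text: str) -> list[Suppression]:
    """Assumes the file declares the standard suppression schema namespace (the 1.3 xsd)."""
    def text(el: ET.Element, tag: str) -> str | None: return (el.findtext(NS + tag) or "").strip() or None
    sups = []
    for s in ET.fromstring(xml_text).iter(NS + "suppress"):
        fp, pattern = s.find(NS + "filePath"), None
        if fp is not None and fp.text:  # literal <filePath> is treated as a suffix match, regex="true" as a full match
            pattern = re.compile(fp.text.strip() if fp.get("regex") == "true" else ".*" + re.escape(fp.text.strip()))
        sups.append(Suppression(text(s, "notes") or "", text(s, "sha1"), pattern,
                                frozenset(c.text.strip() for c in s.findall(NS + "cve") if c.text), s.get("until")))
    return sups

def triage(log: str, xml_text: str, sha1_by_jar: dict[str, str]) -> dict:
    sups = load_suppressions(xml_text)
    covered, still_open = [], []
    for f in parse_findings(log):
        (covered if any(s.covers(f, sha1_by_jar) for s in sups) else still_open).append(f)
    return {"covered": covered, "open": still_open,
            "warnings": {i: s.hygiene() for i, s in enumerate(sups) if s.hygiene()}}

# Constructed sample: lines taken from the thread's log in the wrapped form the mail shows, plus a banner line.
SAMPLE_LOG = """[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
[ERROR]
clickhouse-jdbc-0.4.6-all.jar/META-INF/maven/com.google.guava/guava/pom.xml:
CVE-2023-2976(7.1)
[ERROR] json-smart-2.3.jar: CVE-2023-1370(7.5), CVE-2021-31684(7.5)
[ERROR] json-smart-2.4.7.jar: CVE-2023-1370(7.5)
[ERROR] See the dependency-check report for more details."""
# Constructed suppressions: one scoped and justified, one pinned by a placeholder sha1 but unjustified, one sloppy.
SAMPLE_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2024-01-01Z"><notes><![CDATA[file name: clickhouse-jdbc-0.4.6-all.jar
CVE-2023-2976 is in the shaded Guava pom; the affected Guava class is not reachable (constructed reason)]]></notes>
<filePath regex="true">.*clickhouse-jdbc-.*\\.jar/META-INF/maven/com\\.google\\.guava/guava/pom\\.xml</filePath>
<cve>CVE-2023-2976</cve></suppress>
<suppress><notes><![CDATA[file name: api-util-1.0.0-M20.jar]]></notes>
<sha1>0000000000000000000000000000000000000000</sha1><cve>CVE-2018-1337</cve></suppress>
<suppress><notes><![CDATA[temporary, fix later]]></notes><filePath>json-smart-2.4.7.jar</filePath></suppress>
</suppressions>"""
SAMPLE_SHA1 = {"api-util-1.0.0-M20.jar": "0000000000000000000000000000000000000000"}  # placeholder hash

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_XML, SAMPLE_SHA1))
```

On the constructed sample the two `json-smart-2.3.jar` findings stay open, the clickhouse suppression is clean, the sha1-pinned one is flagged for having no expiry and no justification, and the `json-smart-2.4.7.jar` one for silencing every CVE on that jar. For a real run, paste the `[ERROR]` block from the Maven output, point it at `src/owasp-dependency-check-suppressions.xml`, and pass the sha1 of each jar that a suppression pins by hash.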
--
This is an automated message from the Apache Git Service.