This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new b6da1f564ed [improve][ci] Improve OWASP dependency checks (#21817)
b6da1f564ed is described below
commit b6da1f564edd97cda9484beefa20cac1a5f96d4c
Author: Lari Hotari <[email protected]>
AuthorDate: Fri Dec 29 02:13:24 2023 +0200
[improve][ci] Improve OWASP dependency checks (#21817)
---
.github/workflows/ci-owasp-dependency-check.yaml | 8 ++++----
pom.xml | 2 +-
src/owasp-dependency-check-false-positives.xml | 8 ++++++++
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci-owasp-dependency-check.yaml
b/.github/workflows/ci-owasp-dependency-check.yaml
index 0ee1275bdfe..c63bdb29e03 100644
--- a/.github/workflows/ci-owasp-dependency-check.yaml
+++ b/.github/workflows/ci-owasp-dependency-check.yaml
@@ -40,15 +40,12 @@ jobs:
matrix:
include:
- branch: master
+ - branch: branch-3.2
- branch: branch-3.1
- branch: branch-3.0
- branch: branch-2.11
- branch: branch-2.10
jdk: 11
- - branch: branch-2.9
- jdk: 11
- - branch: branch-2.8
- jdk: 11
steps:
- name: checkout
@@ -84,6 +81,9 @@ jobs:
- name: run OWASP Dependency Check for distribution/server
(-DfailBuildOnAnyVulnerability=true)
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check
initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true
+ - name: run OWASP Dependency Check for distribution/offloaders and
distribution/io
+ run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check
initialize verify -pl distribution/offloaders,distribution/io
+
- name: Upload OWASP Dependency Check reports
uses: actions/upload-artifact@v3
if: always()
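Review bot: The new `run:` line for distribution/offloaders and distribution/io omits `-DfailBuildOnAnyVulnerability=true`, which the preceding server step passes explicitly (its step name even advertises the flag), so a finding in these two modules will not fail the job unless the `owasp-dependency-check` profile in pom.xml sets a failure threshold on its own — otherwise it only surfaces in the uploaded report. If these modules are meant to be gated too, append the flag: `run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/offloaders,distribution/io -DfailBuildOnAnyVulnerability=true`. If report-only is deliberate (for example because these modules still carry known, tracked findings), a comment on the step such as `# report-only: offloaders/io findings are reviewed from the artifact and do not gate the build` would keep the next reader from treating it as an oversight. The job definition starts and continues outside this hunk.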
diff --git a/pom.xml b/pom.xml
index eccc8365eb0..f7b1267f9ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -295,7 +295,7 @@ flexible messaging model and an intuitive client
API.</description>
<errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
<j2objc-annotations.version>1.3</j2objc-annotations.version>
<lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
- <dependency-check-maven.version>8.2.1</dependency-check-maven.version>
+ <dependency-check-maven.version>9.0.7</dependency-check-maven.version>
<roaringbitmap.version>0.9.44</roaringbitmap.version>
<extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
<oshi.version>6.4.0</oshi.version>
diff --git a/src/owasp-dependency-check-false-positives.xml
b/src/owasp-dependency-check-false-positives.xml
index 345be8f4d2c..5abcae4efd5 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -201,4 +201,12 @@
<notes>flat_project is not used at all.</notes>
<cpe>cpe:/a:flat_project:flat</cpe>
</suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ CVE-2023-36479 has been addressed in jetty-servlets-9.4.53.v20231009.jar
and newer
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl>
+ <cve>CVE-2023-36479</cve>
+ </suppress>
</suppressions>
\ No newline at end of file
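Review bot: The new suppression's `<packageUrl>` regex `^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$` matches every version of jetty-servlets, while the note only justifies it for 9.4.53 and newer, so a later downgrade or an older transitive copy would have CVE-2023-36479 silently hidden rather than reported. Narrow the match to the fixed versions, or at least give the entry an expiry so it is re-evaluated, which the suppression schema supports via the `until` attribute, e.g. `<suppress until="2024-12-31Z">`. The `<notes>` would also be more useful if they explained why the scanner still flags a fixed version rather than restating the fix version — e.g. `Pulsar resolves jetty-servlets >= 9.4.53 where CVE-2023-36479 is fixed; the NVD version range still matches it, so this is a false positive`. The file also still ends without a trailing newline after `</suppressions>`.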