[GitHub] [pulsar] lhotari commented on a change in pull request #13716: Updating dependencies (guava and what brought in older guava) to get rid of the guava-related CVE-2018-10237 and CVE-2020-8908

Mon, 17 Jan 2022 01:22:50 -0800 


lhotari commented on a change in pull request #13716:
URL: https://github.com/apache/pulsar/pull/13716#discussion_r785771348



##########
File path: src/owasp-dependency-check-suppressions.xml
##########
@@ -41,4 +41,96 @@
     <gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
     <vulnerabilityName regex="true">.*</vulnerabilityName>
   </suppress>
-</suppressions>
\ No newline at end of file
+  <!-- see https://github.com/alibaba/canal/issues/4010 -->
+  <suppress>
+     <notes><![CDATA[
+       file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <cpe>cpe:/a:google:guava</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <vulnerabilityName>CVE-2018-10237</vulnerabilityName>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+     <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: rocketmq-acl-4.5.2.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.apache\.rocketmq/rocketmq\-acl@.*$</packageUrl>
+     <cpe>cpe:/a:apache:rocketmq</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
+   </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:springsource:spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:vmware:spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-classic-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+     <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+     <vulnerabilityName>CVE-2017-5929</vulnerabilityName>
+   </suppress>

Review comment:
       Please revisit the suppression rules since a lot of the rules would also 
match any future CVEs.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to