[GitHub] [pulsar] dlg99 commented on a change in pull request #13716: Updating dependencies (guava and what brought in older guava) to get rid of the guava-related CVE-2018-10237 and CVE-2020-8908

Tue, 18 Jan 2022 14:00:54 -0800 


dlg99 commented on a change in pull request #13716:
URL: https://github.com/apache/pulsar/pull/13716#discussion_r787185300



##########
File path: src/owasp-dependency-check-suppressions.xml
##########
@@ -41,4 +41,96 @@
     <gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
     <vulnerabilityName regex="true">.*</vulnerabilityName>
   </suppress>
-</suppressions>
\ No newline at end of file
+  <!-- see https://github.com/alibaba/canal/issues/4010 -->
+  <suppress>
+     <notes><![CDATA[
+       file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <cpe>cpe:/a:google:guava</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <vulnerabilityName>CVE-2018-10237</vulnerabilityName>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+     <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+     <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: rocketmq-acl-4.5.2.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.apache\.rocketmq/rocketmq\-acl@.*$</packageUrl>
+     <cpe>cpe:/a:apache:rocketmq</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
+   </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:springsource:spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:vmware:spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: spring-core-3.2.18.RELEASE.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+     <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-classic-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+     <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: logback-core-1.1.3.jar
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+     <vulnerabilityName>CVE-2017-5929</vulnerabilityName>
+   </suppress>

Review comment:
       @lhotari Ended up upgrading canal and spring; excluded lgback, guava is 
shaded with canal but I set packageUrl to match specific guava version. 
   I don't think I can do anything else with the matcher there. We can consider 
using something like `suppress until="2023-01-01Z"` to force review of the 
suppressions but this can go as a separate PR if we agree on this approach.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to