lhotari commented on a change in pull request #13716:
URL: https://github.com/apache/pulsar/pull/13716#discussion_r788334656
##########
File path: src/owasp-dependency-check-suppressions.xml
##########
@@ -41,4 +41,96 @@
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
-</suppressions>
\ No newline at end of file
+ <!-- see https://github.com/alibaba/canal/issues/4010 -->
+ <suppress>
+ <notes><![CDATA[
+ file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+ <cpe>cpe:/a:google:guava</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+ <vulnerabilityName>CVE-2018-10237</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: canal.client-1.1.4.jar (shaded: com.google.guava:guava:18.0)
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+ <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: logback-core-1.1.3.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+ <cpe>cpe:/a:qos:logback</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: rocketmq-acl-4.5.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.rocketmq/rocketmq\-acl@.*$</packageUrl>
+ <cpe>cpe:/a:apache:rocketmq</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-core-3.2.18.RELEASE.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+ <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-core-3.2.18.RELEASE.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+ <cpe>cpe:/a:springsource:spring_framework</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-core-3.2.18.RELEASE.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+ <cpe>cpe:/a:vmware:spring_framework</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-core-3.2.18.RELEASE.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+ <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: logback-classic-1.1.3.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+ <cpe>cpe:/a:qos:logback</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: logback-core-1.1.3.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+ <vulnerabilityName>CVE-2017-5929</vulnerabilityName>
+ </suppress>
Review comment:
Thanks, that looks better with the sha1 information for targeting the
library. Just wondering if it would make sense to target specific CVEs for each
dependency that gets matched by sha1. The reason for this is that it's possible
that some new CVEs show up in the future. Everyone tends to copy the way the
rules are written for new rules, so there's a long standing consequence in the
way the rules are defined in this case.
If there are multiple CVEs for a single sha1/dep, just adding sufficient
amount of suppression rules where the cve element varies?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
