This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new 4203281  SOLR-16047: Upgrade owasp dependency check plugin to 6.5.3
4203281 is described below

commit 4203281a8f5cbe8d38019bf6d24ef10b1b1d5c71
Author: Kevin Risden <[email protected]>
AuthorDate: Tue Feb 22 18:41:41 2022 -0500

    SOLR-16047: Upgrade owasp dependency check plugin to 6.5.3
---
 build.gradle                                       |  2 +-
 .../owasp-dependency-check/exclusions.xml          | 45 ++++++++--------------
 2 files changed, 18 insertions(+), 29 deletions(-)

diff --git a/build.gradle b/build.gradle
index b76de5b..3618ca6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,7 +21,7 @@ import java.time.format.DateTimeFormatter
 plugins {
   id "base"
   id "com.palantir.consistent-versions" version "2.0.0"
-  id "org.owasp.dependencycheck" version "6.4.1.1"
+  id "org.owasp.dependencycheck" version "6.5.3"
   id 'ca.cutterslade.analyze' version "1.8.3"
   id 'de.thetaphi.forbiddenapis' version '3.2' apply false
   id "de.undercouch.download" version "4.0.2" apply false
diff --git a/gradle/validation/owasp-dependency-check/exclusions.xml 
b/gradle/validation/owasp-dependency-check/exclusions.xml
index a1d5ec2..261f52d 100644
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@@ -23,43 +23,32 @@
 
 <suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
   <suppress>
-    <notes><![CDATA[
-   file name: simple-xml-safe-2.7.1.jar
-   We use a safe fork that fixes this
-   ]]></notes>
+    <notes><![CDATA[simple-xml-safe is a safe xml-safe fork]]></notes>
     <packageUrl 
regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple\-xml\-safe@.*$</packageUrl>
     <cve>CVE-2017-1000190</cve>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-   file name: netty-transport-native-epoll-4.1.29.Final.jar
-   We only use netty as a client towards Zookeeper
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
-    <cpe>cpe:/a:netty:netty</cpe>
+    <notes><![CDATA[apache-mime4j has different releases than apache 
james]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j.*@.*$</packageUrl>
+    <cve>CVE-2021-38542</cve>
+    <cve>CVE-2021-40110</cve>
+    <cve>CVE-2021-40111</cve>
+    <cve>CVE-2021-40525</cve>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-   file name: dirgra-0.3.jar
-   We will sandbox JRuby
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
-    <cpe>cpe:/a:jruby:jruby</cpe>
+    <notes><![CDATA[apache-rat-tasks is not tasks]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.rat/apache\-rat\-tasks@.*$</packageUrl>
+    <cpe>cpe:/a:tasks:tasks</cpe>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-   file name: carrot2-guava-18.0.jar
-   Only used with clustering engine, and the risk is DOS attack
-   ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
-    <cpe>cpe:/a:google:guava</cpe>
+    <notes><![CDATA[zookeeper is not Jetty]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper.*@.*$</packageUrl>
+    <cve>CVE-2021-28164</cve>
+    <cve>CVE-2021-34429</cve>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-   file name: carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0)
-   Only used with clustering engine, and the risk is DOS attack
-   ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-    <cve>CVE-2018-10237</cve>
+    <notes><![CDATA[carrot2-guava-.*.jar - Only used with clustering engine, 
and the risk is DOS attack]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
+    <cpe>cpe:/a:google:guava</cpe>
   </suppress>
 </suppressions>
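Review bot: The carrot2-guava suppression in the last block is keyed on the whole product `<cpe>cpe:/a:google:guava</cpe>`, so it silences every current and future Guava advisory for the shaded Guava 18.0 copy, while the note only justifies one DoS issue. With this commit the separate `<cve>CVE-2018-10237</cve>` entry on `com.google.guava/guava` is dropped (fine for the real artifact, which is now scanned again), which leaves this shaded jar as the only remaining old Guava and hides it completely. Scope the entry to what the note actually assessed by replacing `<cpe>cpe:/a:google:guava</cpe>` with `<cve>CVE-2018-10237</cve>`, and add further `<cve>` lines only after each newly reported Guava CVE (e.g. the later CVE-2020-8908 temp-directory issue, if dependency-check maps it to this jar) has been judged the same way. It would also help to record in the notes why the DoS is considered unreachable — something like `shaded Guava 18.0; only reached through the clustering engine and not exposed to untrusted deserialization` — but only if that has been verified, since nothing in the hunk shows it.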
