This is an automated email from the ASF dual-hosted git repository.
symat pushed a commit to branch branch-3.8.0
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.8.0 by this push:
new 43255fb ZOOKEEPER-4469: Suppress OWASP false positives related to
Netty TCNative
43255fb is described below
commit 43255fbaeae5cc15e1c596a313d2ab56afcb2155
Author: Enrico Olivelli <[email protected]>
AuthorDate: Mon Feb 14 07:50:43 2022 +0000
ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
More context here:
https://issues.apache.org/jira/browse/ZOOKEEPER-4469
I am also updating the OWASP dependency check
Author: Enrico Olivelli <[email protected]>
Reviewers: Norbert Kalmar <[email protected]>, Mate Szalay-Beko
<[email protected]>
Closes #1817 from eolivelli/ZOOKEEPER-4469
(cherry picked from commit 428e6f92132e19390c81e19f67d5380451acdbe4)
Signed-off-by: Mate Szalay-Beko <[email protected]>
---
owaspSuppressions.xml | 12 ++++++++++++
pom.xml | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 5c4bc33..4bfec6f 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -34,6 +34,18 @@
<!-- https://github.com/jeremylong/DependencyCheck/issues/1653
False positive on Netty 4.x-->
<cve>CVE-2018-12056</cve>
+ <!-- other false positives related to Netty TCNative 4.x -->
+ <cve>CVE-2021-43797</cve>
+ <cve>CVE-2019-16869</cve>
+ <cve>CVE-2015-2156</cve>
+ <cve>CVE-2021-37136</cve>
+ <cve>CVE-2014-3488</cve>
+ <cve>CVE-2021-37137</cve>
+ <cve>CVE-2019-20445</cve>
+ <cve>CVE-2019-20444</cve>
+ <cve>CVE-2021-21295</cve>
+ <cve>CVE-2021-21409</cve>
+ <cve>CVE-2021-21290</cve>
</suppress>
<suppress>
<!-- Seems like false positive - we are not using Prometheus
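Review bot: The eleven `<cve>` entries added after the Netty 4.x suppression are scoped by the matcher (`<packageUrl>`/`<gav>`) of the enclosing `<suppress>` element, which starts outside this hunk, so the hunk alone cannot show whether the rule is restricted to the netty-tcnative artifact; the listed ids are, as far as I can tell, advisories issued against the core Netty artifacts, so a matcher that also covers `io.netty:netty-all` or the codec modules would silently hide genuine findings rather than just the tcnative misattribution. Please confirm the matcher is limited to the tcnative coordinates and make the scope explicit in the comment, e.g. `<!-- ZOOKEEPER-4469: dependency-check misattributes netty-tcnative 4.x to the Netty core CPE; these ids are real Netty core/codec advisories and must stay suppressed only for the tcnative artifact -->`. Consider also adding an `until` attribute on the `<suppress>` element so the rule expires and is re-evaluated after the next dependency-check/Netty upgrade rather than persisting indefinitely.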
diff --git a/pom.xml b/pom.xml
index bb6baa9..c4c66c5 100755
--- a/pom.xml
+++ b/pom.xml
@@ -798,7 +798,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>5.3.0</version>
+ <version>6.5.3</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>