This is an automated email from the ASF dual-hosted git repository.

jiangmaolin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shardingsphere.git


The following commit(s) were added to refs/heads/master by this push:
     new 4035cea8bec Suppress false CVE reports for Elasticjob (#38003)
4035cea8bec is described below

commit 4035cea8bec8a9c0943c38d2e8d377c5450814c7
Author: Raigor <[email protected]>
AuthorDate: Wed Feb 11 14:19:34 2026 +0700

    Suppress false CVE reports for Elasticjob (#38003)
    
    * Suppress false CVE reports for Elasticjob
    
    * Fix endline
---
 .github/workflows/nightly-check.yml            |  2 +-
 pom.xml                                        |  7 +++++
 src/resources/dependency-check-suppression.xml | 42 ++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/nightly-check.yml 
b/.github/workflows/nightly-check.yml
index 51f95bb04db..e0f3801e99e 100644
--- a/.github/workflows/nightly-check.yml
+++ b/.github/workflows/nightly-check.yml
@@ -180,7 +180,7 @@ jobs:
             ${{ needs.global-environment.outputs.GLOBAL_CACHE_PREFIX 
}}-maven-third-party-
       - name: Run OWASP Check
         # https://nvd.nist.gov/developers/request-an-api-key
-        run: ./mvnw clean dependency-check:aggregate -DnvdApiKey=${{ 
secrets.NIST_NVD_API_KEY }} -DfailBuildOnCVSS=7 -DskipProvidedScope=true 
-DskipRuntimeScope=true
+        run: ./mvnw clean dependency-check:aggregate -DnvdApiKey=${{ 
secrets.NIST_NVD_API_KEY }}
       - uses: actions/upload-artifact@v4
         if: always()
         with:
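Review bot: The new `run:` line no longer shows the CVSS gate or the scope filters, so someone reading this workflow has no way to tell the job still fails on CVSS >= 7 and what is excluded; only the NVD key comment survives above it. The thresholds now appear to live in the `dependency-check-maven` configuration in `pom.xml`, so a one-line pointer beside the existing comment would keep the step self-explanatory: `# failBuildOnCVSS, scope filters and the suppression file are configured on dependency-check-maven in pom.xml`. Note that the previous invocation skipped only provided and runtime scope; whether the pom configuration changes that set is not visible from this hunk.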
diff --git a/pom.xml b/pom.xml
index f5cb52e75db..f7206651804 100644
--- a/pom.xml
+++ b/pom.xml
@@ -961,6 +961,13 @@
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
                     <version>${dependency-check-maven.version}</version>
+                    <configuration>
+                        <failBuildOnCVSS>7</failBuildOnCVSS>
+                        <skipProvidedScope>true</skipProvidedScope>
+                        <skipRuntimeScope>true</skipRuntimeScope>
+                        <skipTestScope>true</skipTestScope>
+                        
<suppressionFile>${maven.multiModuleProjectDirectory}/src/resources/dependency-check-suppression.xml</suppressionFile>
+                    </configuration>
                 </plugin>
             </plugins>
         </pluginManagement>
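Review bot: `<skipTestScope>true</skipTestScope>` is a new exclusion that was not part of the old `-DskipProvidedScope=true -DskipRuntimeScope=true` command line in the workflow hunk, yet the commit message only mentions suppressing false positives, so the scan now silently covers fewer dependencies than before. If dropping test scope is intended, say so where the setting lives, e.g. `<!-- test scope excluded: test-only artifacts are not shipped; provided/runtime excluded as before -->`, and consider mentioning it in the PR description; if not, remove the line. This block sits under `<pluginManagement>`, and the nightly job invokes `dependency-check:aggregate` directly from the command line rather than through a bound execution; Maven 3 does apply managed configuration to goals invoked that way, but it is worth a comment so nobody later "cleans up" the plugin into `<plugins>` and changes the effective settings.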
diff --git a/src/resources/dependency-check-suppression.xml 
b/src/resources/dependency-check-suppression.xml
new file mode 100644
index 00000000000..85bbcc6d265
--- /dev/null
+++ b/src/resources/dependency-check-suppression.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
+    <!-- Apache ShardingSphere -->
+    <suppress>
+        <notes>Elasticjob was incorrectly identified as Apache 
ShardingSphere</notes>
+        <cve>CVE-2022-45347</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticjob was incorrectly identified as Apache 
ShardingSphere</notes>
+        <cve>CVE-2023-28754</cve>
+    </suppress>
+    <!-- Apache ZooKeeper -->
+    <suppress>
+        <notes>Elasticjob was incorrectly identified as Apache 
ZooKeeper</notes>
+        <cve>CVE-2018-8012</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticjob was incorrectly identified as Apache 
ZooKeeper</notes>
+        <cve>CVE-2023-44981</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticjob was incorrectly identified as Apache 
ZooKeeper</notes>
+        <cve>CVE-2016-5017</cve>
+    </suppress>
+</suppressions>
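Review bot: Every `<suppress>` entry matches on `<cve>` alone, which suppresses that CVE for every dependency in the aggregate report, not just for the misidentified Elasticjob artifacts. If a genuine Apache ZooKeeper artifact is also present in the aggregated dependency tree at an affected version, CVE-2018-8012, CVE-2023-44981 and CVE-2016-5017 would be hidden for it as well, which defeats the purpose of the gate; the same applies to the ShardingSphere entries. Scope each suppression to the Elasticjob coordinates with a `<packageUrl regex="true">` (the schema referenced on the `xmlns` line supports it), and consider suppressing the wrong `<cpe>` match instead of individual CVEs so future CVEs tied to the same misidentification do not each need a new entry; an `until="YYYY-MM-DD"` attribute on `<suppress>` would also force periodic review of whether the misidentification persists. A scoped version of one entry is shown below; the remaining entries follow the same shape.

```xml
<!-- … unchanged: XML declaration and license header … -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Apache ShardingSphere: CPE false positive on Elasticjob artifacts only -->
    <suppress>
        <notes>Elasticjob was incorrectly identified as Apache ShardingSphere</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.shardingsphere\.elasticjob/.*$</packageUrl>
        <cve>CVE-2022-45347</cve>
    </suppress>
    <!-- … unchanged: remaining entries, each with the same packageUrl scope … -->
</suppressions>
```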
