kezhuw commented on code in PR #2288: URL: https://github.com/apache/zookeeper/pull/2288#discussion_r2248712696
########## owaspSuppressions.xml: ########## @@ -18,6 +18,11 @@ --> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd";> + <suppress> + <!-- ZooKeeper is not affected, because HttpURI is not used in our code. + see: ZOOKEEPER-4876 --> Review Comment: ```suggestion <!-- We have upgraded jetty[1] to 9.4.57.v20241219[2] which includes a fix[3] for CVE-2024-6763[4]. But it is not listed as fixed version since 9.x is EOL[5]. So we still have to suppress this to pass vulnerabilities check. Besides above, ZooKeeper does not use HttpURI[6] thus should not be affected by this CVE anyway. Refs: [1]: https://github.com/apache/zookeeper/pull/2220 [2]: https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219 [3]: https://github.com/jetty/jetty.project/pull/12532 [4]: https://github.com/advisories/GHSA-qh8g-58pp-2wxh [5]: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611 [6]: https://issues.apache.org/jira/browse/ZOOKEEPER-4876 --> ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
