Author: gk
Date: Mon Jan 18 12:40:07 2021
New Revision: 1885644

URL: http://svn.apache.org/viewvc?rev=1885644&view=rev
Log:
- fixed one vulnerability and suppressed another

Modified:
    db/torque/trunk/suppression-owasp-fp.xml
    db/torque/trunk/torque-maven-plugin/pom.xml

Modified: db/torque/trunk/suppression-owasp-fp.xml
URL: 
http://svn.apache.org/viewvc/db/torque/trunk/suppression-owasp-fp.xml?rev=1885644&r1=1885643&r2=1885644&view=diff
==============================================================================
--- db/torque/trunk/suppression-owasp-fp.xml (original)
+++ db/torque/trunk/suppression-owasp-fp.xml Mon Jan 18 12:40:07 2021
@@ -18,7 +18,7 @@
  under the License.
 -->
 <!-- general cft. 
https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
-<suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd";>
+<suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
   <!-- https://issues.apache.org/jira/browse/LOG4J2-1863 i.e. log4j 2.8.2 
fixes, but affected versions match only log4j2 2.x, not log4j 1.x -->
   <suppress>
      <notes><![CDATA[
@@ -35,4 +35,13 @@
      <gav regex="true">^org\.codehaus\.groovy:groovy-.*:.*$</gav>
      <cve>CVE-2016-6497</cve>
   </suppress>
+   <!-- fixed: updated log4j2 to 2.14.0 (2.13.2 or later) -->
+    <suppress>
+       <notes><![CDATA[
+       file name: failureaccess-1.0.1.jar
+       ]]></notes>
+       <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/failureaccess@.*$</packageUrl>
+       <cve>CVE-2020-8908</cve>
+    </suppress>
+    <!-- fixed: updated to guava 30.0 or later -->
 </suppressions>
\ No newline at end of file
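Review bot: The new `<notes>` block for CVE-2020-8908 records only the jar file name, so nothing in the file explains why the finding is a false positive for `failureaccess`. CVE-2020-8908 concerns Guava's `Files.createTempDir()`, and as far as I know the separate `failureaccess` artifact does not ship that class; I would say so in the notes, e.g. `false positive: CVE-2020-8908 is in guava's Files.createTempDir(), which failureaccess does not contain`. The two `fixed:` comments are also ambiguous: the log4j2 one sits directly above the guava suppression and names no CVE, and the guava one follows a suppression that matches every version (`@.*$`), so a reader cannot tell whether guava itself was upgraded or only suppressed. Naming the CVE id in each comment and placing it next to the entry it refers to would keep the audit trail readable.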

Modified: db/torque/trunk/torque-maven-plugin/pom.xml
URL: 
http://svn.apache.org/viewvc/db/torque/trunk/torque-maven-plugin/pom.xml?rev=1885644&r1=1885643&r2=1885644&view=diff
==============================================================================
--- db/torque/trunk/torque-maven-plugin/pom.xml (original)
+++ db/torque/trunk/torque-maven-plugin/pom.xml Mon Jan 18 12:40:07 2021
@@ -94,7 +94,7 @@
     <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-slf4j-impl</artifactId>
-        <version>2.13.0</version>
+        <version>${log4j2.version}</version>
     </dependency>
     
      <dependency>
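Review bot: `${log4j2.version}` is not defined anywhere in this commit, so the version that `log4j-slf4j-impl` actually resolves to cannot be checked from the diff; presumably it comes from a parent pom. Since the comment added to the suppression file says the fix needs 2.13.2 or later, it is worth confirming the effective version with `mvn dependency:tree` and adding a short comment such as `<!-- version managed in parent pom via log4j2.version -->`. Any other log4j2 artifacts declared in this pom (outside the hunk) should use the same property so that the modules cannot end up on different versions.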


