

Suppress CVE's in master (apache#15231)
LakshSingla authored Oct 27, 2023
1 parent e9b7e4a commit 7c8e841
Showing 2 changed files with 33 additions and 3 deletions.
2 changes: 2 additions & 0 deletions distribution/bin/check-licenses.py
Expand Up @@ -266,6 +266,8 @@ def build_compatible_license_names():
compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License v1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License - v1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License - v 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['EPL 1.0'] = 'Eclipse Public License 1.0'

compatible_licenses['Eclipse Public License 2.0'] = 'Eclipse Public License 2.0'
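Review bot: The hunk grows the hand-maintained alias table in build_compatible_license_names by two more spellings of the same license (the page has lost the +/- markers, but the +2 count suggests the `- v1.0` and `- v 1.0` keys are the new ones), and every future variant will need yet another entry. A small normalization before lookup (lower-casing and collapsing the `-`, `v` and spaces around the version) would absorb such variants without edits; if exact-string matching is deliberate, a comment above the table such as `# keys are the exact license strings as emitted in the dependency reports` would make that intent clear. The function body starts before the hunk.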
34 changes: 31 additions & 3 deletions owasp-dependency-check-suppressions.xml
Expand Up @@ -759,13 +759,15 @@
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
</suppress>
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
<notes><![CDATA[
file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/[email protected])
]]></notes>
<vulnerabilityName>prototype pollution</vulnerabilityName>
<cve>CVE-2020-28458</cve>
</suppress>
<suppress>
<notes><![CDATA[
Expand Down Expand Up @@ -805,10 +807,36 @@

<!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5973
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>

<!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its
~ transitive dependency use json-java which contains the vulnerability-->
<suppress base="true">
<cve>CVE-2023-5072</cve>
</suppress>

<!--
~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
~ older ZK library is still compatible with.
-->
<suppress>
<notes><![CDATA[
file name: zookeeper-3.5.10.jar
]]></notes>
<cve>CVE-2023-44981</cve>
</suppress>

<!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
~ however Druid enables it in ChannelResourceFactory therefore this is a false positive-->
<suppress>
<notes><![CDATA[
file name: netty-transport-4.1.100.Final.jar
]]></notes>
<cve>CVE-2023-4586</cve>
</suppress>
</suppressions>
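Review bot: The `<suppress base="true">` block holding `<cve>CVE-2023-5072</cve>` has no `<packageUrl>` (or other artifact selector) and no `<notes>`, so as far as I can tell it mutes that CVE for every artifact in the build rather than for the json-* matches the comment describes; the zookeeper and netty entries below have the same shape, and their `<notes>` file name is informational in dependency-check rather than a match criterion. Scoping each suppression to its artifact, as the plexus-interpolation entry earlier in the hunk does, keeps the scanner effective if a genuinely affected dependency appears later, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper@.*$</packageUrl>` next to the zookeeper `<cve>`. The comment on the zookeeper block also doubles "only" and misspells "recommended". In the first hunk, the note on CVE-2023-44487 reads as if Jetty bundles Hadoop; presumably the intended meaning is the Jetty version bundled by Hadoop, and the `<suppress>` element that note sits in opens before the hunk starts.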
