forked from apache/druid
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Suppress CVE's in master (apache#15231)
- Loading branch information
1 parent
e9b7e4a
commit 7c8e841
Showing
2 changed files
with
33 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -759,13 +759,15 @@ | |
<cve>CVE-2023-1370</cve> | ||
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 --> | ||
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo --> | ||
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> | ||
</suppress> | ||
<suppress> | ||
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar --> | ||
<notes><![CDATA[ | ||
file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/[email protected]) | ||
]]></notes> | ||
<vulnerabilityName>prototype pollution</vulnerabilityName> | ||
<cve>CVE-2020-28458</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
|
@@ -805,10 +807,36 @@ | |
|
||
<!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 --> | ||
<suppress base="true"> | ||
<notes><![CDATA[ | ||
FP per issue #5973 | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl> | ||
<cve>CVE-2022-4244</cve> | ||
</suppress> | ||
|
||
<!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its | ||
~ transitive dependency use json-java which contains the vulnerability--> | ||
<suppress base="true"> | ||
<cve>CVE-2023-5072</cve> | ||
</suppress> | ||
|
||
<!-- | ||
~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only | ||
~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file, | ||
~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's | ||
~ older ZK library is still compatible with. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: zookeeper-3.5.10.jar | ||
]]></notes> | ||
<cve>CVE-2023-44981</cve> | ||
</suppress> | ||
|
||
<!-- | ||
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged, | ||
~ however Druid enables it in ChannelResourceFactory therefore this is a false positive--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: netty-transport-4.1.100.Final.jar | ||
]]></notes> | ||
<cve>CVE-2023-4586</cve> | ||
</suppress> | ||
</suppressions> |