Skip to content

Commit

Permalink
CVE suppression for various dependencies. (#17307)
Browse files Browse the repository at this point in the history
  • Loading branch information
cryptoe authored and abhishekagarwal87 committed Oct 9, 2024
1 parent 9b42fb1 commit dee6666
Showing 1 changed file with 38 additions and 0 deletions.
38 changes: 38 additions & 0 deletions owasp-dependency-check-suppressions.xml
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,10 @@
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2024-7254</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-47554</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-47561</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-29131</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
</suppress>

<!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
Expand Down Expand Up @@ -708,4 +712,38 @@
]]></notes>
<vulnerabilityName>CVE-2022-1271</vulnerabilityName>
</suppress>

<suppress>
<notes><![CDATA[
file name: jakarta.el-3.0.4.jar
]]></notes>
<vulnerabilityName>CVE-2024-9329</vulnerabilityName>
</suppress>

<suppress>
<!-- The CVE is present in ORC module which cannot be upgraded since they have dropped support for java 8 -->
<notes><![CDATA[
file name: aircompressor-0.21.jar
]]></notes>
<vulnerabilityName>CVE-2024-36114</vulnerabilityName>
</suppress>

<suppress>
<!-- CVE-2022-4244 is affecting plexus-utils package,
plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<notes><![CDATA[
file name: plexus-component-annotations-1.7.1.jar
]]></notes>
<vulnerabilityName>CVE-2022-4244</vulnerabilityName>
</suppress>


<suppress>
<!-- Not affected by this CVE since we donot use lucene directly-->
<notes><![CDATA[
file name: lucene-core-8.4.0.jar
]]></notes>
<vulnerabilityName>CVE-2024-45772</vulnerabilityName>
</suppress>

</suppressions>

0 comments on commit dee6666

Please sign in to comment.