Suppress CVE's in master #15231
Merged
Suppress CVE's in master #15231
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java - https://github.com/jeremylong/DependencyCheck/issues/5991 --> | ||
| <suppress base="true"> | ||
| <notes><
There was a problem hiding this comment.
what does this mean? What issue does it refer to?
There was a problem hiding this comment.
This is picked up from a description in https://github.com/jeremylong/DependencyCheck which suppresses it. There's another suppression in the suppression file here which also does the same, so I assumed that it's standard to add it in the notes.
I'll clean up the suppression.
| @@ -811,4 +813,25 @@ | |||
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl> | |||
| <cve>CVE-2022-4244</cve> | |||
| </suppress> | |||
|
|
|||
| <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java - https://github.com/jeremylong/DependencyCheck/issues/5991 --> | |||
There was a problem hiding this comment.
we don't use json-java at all. "flags all versions of json-java" text seems unrelated to why we are suppressing it.
Comment on lines
+825
to
+829
| <!-- | ||
| ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only | ||
| ~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file, | ||
| ~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's | ||
| ~ older ZK library is still compatible with. |
|
Cleaned up the CVE notes and addressed the comments |
abhishekagarwal87
approved these changes
Oct 26, 2023
|
Thanks @abhishekagarwal87 for the review. |
LakshSingla
added a commit
to LakshSingla/druid
that referenced
this pull request
Oct 27, 2023
cryptoe
pushed a commit
that referenced
this pull request
Oct 27, 2023
CaseyPan
pushed a commit
to CaseyPan/druid
that referenced
this pull request
Nov 17, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR suppresses the following CVE's
<vulnerabilityName>already, however, it was popping up while trying to build the artifact.json-javathat neither Druid nor any of its dependency is using (verified usingmvn dependency:tree. False positive, looks like the CPE identifier is too generic that it is flagging JARs with json- in their name