Skip to content

Commit

Permalink
Resolve reported CVEs (apache#15081)
Browse files Browse the repository at this point in the history
  • Loading branch information
tejaswini-imply authored and ektravel committed Oct 16, 2023
1 parent fd737b9 commit 7f51cf5
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 1 deletion.
10 changes: 10 additions & 0 deletions owasp-dependency-check-suppressions.xml
Original file line number Diff line number Diff line change
Expand Up @@ -758,6 +758,7 @@
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
</suppress>
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
Expand Down Expand Up @@ -801,4 +802,13 @@
<cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 -->
<cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 -->
</suppress>

<!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base="true">
<notes><![CDATA[
FP per issue #5973
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
</suppressions>
2 changes: 1 addition & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -810,7 +810,7 @@
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.3</version>
<version>1.1.10.4</version>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
Expand Down

0 comments on commit 7f51cf5

Please sign in to comment.