Fix CVE errors (apache#16147)

* Fix CVE errors * Update pac4j * Update nimbus.jose.jwt.version * Change pac4j version to 5.7.3 * Change pac4j version to 5.3.1 * Revert pac4j version change * Update pac4j comment
monetate · Apr 5, 2024 · af24cc8 · af24cc8
1 parent f55c9e5
commit af24cc8
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -664,4 +664,32 @@
     ]]></notes>
     <cve>CVE-2023-36415</cve>
   </suppress>
+  <suppress>
+    <!-- Used in Pac4j. Pac4j versions (such as v5.7.3) corresponding
+    to the safe nimbus-jose-jwt v9.37.2 are incompatible with druid as they don't support JDK 8
+    https://www.pac4j.org/docs/alldocs.html -->
+
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-8.22.1.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Used in Azure dependencies.
+    Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas bug resolved in 9.37.2 -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-9.30.2.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Legit issues but currently use the latest ranger-plugins-audit jar v2.4.0 -->
+    <notes><![CDATA[
+     file name: solr-solrj-8.11.2.jar
+     ]]></notes>
+    <cve>CVE-2023-50291</cve>
+    <cve>CVE-2023-50298</cve>
+    <cve>CVE-2023-50386</cve>
+    <cve>CVE-2023-50292</cve>
+  </suppress>
 </suppressions>