2019-12-05 17:34:35 -05:00
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<suppressions xmlns= "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd" >
2023-12-05 00:00:35 -05:00
<!-- False positives -->
2019-12-05 17:34:35 -05:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: json-path-2.3.0.jar jackson-core-2.12.7.jar
]]></notes>
<cve > CVE-2022-45688</cve>
<cve > CVE-2023-35116</cve>
2019-12-05 17:34:35 -05:00
</suppress>
2023-03-23 01:40:06 -04:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: grpc-context-1.27.2.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/io\.grpc/grpc-context@1.27.2$</packageUrl>
<cve > CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE - 2023 - 4785 -->
<cve > CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp - 2023 - 022 -->
<cve > CVE-2023-32732</cve>
2021-07-12 22:58:06 -04:00
</suppress>
2023-03-23 01:40:06 -04:00
2023-11-23 22:55:10 -05:00
<suppress >
<!-- Pulled in by io.kubernetes:client - java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: commons-compress-1.23.0.jar
2023-11-23 22:55:10 -05:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2023-42503</cve>
2023-11-23 22:55:10 -05:00
</suppress>
2021-02-03 18:17:06 -05:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: guava-31.1-jre.jar
]]></notes>
<cve > CVE-2020-8908</cve>
2021-02-03 18:17:06 -05:00
</suppress>
2023-12-05 00:00:35 -05:00
<!-- CVE - 2022 - 4244 is affecting plexus - utils package,
plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base= "true" >
<packageUrl regex= "true" > ^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve > CVE-2022-4244</cve>
<cve > CVE-2022-4245</cve>
2022-11-23 01:05:33 -05:00
</suppress>
2023-12-05 00:00:35 -05:00
2022-09-06 02:16:56 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- This presumably applies to maven build system -->
2022-09-06 02:16:56 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: maven-settings
]]></notes>
<cve > CVE-2021-26291</cve>
2020-09-04 18:22:26 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2020-09-04 18:22:26 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- LDAP authentication check bypass FP no exploitability analysis -->
2020-09-04 18:22:26 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: derby-10.14.2.0.jar
]]></notes>
<cve > CVE-2022-46337</cve>
2020-09-04 18:22:26 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2020-09-04 18:22:26 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- False positive fixed in 9.4.52
https://nvd.nist.gov/vuln/detail/CVE-2023-36479 -->
2020-09-04 18:22:26 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: jetty-servlets-9.4.53.v20231009.jar
]]></notes>
<cve > CVE-2023-36479</cve>
2020-09-04 18:22:26 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2019-12-05 17:34:35 -05:00
<suppress >
<!--
2023-12-05 00:00:35 -05:00
the suppressions here aren't currently applicable, but can be resolved once we update the version
2019-12-05 17:34:35 -05:00
-->
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: jackson-databind-2.10.5.1.jar
2019-12-05 17:34:35 -05:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<!-- CVE - 2022 - 42003 and CVE - 2022 - 42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-->
<cve > CVE-2022-42003</cve>
<cve > CVE-2022-42004</cve>
2020-03-10 13:55:41 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2020-03-10 13:55:41 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- Avatica server itself is not affected. Vulnerability exists only on client. -->
2020-03-10 13:55:41 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: avatica-server-1.23.0.jar
2020-03-10 13:55:41 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2022-36364</cve>
<cve > CVE-2022-39135</cve>
<cve > CVE-2020-13955</cve>
2019-12-05 17:34:35 -05:00
</suppress>
2020-03-16 12:42:33 -04:00
2023-12-05 00:00:35 -05:00
<!-- DoS when using expression evaluator.guess -->
2021-08-11 06:16:57 -04:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: janino-3.1.9.jar
2021-08-11 06:16:57 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2023-33546</cve>
2021-10-30 13:16:24 -04:00
</suppress>
2021-03-16 21:17:57 -04:00
2021-03-24 19:44:05 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- from extensions using hadoop - client - runtime, these dependencies are shaded in the jar -->
2021-08-11 06:16:57 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: hadoop-client-runtime-3.3.6.jar
2021-03-24 19:44:05 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE - 2022 - 26612 -->
<cve > CVE-2022-26612</cve>
<!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE - 2023 - 25613 -->
<cve > CVE-2023-25613</cve>
<cve > CVE-2023-2976</cve> <!-- hadoop - client - runtime isn't using com.google.common.io.FileBackedOutputStream -->
<!-- CVE from shaded dependency nimbus - jose - jwt, fixed in upcoming Hadoop release version -
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve > CVE-2023-1370</cve>
<cve > CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
<cve > CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve > CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet -->
<cve > CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet -->
2021-08-11 06:16:57 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
<!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
2021-08-11 06:16:57 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<notes > < ![CDATA[
file name: hadoop-*-3.3.1.jar
]]></notes>
<cve > CVE-2015-7430</cve>
<cve > CVE-2017-3162</cve>
<cve > CVE-2021-31684</cve>
<cve > CVE-2022-3509</cve>
<cve > CVE-2022-40152</cve>
</suppress>
2021-08-11 06:16:57 -04:00
2021-09-29 02:54:13 -04:00
<suppress >
2022-07-22 12:57:31 -04:00
<!--
1. hive-storage-api has the thrift vulnerability too
2. CVE-2021-34538 pertains to Hive server.
2022-09-06 02:16:56 -04:00
3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
2022-07-22 12:57:31 -04:00
-->
2021-09-29 02:54:13 -04:00
<notes > < ![CDATA[
file name: hive-storage-api-2.8.1.jar
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.hive.*</packageUrl>
2021-09-29 02:54:13 -04:00
<cve > CVE-2020-13949</cve>
2022-07-22 12:57:31 -04:00
<cve > CVE-2021-34538</cve>
2022-09-06 02:16:56 -04:00
<cve > CVE-2021-4125</cve>
2021-09-29 02:54:13 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2021-10-30 13:16:24 -04:00
<suppress >
<!-- These are for wildfly - openssl. -->
<notes > < ![CDATA[
file name: wildfly-openssl-1.0.7.Final.jar
]]></notes>
<cve > CVE-2020-10740</cve>
<cve > CVE-2020-25644</cve>
<cve > CVE-2020-10718</cve>
2022-12-17 09:39:52 -05:00
<cve > CVE-2022-1278</cve>
2021-10-30 13:16:24 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2021-10-30 13:16:24 -04:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: kafka-clients-3.2.0.jar
2021-10-30 13:16:24 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
<cve > CVE-2022-34917</cve>
<cve > CVE-2023-25194</cve>
2021-10-30 13:16:24 -04:00
</suppress>
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: woodstox-core-6.2.4.jar
2021-10-30 13:16:24 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2023-34411</cve>
2021-10-30 13:16:24 -04:00
</suppress>
2023-07-07 10:57:30 -04:00
2022-04-18 23:00:06 -04:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: spatial4j-0.7.jar:
]]></notes>
<cve > CVE-2014-125074</cve>
2022-04-18 23:00:06 -04:00
</suppress>
2022-04-21 11:48:20 -04:00
2022-07-22 12:57:31 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- Pulled in by io.kubernetes:client - java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
2022-07-22 12:57:31 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: jose4j-0.7.3.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
<cve > CVE-2023-31582</cve>
2022-07-22 12:57:31 -04:00
</suppress>
2022-05-19 01:51:48 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- okhttp -->
2022-05-19 01:51:48 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: okhttp-*.jar
2022-05-19 01:51:48 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2021-0341</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user - facing -->
<cve > CVE-2016-2402</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user - facing -->
<cve > CVE-2023-0833</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user - facing -->
2022-05-19 01:51:48 -04:00
</suppress>
<suppress >
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by updating curator - x - discovery to > 4.2.0 and updating hadoop -->
2022-05-19 01:51:48 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: jackson-mapper-asl-1.9.13.jar
2022-05-19 01:51:48 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl>
<cvssBelow > 10</cvssBelow> <!-- suppress all CVEs for jackson - mapper - asl:1.9.13 ince it is via curator - x - discovery -->
2022-05-19 01:51:48 -04:00
</suppress>
<suppress >
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
2022-05-19 01:51:48 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: netty-3.10.6.Final.jar
2022-05-19 01:51:48 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl>
<cve > CVE-2019-16869</cve>
<cve > CVE-2019-20444</cve>
<cve > CVE-2019-20445</cve>
<cve > CVE-2020-11612</cve>
<cve > CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA - 5mcr - gq6c - 3hq2 -->
<cve > CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA - wm47 - 8v5p - wjpj -->
<cve > CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA - f256 - j965 - 7f32 -->
<cve > CVE-2021-37136</cve>
<cve > CVE-2021-37137</cve>
<cve > CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA - wx5j - 54mm - rqqq -->
<cve > CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA - 269q - hmxg - m83q -->
<cve > CVE-2022-41881</cve>
<cve > CVE-2023-34462</cve> <!-- Suppressed since netty requests in Druid are internal, and not user - facing -->
2022-05-19 01:51:48 -04:00
</suppress>
2022-05-23 03:05:23 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by using com.datastax.oss:java - driver - core instead of com.netflix.astyanax:astyanax in extensions - contrib/cassandra - storage -->
2022-05-23 03:05:23 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: libthrift-0.6.1.jar
2022-05-23 03:05:23 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl>
<cve > CVE-2018-1320</cve>
<cve > CVE-2019-0205</cve>
2022-05-23 03:05:23 -04:00
</suppress>
2022-06-01 11:52:32 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by using com.datastax.oss:java - driver - core instead of com.netflix.astyanax:astyanax in extensions - contrib/cassandra - storage -->
2022-06-01 11:52:32 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: jettison-1.*.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
<cve > CVE-2022-40149</cve>
<cve > CVE-2022-40150</cve>
<cve > CVE-2022-45685</cve>
<cve > CVE-2022-45693</cve>
<cve > CVE-2023-1436</cve>
2022-06-01 11:52:32 -04:00
</suppress>
<suppress >
2023-12-05 00:00:35 -05:00
<!-- We need to wait for 17.0.0 of https://github.com/kubernetes - client/java/releases -->
<!-- We need to update several other components to move to Snakeyaml 2.0 to address CVE - 2022 - 1471 -->
<!-- Snakeyaml 1.33 added to dependencyManagement in main pom file -->
2022-06-01 11:52:32 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: snakeyaml-1.33.jar
]]></notes>
<cve > CVE-2022-1471</cve>
<!-- false positive -->
<cve > CVE-2023-2251</cve>
<cve > CVE-2022-3064</cve>
2022-06-01 11:52:32 -04:00
</suppress>
<suppress >
2023-12-05 00:00:35 -05:00
<notes > < ![CDATA[
file name: node-sass:4.13.1
The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455
But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on
Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
]]></notes>
<packageUrl regex= "true" > ^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName > CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
2022-06-01 11:52:32 -04:00
</suppress>
2022-08-10 04:48:19 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- (ranger, ambari, and aliyun - oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
<notes > < ![CDATA[
file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
<cve > CVE-2018-14718</cve>
<cve > CVE-2018-7489</cve>
<cve > CVE-2022-42003</cve>
<cve > CVE-2022-42004</cve>
2022-11-23 01:05:33 -05:00
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- Upgrading to libthrift - 0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now -->
<!-- valid issue, worth investigating overhauling to e.g., 0.19.0 -->
2022-11-23 01:05:33 -05:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: libthrift-0.13.0.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.thrift/libthrift@.*</packageUrl>
<cve > CVE-2020-13949</cve>
2022-08-10 04:48:19 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2022-09-23 06:53:26 -04:00
<suppress >
2023-12-05 00:00:35 -05:00
<!-- Non - applicable CVE for gson -->
2022-09-23 06:53:26 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: gson-*.jar
2022-09-23 06:53:26 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2022-25647</cve>
2022-09-23 06:53:26 -04:00
</suppress>
<suppress >
2023-12-05 00:00:35 -05:00
<!-- pac4j - core - 3.8.3 -->
2022-09-23 06:53:26 -04:00
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: pac4j-core-3.8.3.jar
2022-09-23 06:53:26 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<cve > CVE-2021-44878</cve>
2022-09-23 06:53:26 -04:00
</suppress>
2022-11-04 02:17:02 -04:00
<suppress >
<!-- package - lock.json?d3 - color -->
<notes > < ![CDATA[
file name: d3-color:2.0.0
]]></notes>
<!--
2023-02-01 07:18:41 -05:00
Not vulnerable to these as, we use d3-color on the client only.
2022-11-04 02:17:02 -04:00
-->
<packageUrl regex= "true" > ^pkg:npm/d3\-color@.*$</packageUrl>
<vulnerabilityName > 1084597</vulnerabilityName>
2023-02-01 07:18:41 -05:00
<vulnerabilityName > 1088594</vulnerabilityName>
2022-11-04 02:17:02 -04:00
</suppress>
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: d3-color:2.0.0
]]></notes>
<packageUrl regex= "true" > ^pkg:npm/d3\-color@.*$</packageUrl>
<vulnerabilityName > 1084597</vulnerabilityName>
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: protobuf-java-3.11.0.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
<cve > CVE-2022-3171</cve>
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: protobuf-java-util-3.11.0.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
<cve > CVE-2022-3171</cve>
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: ansi-regex:5.0.0
]]></notes>
<packageUrl regex= "true" > ^pkg:npm/ansi\-regex@.*$</packageUrl>
<vulnerabilityName > 1084697</vulnerabilityName>
<cve > CVE-2021-3807</cve>
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: glob-parent:5.1.1
]]></notes>
<packageUrl regex= "true" > ^pkg:npm/glob\-parent@.*$</packageUrl>
<vulnerabilityName > 1081884</vulnerabilityName>
<cve > CVE-2020-28469</cve>
</suppress>
2023-12-05 00:00:35 -05:00
2022-11-23 01:05:33 -05:00
<suppress >
<notes > < ![CDATA[
file name: minimatch:3.0.4
]]></notes>
<packageUrl regex= "true" > ^pkg:npm/minimatch@.*$</packageUrl>
<vulnerabilityName > 1084765</vulnerabilityName>
</suppress>
2023-12-05 00:00:35 -05:00
2023-05-11 02:08:05 -04:00
<suppress >
<!-- from extensions using hadoop - client - runtime, these dependencies are shaded in the jar -->
<notes > < ![CDATA[
2023-06-28 05:33:10 -04:00
file name: hadoop-client-runtime-3.3.6.jar
2023-05-11 02:08:05 -04:00
]]></notes>
<!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE - 2022 - 26612 -->
<cve > CVE-2022-26612</cve>
<!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE - 2023 - 25613 -->
<cve > CVE-2023-25613</cve>
2023-07-10 05:49:26 -04:00
<cve > CVE-2023-2976</cve> <!-- hadoop - client - runtime isn't using com.google.common.io.FileBackedOutputStream -->
2023-08-24 09:58:55 -04:00
<!-- CVE from shaded dependency nimbus - jose - jwt, fixed in upcoming Hadoop release version -
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve > CVE-2023-1370</cve>
<cve > CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
2023-10-04 02:29:01 -04:00
<cve > CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
2023-10-26 23:59:18 -04:00
<cve > CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet -->
2023-11-23 22:55:10 -05:00
<cve > CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet -->
2023-07-10 05:49:26 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2023-07-10 05:49:26 -04:00
<suppress >
<!-- from extensions using hadoop - client - api, these dependencies are shaded in the jar -->
<notes > < ![CDATA[
file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/jquery.datatables@1.10.18)
]]></notes>
<vulnerabilityName > prototype pollution</vulnerabilityName>
2023-10-26 23:59:18 -04:00
<cve > CVE-2020-28458</cve>
2023-05-11 02:08:05 -04:00
</suppress>
2023-12-05 00:00:35 -05:00
2023-07-10 05:49:26 -04:00
<!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 -->
<suppress >
<notes > < ![CDATA[
file name: plexus-utils-3.0.24.jar
file name: async-http-client-netty-utils-2.5.3.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/.*/.*@.*$</packageUrl>
<cve > CVE-2021-4277</cve>
</suppress>
2023-08-24 09:58:55 -04:00
<suppress >
<notes > < ![CDATA[
2023-12-05 00:00:35 -05:00
file name: okio-1.17.2.jar, okio-1.15.0.jar okio 2.8.0
2023-08-24 09:58:55 -04:00
]]></notes>
2023-12-05 00:00:35 -05:00
<packageUrl regex= "true" > ^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
2023-08-24 09:58:55 -04:00
<cve > CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user - facing -->
</suppress>
2023-09-25 02:44:42 -04:00
2023-10-04 02:29:01 -04:00
<!-- CVE - 2022 - 4244 is affecting plexus - utils package, plexus - interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base= "true" >
<packageUrl regex= "true" > ^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve > CVE-2022-4244</cve>
</suppress>
2023-10-26 23:59:18 -04:00
<!-- CVE - 2023 - 5072 has a too broad CPE that seems to be flagging dependencies like json - *. Neither Druid nor any of its
~ transitive dependency use json-java which contains the vulnerability-->
<suppress base= "true" >
<cve > CVE-2023-5072</cve>
</suppress>
<!--
~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
~ older ZK library is still compatible with.
-->
<suppress >
<notes > < ![CDATA[
2023-12-05 08:27:56 -05:00
file name: zookeeper-3.8.3.jar
2023-10-26 23:59:18 -04:00
]]></notes>
<cve > CVE-2023-44981</cve>
</suppress>
<!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
~ however Druid enables it in ChannelResourceFactory therefore this is a false positive-->
<suppress >
<notes > < ![CDATA[
file name: netty-transport-4.1.100.Final.jar
]]></notes>
<cve > CVE-2023-4586</cve>
</suppress>
2023-12-05 00:00:35 -05:00
<!-- druid cassandra storage exclusions -->
<suppress >
<!-- TODO: Fix by using com.datastax.oss:java - driver - core instead of com.netflix.astyanax:astyanax in extensions - contrib/cassandra - storage -->
<notes > < ![CDATA[
file name: libthrift-0.6.1.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve > CVE-2016-5397</cve>
<cve > CVE-2018-1320</cve>
<cve > CVE-2019-0205</cve>
<cve > CVE-2015-3254</cve>
</suppress>
<!-- mostly false positives, need to use dependencies from current decade -->
<suppress >
<notes > < ![CDATA[
file name: avro-1.4.0-cassandra-1.jar cassandra-all-1.0.8.jar
]]></notes>
<cve > CVE-2012-6708</cve>
<cve > CVE-2015-9251</cve>
<cve > CVE-2019-11358</cve>
<cve > CVE-2020-11022</cve>
<cve > CVE-2020-11023</cve>
<cve > CVE-2020-7656</cve>
<cve > CVE-2011-4969</cve>
<cve > CVE-2020-17516</cve>
<cve > CVE-2020-13946</cve>
</suppress>
<!-- end of druid cassandra storage exclusions -->
<!-- druid - cloudfiles - extensions exclusions -->
<suppress >
<!-- CVEs added for completeness in pretty much dead extension -->
<notes > < ![CDATA[
file name: openstack*-2.5.0.jar
]]></notes>
<cve > CVE-2020-12689</cve>
<cve > CVE-2020-12691</cve>
<cve > CVE-2020-12690</cve>
<cve > CVE-2021-3563</cve>
<cve > CVE-2016-0738</cve>
<cve > CVE-2017-16613</cve>
</suppress>
<!-- end of druid - cloudfiles - extensions exclusions -->
<!-- graphite - emitter exclusions -->
<suppress >
<!-- CVEs added for completeness -->
<notes > < ![CDATA[
file name: amqp-client-5.17.0.jar
]]></notes>
<cve > CVE-2023-46120</cve>
</suppress>
<!-- end of graphite - emitter exclusions -->
<!-- ambari - metics - emitter exclusions -->
<suppress >
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes > < ![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
<cve > CVE-2015-1776</cve>
<cve > CVE-2016-3086</cve>
<cve > CVE-2016-5393</cve>
<cve > CVE-2016-6811</cve>
<cve > CVE-2017-3162</cve>
<cve > CVE-2018-11768</cve>
<cve > CVE-2018-1296</cve>
<cve > CVE-2018-8009</cve>
<cve > CVE-2018-8029</cve>
</suppress>
<suppress >
<notes > < ![CDATA[
file name: log4j-1.2.17.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
<cve > CVE-2019-17571</cve>
<cve > CVE-2021-4104</cve>
<cve > CVE-2020-9493</cve>
<cve > CVE-2022-23307</cve>
<cve > CVE-2022-23305</cve>
<cve > CVE-2022-23302</cve>
<cve > CVE-2023-26464</cve>
</suppress>
<suppress >
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes > < ![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
<cve > CVE-2019-16869</cve>
<cve > CVE-2019-20444</cve>
<cve > CVE-2019-20445</cve>
<cve > CVE-2021-37136</cve>
<cve > CVE-2021-37137</cve>
<cve > CVE-2021-4104</cve>
<cve > CVE-2020-9493</cve>
<cve > CVE-2022-23307</cve>
<cve > CVE-2022-23305</cve>
<cve > CVE-2022-23302</cve>
<cve > CVE-2022-41881</cve>
<cve > CVE-2020-11612</cve>
</suppress>
<suppress >
<notes > < ![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar
]]></notes>
<cve > CVE-2022-45855</cve>
<cve > CVE-2022-42009</cve>
<!-- Suppress hadoop CVEs that not applicable to hadoop - annotations -->
<cve > CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop - annotations -->
<cve > CVE-2021-33036</cve> <!-- Only applicable to hadoop - yarn - server -->
<cve > CVE-2020-9492</cve> <!-- Applicable to webHDFS client -->
</suppress>
<!-- end of ambari - metics - emitter exclusions -->
<!-- aliyun - oss exclusions -->
<suppress >
<!-- Transitive dependency from aliyun - sdk - oss, -->
<notes > < ![CDATA[
file name: ini4j-0.5.4.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
<vulnerabilityName > CVE-2022-41404</vulnerabilityName>
</suppress>
<suppress >
<!-- Transitive dependency from aliyun - sdk - oss, there is currently no newer version of jdom2 as well -->
<notes > < ![CDATA[
file name: jdom2-2.0.6.jar
]]></notes>
<packageUrl regex= "true" > ^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
<cve > CVE-2021-33813</cve>
</suppress>
<!-- end of aliyun - oss exclusions -->
<!-- iceberg exclusions -->
<suppress >
<!-- Transitive dependency from aliyun - sdk - oss, there is currently no newer version of jdom2 as well -->
<notes > < ![CDATA[
file name: libfb303-0.9.3.jar libthrift-0.9.3.jar
]]></notes>
<cve > CVE-2016-5397</cve>
<cve > CVE-2018-1320</cve>
<cve > CVE-2019-0210</cve>
<cve > CVE-2020-13949</cve>
<cve > CVE-2019-0205</cve>
<cve > CVE-2019-0210</cve>
<cve > CVE-2020-13949</cve>
</suppress>
2019-12-05 17:34:35 -05:00
</suppressions>