Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
druid/owasp-dependency-check-supp...

634 lines
23 KiB
XML
Raw Normal View History

Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- False positives -->
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: json-path-2.3.0.jar jackson-core-2.12.7.jar
]]></notes>
<cve>CVE-2022-45688</cve>
<cve>CVE-2023-35116</cve>
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
</suppress>
Fixing security vulnerability check errors (#13956) * Fixing security vulnerability check errors * Updating javax.el to jakarta.el * Adding cron job trigger on changes to suppressions file
2023-03-23 01:40:06 -04:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: grpc-context-1.27.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc-context@1.27.2$</packageUrl>
<cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 -->
<cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 -->
<cve>CVE-2023-32732</cve>
Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438) Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
2021-07-12 22:58:06 -04:00
</suppress>
Fixing security vulnerability check errors (#13956) * Fixing security vulnerability check errors * Updating javax.el to jakarta.el * Adding cron job trigger on changes to suppressions file
2023-03-23 01:40:06 -04:00
Suppress Hadoop and jose4j cve (#15425) Changes - Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses - Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
2023-11-23 22:55:10 -05:00
<suppress>
<!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: commons-compress-1.23.0.jar
Suppress Hadoop and jose4j cve (#15425) Changes - Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses - Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
2023-11-23 22:55:10 -05:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2023-42503</cve>
Suppress Hadoop and jose4j cve (#15425) Changes - Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses - Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
2023-11-23 22:55:10 -05:00
</suppress>
Address CVE-2020-8570, suppress CVE-2020-8554 (#10826) * Address CVE-2020-8570, suppress CVE-2020-8554 * Update licenses.yaml
2021-02-03 18:17:06 -05:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: guava-31.1-jre.jar
]]></notes>
<cve>CVE-2020-8908</cve>
Address CVE-2020-8570, suppress CVE-2020-8554 (#10826) * Address CVE-2020-8570, suppress CVE-2020-8554 * Update licenses.yaml
2021-02-03 18:17:06 -05:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- CVE-2022-4244 is affecting plexus-utils package,
plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base="true">
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
<cve>CVE-2022-4245</cve>
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Suppress false CVEs (#13026) * Suppress CVEs * Add more suppressions
2022-09-06 02:16:56 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- This presumably applies to maven build system -->
Suppress false CVEs (#13026) * Suppress CVEs * Add more suppressions
2022-09-06 02:16:56 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: maven-settings
]]></notes>
<cve>CVE-2021-26291</cve>
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- LDAP authentication check bypass FP no exploitability analysis -->
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: derby-10.14.2.0.jar
]]></notes>
<cve>CVE-2022-46337</cve>
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- False positive fixed in 9.4.52
https://nvd.nist.gov/vuln/detail/CVE-2023-36479 -->
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: jetty-servlets-9.4.53.v20231009.jar
]]></notes>
<cve>CVE-2023-36479</cve>
Ignore CVEs from htrace and ambari transitive deps (#10353) * Ignore CVEs from htrace and ambari transitive deps htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained. * Fix compilation issue from ambari upgrade * Add missing test coverage
2020-09-04 18:22:26 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
<suppress>
<!--
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
the suppressions here aren't currently applicable, but can be resolved once we update the version
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
-->
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: jackson-databind-2.10.5.1.jar
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-->
<cve>CVE-2022-42003</cve>
<cve>CVE-2022-42004</cve>
Suppress CVEs for htrace-core4 and openstack-swift (#9489) CVE-2013-7109 can be ignored for openstack-swift as it is for the python SDK and druid uses the java SDK. The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for now as fixing them requires updating the hadoop version.
2020-03-10 13:55:41 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Suppress CVEs for htrace-core4 and openstack-swift (#9489) CVE-2013-7109 can be ignored for openstack-swift as it is for the python SDK and druid uses the java SDK. The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for now as fixing them requires updating the hadoop version.
2020-03-10 13:55:41 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- Avatica server itself is not affected. Vulnerability exists only on client. -->
Suppress CVEs for htrace-core4 and openstack-swift (#9489) CVE-2013-7109 can be ignored for openstack-swift as it is for the python SDK and druid uses the java SDK. The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for now as fixing them requires updating the hadoop version.
2020-03-10 13:55:41 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: avatica-server-1.23.0.jar
Suppress CVEs for htrace-core4 and openstack-swift (#9489) CVE-2013-7109 can be ignored for openstack-swift as it is for the python SDK and druid uses the java SDK. The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for now as fixing them requires updating the hadoop version.
2020-03-10 13:55:41 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2022-36364</cve>
<cve>CVE-2022-39135</cve>
<cve>CVE-2020-13955</cve>
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
</suppress>
Suppress CWE-400 for node-sass:4.13.1 (#9517) The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455 But the dependency check plugin thinks its still broken as the affected/fixed versions has not been updated yet on Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
2020-03-16 12:42:33 -04:00
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- DoS when using expression evaluator.guess -->
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: janino-3.1.9.jar
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2023-33546</cve>
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
</suppress>
suppress (#11002)
2021-03-16 21:17:57 -04:00
Suppress CVEs for Solr and org.codehaus.jackson (#11030) * Suppress CVEs for Solr and org.codehaus.jackson * add a comment
2021-03-24 19:44:05 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar -->
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: hadoop-client-runtime-3.3.6.jar
Suppress CVEs for Solr and org.codehaus.jackson (#11030) * Suppress CVEs for Solr and org.codehaus.jackson * add a comment
2021-03-24 19:44:05 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
<cve>CVE-2022-26612</cve>
<!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
<cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream -->
<!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version -
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<notes><![CDATA[
file name: hadoop-*-3.3.1.jar
]]></notes>
<cve>CVE-2015-7430</cve>
<cve>CVE-2017-3162</cve>
<cve>CVE-2021-31684</cve>
<cve>CVE-2022-3509</cve>
<cve>CVE-2022-40152</cve>
</suppress>
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)
2021-08-11 06:16:57 -04:00
suppress hive-storage-api thrift security vulnerability (#11753)
2021-09-29 02:54:13 -04:00
<suppress>
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
<!--
1. hive-storage-api has the thrift vulnerability too
2. CVE-2021-34538 pertains to Hive server.
Suppress false CVEs (#13026) * Suppress CVEs * Add more suppressions
2022-09-06 02:16:56 -04:00
3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
-->
suppress hive-storage-api thrift security vulnerability (#11753)
2021-09-29 02:54:13 -04:00
<notes><![CDATA[
file name: hive-storage-api-2.8.1.jar
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/org\.apache\.hive.*</packageUrl>
suppress hive-storage-api thrift security vulnerability (#11753)
2021-09-29 02:54:13 -04:00
<cve>CVE-2020-13949</cve>
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
<cve>CVE-2021-34538</cve>
Suppress false CVEs (#13026) * Suppress CVEs * Add more suppressions
2022-09-06 02:16:56 -04:00
<cve>CVE-2021-4125</cve>
suppress hive-storage-api thrift security vulnerability (#11753)
2021-09-29 02:54:13 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
<suppress>
<!-- These are for wildfly-openssl. -->
<notes><![CDATA[
file name: wildfly-openssl-1.0.7.Final.jar
]]></notes>
<cve>CVE-2020-10740</cve>
<cve>CVE-2020-25644</cve>
<cve>CVE-2020-10718</cve>
Suppress CVE-2022-1278, CVE-2022-2048, CVE-2022-3509, CVE-2022-40152 (#13590)
2022-12-17 09:39:52 -05:00
<cve>CVE-2022-1278</cve>
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: kafka-clients-3.2.0.jar
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
<cve>CVE-2022-34917</cve>
<cve>CVE-2023-25194</cve>
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
</suppress>
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: woodstox-core-6.2.4.jar
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2023-34411</cve>
Support for hadoop 3 via maven profiles (#11794) Add support for hadoop 3 profiles . Most of the details are captured in #11791 . We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 13:16:24 -04:00
</suppress>
CVE fixes - update of multiple dependencies. (#14519) Apache Druid brings multiple direct and transitive dependencies that are affected by plethora of CVEs. This PR attempts to update all the dependencies that did not require code refactoring. This PR modifies pom files, license file and OWASP Dependency Check suppression file.
2023-07-07 10:57:30 -04:00
Suppress CVE-2021-43138 (#12437) * Suppress CVE-2021-43138 * revert netty 3.10.5.Final
2022-04-18 23:00:06 -04:00
<suppress>
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: spatial4j-0.7.jar:
]]></notes>
<cve>CVE-2014-125074</cve>
Suppress CVE-2021-43138 (#12437) * Suppress CVE-2021-43138 * revert netty 3.10.5.Final
2022-04-18 23:00:06 -04:00
</suppress>
Supress CVE 2022 26612 (#12463) * supress CVE-2022-26612 * adding packageUrl * suppressing CVE-2022-26612 * adding packageUrl * moving to hadoop section
2022-04-21 11:48:20 -04:00
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: jose4j-0.7.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
<cve>CVE-2023-31582</cve>
Suppress some false alarm CVEs (#12812) This commit suppresses the following CVEs: - CVE-2021-43138: false alarm for async-http-client - CVE-2021-34538: applicable to Hive server - CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure - CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 12:57:31 -04:00
</suppress>
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- okhttp -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: okhttp-*.jar
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2021-0341</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
<cve>CVE-2016-2402</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
<cve>CVE-2023-0833</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
</suppress>
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: jackson-mapper-asl-1.9.13.jar
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 ince it is via curator-x-discovery -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
</suppress>
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: netty-3.10.6.Final.jar
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl>
<cve>CVE-2019-16869</cve>
<cve>CVE-2019-20444</cve>
<cve>CVE-2019-20445</cve>
<cve>CVE-2020-11612</cve>
<cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 -->
<cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj -->
<cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32 -->
<cve>CVE-2021-37136</cve>
<cve>CVE-2021-37137</cve>
<cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
<cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
<cve>CVE-2022-41881</cve>
<cve>CVE-2023-34462</cve> <!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
CVE suppression (#12535)
2022-05-19 01:51:48 -04:00
</suppress>
Suppress CVEs (#12553)
2022-05-23 03:05:23 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
Suppress CVEs (#12553)
2022-05-23 03:05:23 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: libthrift-0.6.1.jar
Suppress CVEs (#12553)
2022-05-23 03:05:23 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl>
<cve>CVE-2018-1320</cve>
<cve>CVE-2019-0205</cve>
Suppress CVEs (#12553)
2022-05-23 03:05:23 -04:00
</suppress>
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: jettison-1.*.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
<cve>CVE-2022-40149</cve>
<cve>CVE-2022-40150</cve>
<cve>CVE-2022-45685</cve>
<cve>CVE-2022-45693</cve>
<cve>CVE-2023-1436</cve>
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
</suppress>
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
<!-- We need to update several other components to move to Snakeyaml 2.0 to address CVE-2022-1471 -->
<!-- Snakeyaml 1.33 added to dependencyManagement in main pom file -->
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: snakeyaml-1.33.jar
]]></notes>
<cve>CVE-2022-1471</cve>
<!-- false positive -->
<cve>CVE-2023-2251</cve>
<cve>CVE-2022-3064</cve>
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
</suppress>
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<notes><![CDATA[
file name: node-sass:4.13.1
The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455
But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on
Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
]]></notes>
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
Suppress CVEs (#12590)
2022-06-01 11:52:32 -04:00
</suppress>
Suppress CVEs - Avatica, Postgres (#12884)
2022-08-10 04:48:19 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
<notes><![CDATA[
file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
<cve>CVE-2018-14718</cve>
<cve>CVE-2018-7489</cve>
<cve>CVE-2022-42003</cve>
<cve>CVE-2022-42004</cve>
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
<!-- valid issue, worth investigating overhauling to e.g., 0.19.0 -->
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: libthrift-0.13.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*</packageUrl>
<cve>CVE-2020-13949</cve>
Suppress CVEs - Avatica, Postgres (#12884)
2022-08-10 04:48:19 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- Non-applicable CVE for gson -->
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: gson-*.jar
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2022-25647</cve>
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
</suppress>
<suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- pac4j-core-3.8.3 -->
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
<notes><![CDATA[
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
file name: pac4j-core-3.8.3.jar
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<cve>CVE-2021-44878</cve>
Suppress Calcite CVE (#13119) * Suppress Calcite CVE * Update comment
2022-09-23 06:53:26 -04:00
</suppress>
Suppressing package-lock.json?d3-color vulnerability (#13301)
2022-11-04 02:17:02 -04:00
<suppress>
<!-- package-lock.json?d3-color -->
<notes><![CDATA[
file name: d3-color:2.0.0
]]></notes>
<!--
Suppress CVEs (#13733)
2023-02-01 07:18:41 -05:00
Not vulnerable to these as, we use d3-color on the client only.
Suppressing package-lock.json?d3-color vulnerability (#13301)
2022-11-04 02:17:02 -04:00
-->
<packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
<vulnerabilityName>1084597</vulnerabilityName>
Suppress CVEs (#13733)
2023-02-01 07:18:41 -05:00
<vulnerabilityName>1088594</vulnerabilityName>
Suppressing package-lock.json?d3-color vulnerability (#13301)
2022-11-04 02:17:02 -04:00
</suppress>
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: d3-color:2.0.0
]]></notes>
<packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
<vulnerabilityName>1084597</vulnerabilityName>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: protobuf-java-3.11.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
<cve>CVE-2022-3171</cve>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: protobuf-java-util-3.11.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
<cve>CVE-2022-3171</cve>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: ansi-regex:5.0.0
]]></notes>
<packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
<vulnerabilityName>1084697</vulnerabilityName>
<cve>CVE-2021-3807</cve>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: glob-parent:5.1.1
]]></notes>
<packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
<vulnerabilityName>1081884</vulnerabilityName>
<cve>CVE-2020-28469</cve>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Port CVE suppressions from 24.0.1 (#13415) * Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d) * Suppress CVEs (cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f) * Suppress vulnerabilities from druid-website package (cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e) * Add more suppressions for website package (cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
2022-11-23 01:05:33 -05:00
<suppress>
<notes><![CDATA[
file name: minimatch:3.0.4
]]></notes>
<packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl>
<vulnerabilityName>1084765</vulnerabilityName>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
suppress hadoop3 cve that seem not applicable to us (#14252)
2023-05-11 02:08:05 -04:00
<suppress>
<!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar -->
<notes><![CDATA[
update hadoop version to 3.3.6 (#14489)
2023-06-28 05:33:10 -04:00
file name: hadoop-client-runtime-3.3.6.jar
suppress hadoop3 cve that seem not applicable to us (#14252)
2023-05-11 02:08:05 -04:00
]]></notes>
<!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
<cve>CVE-2022-26612</cve>
<!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
Suppress CVEs (#14291) Address various CVEs by upgrading dependencies or adding suppression with a justification
2023-07-10 05:49:26 -04:00
<cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream -->
Fix reported CVEs (#14882) Suppress CVEs from dependencies with no available fix or false positives hadoop-annotations: CVE-2022-25168, CVE-2021-33036 hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475 okio: CVE-2023-3635 Upgrade grpc version to fix CVE-2023-33953
2023-08-24 09:58:55 -04:00
<!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version -
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
Resolve reported CVEs (#15081)
2023-10-04 02:29:01 -04:00
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
Suppress CVE's in master (#15231)
2023-10-26 23:59:18 -04:00
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
Suppress Hadoop and jose4j cve (#15425) Changes - Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses - Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
2023-11-23 22:55:10 -05:00
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
Suppress CVEs (#14291) Address various CVEs by upgrading dependencies or adding suppression with a justification
2023-07-10 05:49:26 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Suppress CVEs (#14291) Address various CVEs by upgrading dependencies or adding suppression with a justification
2023-07-10 05:49:26 -04:00
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
<notes><![CDATA[
file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/jquery.datatables@1.10.18)
]]></notes>
<vulnerabilityName>prototype pollution</vulnerabilityName>
Suppress CVE's in master (#15231)
2023-10-26 23:59:18 -04:00
<cve>CVE-2020-28458</cve>
suppress hadoop3 cve that seem not applicable to us (#14252)
2023-05-11 02:08:05 -04:00
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
Suppress CVEs (#14291) Address various CVEs by upgrading dependencies or adding suppression with a justification
2023-07-10 05:49:26 -04:00
<!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 -->
<suppress>
<notes><![CDATA[
file name: plexus-utils-3.0.24.jar
file name: async-http-client-netty-utils-2.5.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
Fix reported CVEs (#14882) Suppress CVEs from dependencies with no available fix or false positives hadoop-annotations: CVE-2022-25168, CVE-2021-33036 hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475 okio: CVE-2023-3635 Upgrade grpc version to fix CVE-2023-33953
2023-08-24 09:58:55 -04:00
update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449) Update of direct dependencies: * kubernetes java-client to 19.0.0 * docker-java-bom to 3.3.4 In order to update transitive dependencies: * okio to 3.6.0 * bcjava to 1.76 To address CVES: - CVE-2023-3635 in okio - CVE-2023-33201 in bcjava --------- Co-authored-by: Xavier Léauté <xvrl@apache.org>
2023-12-12 17:27:57 -05:00
<!-- the remaining uses of vulnerable okio are in contrib-extensions -->
Fix reported CVEs (#14882) Suppress CVEs from dependencies with no available fix or false positives hadoop-annotations: CVE-2022-25168, CVE-2021-33036 hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475 okio: CVE-2023-3635 Upgrade grpc version to fix CVE-2023-33953
2023-08-24 09:58:55 -04:00
<suppress>
<notes><![CDATA[
update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449) Update of direct dependencies: * kubernetes java-client to 19.0.0 * docker-java-bom to 3.3.4 In order to update transitive dependencies: * okio to 3.6.0 * bcjava to 1.76 To address CVES: - CVE-2023-3635 in okio - CVE-2023-33201 in bcjava --------- Co-authored-by: Xavier Léauté <xvrl@apache.org>
2023-12-12 17:27:57 -05:00
file name: okio-1.17.2.jar, okio-1.15.0.jar
Fix reported CVEs (#14882) Suppress CVEs from dependencies with no available fix or false positives hadoop-annotations: CVE-2022-25168, CVE-2021-33036 hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475 okio: CVE-2023-3635 Upgrade grpc version to fix CVE-2023-33953
2023-08-24 09:58:55 -04:00
]]></notes>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
Fix reported CVEs (#14882) Suppress CVEs from dependencies with no available fix or false positives hadoop-annotations: CVE-2022-25168, CVE-2021-33036 hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475 okio: CVE-2023-3635 Upgrade grpc version to fix CVE-2023-33953
2023-08-24 09:58:55 -04:00
<cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing -->
</suppress>
skip org.owasp:dependency-check on extensions-contrib modules and suppress false-positive gRPC CVEs (#15026)
2023-09-25 02:44:42 -04:00
Resolve reported CVEs (#15081)
2023-10-04 02:29:01 -04:00
<!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<suppress base="true">
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
<cve>CVE-2022-4244</cve>
</suppress>
Suppress CVE's in master (#15231)
2023-10-26 23:59:18 -04:00
<!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its
~ transitive dependency use json-java which contains the vulnerability-->
<suppress base="true">
<cve>CVE-2023-5072</cve>
</suppress>
<!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
~ however Druid enables it in ChannelResourceFactory therefore this is a false positive-->
<suppress>
<notes><![CDATA[
file name: netty-transport-4.1.100.Final.jar
]]></notes>
<cve>CVE-2023-4586</cve>
</suppress>
cleanup already resolved CVEs (#15447) Remove the crud from the dependency-check suppression file
2023-12-05 00:00:35 -05:00
<!-- druid cassandra storage exclusions -->
<suppress>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
<notes><![CDATA[
file name: libthrift-0.6.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve>CVE-2016-5397</cve>
<cve>CVE-2018-1320</cve>
<cve>CVE-2019-0205</cve>
<cve>CVE-2015-3254</cve>
</suppress>
<!-- mostly false positives, need to use dependencies from current decade -->
<suppress>
<notes><![CDATA[
file name: avro-1.4.0-cassandra-1.jar cassandra-all-1.0.8.jar
]]></notes>
<cve>CVE-2012-6708</cve>
<cve>CVE-2015-9251</cve>
<cve>CVE-2019-11358</cve>
<cve>CVE-2020-11022</cve>
<cve>CVE-2020-11023</cve>
<cve>CVE-2020-7656</cve>
<cve>CVE-2011-4969</cve>
<cve>CVE-2020-17516</cve>
<cve>CVE-2020-13946</cve>
</suppress>
<!-- end of druid cassandra storage exclusions -->
<!-- druid-cloudfiles-extensions exclusions -->
<suppress>
<!-- CVEs added for completeness in pretty much dead extension -->
<notes><![CDATA[
file name: openstack*-2.5.0.jar
]]></notes>
<cve>CVE-2020-12689</cve>
<cve>CVE-2020-12691</cve>
<cve>CVE-2020-12690</cve>
<cve>CVE-2021-3563</cve>
<cve>CVE-2016-0738</cve>
<cve>CVE-2017-16613</cve>
</suppress>
<!-- end of druid-cloudfiles-extensions exclusions -->
<!-- graphite-emitter exclusions -->
<suppress>
<!-- CVEs added for completeness -->
<notes><![CDATA[
file name: amqp-client-5.17.0.jar
]]></notes>
<cve>CVE-2023-46120</cve>
</suppress>
<!-- end of graphite-emitter exclusions -->
<!-- ambari-metics-emitter exclusions -->
<suppress>
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes><![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
<cve>CVE-2015-1776</cve>
<cve>CVE-2016-3086</cve>
<cve>CVE-2016-5393</cve>
<cve>CVE-2016-6811</cve>
<cve>CVE-2017-3162</cve>
<cve>CVE-2018-11768</cve>
<cve>CVE-2018-1296</cve>
<cve>CVE-2018-8009</cve>
<cve>CVE-2018-8029</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: log4j-1.2.17.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
<cve>CVE-2019-17571</cve>
<cve>CVE-2021-4104</cve>
<cve>CVE-2020-9493</cve>
<cve>CVE-2022-23307</cve>
<cve>CVE-2022-23305</cve>
<cve>CVE-2022-23302</cve>
<cve>CVE-2023-26464</cve>
</suppress>
<suppress>
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes><![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
<cve>CVE-2019-16869</cve>
<cve>CVE-2019-20444</cve>
<cve>CVE-2019-20445</cve>
<cve>CVE-2021-37136</cve>
<cve>CVE-2021-37137</cve>
<cve>CVE-2021-4104</cve>
<cve>CVE-2020-9493</cve>
<cve>CVE-2022-23307</cve>
<cve>CVE-2022-23305</cve>
<cve>CVE-2022-23302</cve>
<cve>CVE-2022-41881</cve>
<cve>CVE-2020-11612</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar
]]></notes>
<cve>CVE-2022-45855</cve>
<cve>CVE-2022-42009</cve>
<!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->
<cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop-annotations -->
<cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server -->
<cve>CVE-2020-9492</cve> <!-- Applicable to webHDFS client -->
</suppress>
<!-- end of ambari-metics-emitter exclusions -->
<!-- aliyun-oss exclusions -->
<suppress>
<!-- Transitive dependency from aliyun-sdk-oss, -->
<notes><![CDATA[
file name: ini4j-0.5.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
<vulnerabilityName>CVE-2022-41404</vulnerabilityName>
</suppress>
<suppress>
<!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
<notes><![CDATA[
file name: jdom2-2.0.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
<cve>CVE-2021-33813</cve>
</suppress>
<!-- end of aliyun-oss exclusions -->
<!-- iceberg exclusions -->
<suppress>
<!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
<notes><![CDATA[
file name: libfb303-0.9.3.jar libthrift-0.9.3.jar
]]></notes>
<cve>CVE-2016-5397</cve>
<cve>CVE-2018-1320</cve>
<cve>CVE-2019-0210</cve>
<cve>CVE-2020-13949</cve>
<cve>CVE-2019-0205</cve>
<cve>CVE-2019-0210</cve>
<cve>CVE-2020-13949</cve>
</suppress>
Address security vulnerabilities CVSS >= 7 (#8980) * Address security vulnerabilities CVSS >= 7 Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1 * Rename EDL1 license file * Fix inspection errors
2019-12-05 17:34:35 -05:00
</suppressions>