Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572)

This commit is contained in:
Jonathan Wei 2021-08-11 05:16:57 -05:00 committed by GitHub
parent 640f63094a
commit 2a6421d0d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
owasp-dependency-check-suppressions.xml
View File

@ -262,6 +262,18 @@
<cve>CVE-2019-12399</cve>
<cve>CVE-2018-17196</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger 2.1 is released
- transitive dep from apache-ranger, upgrading to 2.1.0 adds other CVEs, staying at ranger 2.0.0 for now
-->
<notes><![CDATA[
file name: kafka-clients-2.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
<cve>CVE-2019-12399</cve>
<cve>CVE-2018-17196</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger is released with updated log4j
@ -344,13 +356,35 @@
</suppress>
<suppress>
<notes><![CDATA[
<!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
<notes><![CDATA[
file name: solr-solrj-7.7.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
<cve>CVE-2020-13957</cve>
<cve>CVE-2019-17558</cve>
<cve>CVE-2019-0193</cve>
<cve>CVE-2020-13941</cve>
<packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
<cve>CVE-2020-13957</cve>
<cve>CVE-2019-17558</cve>
<cve>CVE-2019-0193</cve>
<cve>CVE-2020-13941</cve>
<cve>CVE-2021-29943</cve>
<cve>CVE-2021-27905</cve>
<cve>CVE-2021-29262</cve>
</suppress>
<suppress>
<!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
<notes><![CDATA[
file name: jdom2-2.0.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
<cve>CVE-2021-33813</cve>
</suppress>
<suppress>
<!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
<notes><![CDATA[
file name: libthrift-0.13.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
</suppressions>