CVE suppression for various dependencies. (#17307)

This commit is contained in:
Karan Kumar 2024-10-09 18:07:09 +05:30 committed by GitHub
parent 88d26e4541
commit 4fdb38118a
1 changed files with 38 additions and 0 deletions


@ -137,6 +137,10 @@
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2024-7254</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-47554</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-47561</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
<cve>CVE-2024-29131</cve> <!-- This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
</suppress>
<!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
@ -708,4 +712,38 @@
]]></notes>
<vulnerabilityName>CVE-2022-1271</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta.el-3.0.4.jar
]]></notes>
<vulnerabilityName>CVE-2024-9329</vulnerabilityName>
</suppress>
<suppress>
<!-- The CVE is present in ORC module which cannot be upgraded since they have dropped support for java 8 -->
<notes><![CDATA[
file name: aircompressor-0.21.jar
]]></notes>
<vulnerabilityName>CVE-2024-36114</vulnerabilityName>
</suppress>
<suppress>
<!-- CVE-2022-4244 is affecting plexus-utils package,
plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
<notes><![CDATA[
file name: plexus-component-annotations-1.7.1.jar
]]></notes>
<vulnerabilityName>CVE-2022-4244</vulnerabilityName>
</suppress>
<suppress>
<!-- Not affected by this CVE since we donot use lucene directly-->
<notes><![CDATA[
file name: lucene-core-8.4.0.jar
]]></notes>
<vulnerabilityName>CVE-2024-45772</vulnerabilityName>
</suppress>
</suppressions>
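Review bot: The four new `<suppress>` entries in the second hunk (jakarta.el, aircompressor, plexus-component-annotations, lucene-core) contain only `<notes>` and `<vulnerabilityName>`, and the file name inside `<notes>` is informational, so each rule appears to suppress its CVE for every dependency in the scan rather than for the named jar alone. Each entry should gain a scoping element taken from the report, e.g. `<filePath regex="true">.*jakarta\.el-3\.0\.4\.jar$</filePath>` (or a `<sha1>` / `<packageUrl>`), placed after the `<notes>` block, and likewise for the other three jars. The four `<cve>` lines added in the first hunk are each commented as a legitimate vulnerability waiting on the hadoop-client 3.4 upgrade, so an expiry on their enclosing rule, `<suppress until="YYYY-MM-DD">` (date to be chosen), would make the findings resurface once the upgrade lands instead of staying hidden indefinitely; that enclosing `<suppress>` opens above the hunk, so whether it is already scoped by a `<packageUrl>` cannot be confirmed from here. The comment for CVE-2024-45772 should also be justified per the ORC/Hadoop pattern used above it, since "we do not use lucene directly" does not by itself rule out a transitive code path.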