Suppress CVEs (#14648)

CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing. CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal
2023-07-25 13:37:50 +05:30 · 2023-07-25 13:37:50 +05:30 · 6566bda57c
parent 2f9619a96f
commit 6566bda57c
1 changed files with 2 additions and 0 deletions
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@ -230,6 +230,7 @@
    <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
    <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
    <cve>CVE-2022-41881</cve>
+    <cve>CVE-2023-34462</cve>	<!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
  </suppress>
  <suppress>
    <!-- TODO: Fix by upgrading hadoop-auth version -->
@ -688,6 +689,7 @@
   file name: okhttp-*.jar
   ]]></notes>
    <cve>CVE-2021-0341</cve>
+    <cve>CVE-2016-2402</cve>	<!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
  </suppress>

  <suppress>