Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

suppress false positive cve (#11699) 

* suppress false positive cve

* update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
This commit is contained in:
Clint Wylie 2021-09-13 20:45:38 -07:00 committed by GitHub
parent 779fe8e6ad
commit 6b959f09e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
check_test_suite.py
View File

@ -29,7 +29,7 @@ always_run_jobs = ['license checks', '(openjdk8) packaging check', '(openjdk11)
ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore',
'.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker',
'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py',
'check_test_suite_test.py']
'check_test_suite_test.py', 'owasp-dependency-check-suppressions.xml']
# these files are docs changes
# if changes are limited to this set then we can skip web-console and java

2
check_test_suite_test.py
View File

@ -77,7 +77,7 @@ class CheckTestSuite(unittest.TestCase):
['check_test_suite_test.py'],
['website/core/Footer.js'],
['web-console/src/views/index.ts'],
['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html']
['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html', 'owasp-dependency-check-suppressions.xml']
]
some_java_diffs = [
['core/src/main/java/org/apache/druid/math/expr/Expr.java'],

10
owasp-dependency-check-suppressions.xml
View File

@ -26,6 +26,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<cve>CVE-2012-4449</cve>
<cve>CVE-2017-3162</cve>
<cve>CVE-2018-8009</cve>
</suppress>
<suppress>
<!-- druid-processing.jar is mistaken for org.processing:processing -->
@ -387,4 +388,13 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
<suppress>
<!--
the scanner misattributes this to Apache DataSketches
the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
because it seems nearly impossible for us to be affected by this
-->
<cve>CVE-2021-40531</cve>
</suppress>
</suppressions>