suppress false positive cve (#11699)

* suppress false positive cve

* update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
This commit is contained in:
Clint Wylie 2021-09-13 20:45:38 -07:00 committed by GitHub
parent 779fe8e6ad
commit 6b959f09e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 2 deletions

View File

@ -29,7 +29,7 @@ always_run_jobs = ['license checks', '(openjdk8) packaging check', '(openjdk11)
ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore', ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore',
'.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker', '.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker',
'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py', 'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py',
'check_test_suite_test.py'] 'check_test_suite_test.py', 'owasp-dependency-check-suppressions.xml']
# these files are docs changes # these files are docs changes
# if changes are limited to this set then we can skip web-console and java # if changes are limited to this set then we can skip web-console and java

View File

@ -77,7 +77,7 @@ class CheckTestSuite(unittest.TestCase):
['check_test_suite_test.py'], ['check_test_suite_test.py'],
['website/core/Footer.js'], ['website/core/Footer.js'],
['web-console/src/views/index.ts'], ['web-console/src/views/index.ts'],
['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html'] ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html', 'owasp-dependency-check-suppressions.xml']
] ]
some_java_diffs = [ some_java_diffs = [
['core/src/main/java/org/apache/druid/math/expr/Expr.java'], ['core/src/main/java/org/apache/druid/math/expr/Expr.java'],

View File

@ -26,6 +26,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl> <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<cve>CVE-2012-4449</cve> <cve>CVE-2012-4449</cve>
<cve>CVE-2017-3162</cve> <cve>CVE-2017-3162</cve>
<cve>CVE-2018-8009</cve>
</suppress> </suppress>
<suppress> <suppress>
<!-- druid-processing.jar is mistaken for org.processing:processing --> <!-- druid-processing.jar is mistaken for org.processing:processing -->
@ -387,4 +388,13 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl> <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
<cve>CVE-2020-13949</cve> <cve>CVE-2020-13949</cve>
</suppress> </suppress>
<suppress>
<!--
the scanner misattributes this to Apache DataSketches
the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
because it seems nearly impossible for us to be affected by this
-->
<cve>CVE-2021-40531</cve>
</suppress>
</suppressions> </suppressions>