Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)

Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
2021-07-12 22:58:06 -04:00 · 2021-07-12 22:58:06 -04:00 · 73711a456a
parent 05d5dd9289
commit 73711a456a
1 changed files with 13 additions and 0 deletions
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@ -57,6 +57,19 @@
    <cve>CVE-2020-12690</cve>
    <cve>CVE-2020-12691</cve>
  </suppress>
+  <suppress>
+    <!--
+      ~ CVE-2021-27568:
+      ~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid
+      ~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion
+      ~ jobs which can only be run by admin type users.
+      -->
+    <notes><![CDATA[
+   file name: json-smart-2.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
+    <cve>CVE-2021-27568</cve>
+  </suppress>


  <suppress>