Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)

Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
This commit is contained in:
zachjsh 2021-07-12 22:58:06 -04:00 committed by GitHub
parent 05d5dd9289
commit 73711a456a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 0 deletions

View File

@ -57,6 +57,19 @@
<cve>CVE-2020-12690</cve> <cve>CVE-2020-12690</cve>
<cve>CVE-2020-12691</cve> <cve>CVE-2020-12691</cve>
</suppress> </suppress>
<suppress>
<!--
~ CVE-2021-27568:
~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid
~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion
~ jobs which can only be run by admin type users.
-->
<notes><![CDATA[
file name: json-smart-2.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
<cve>CVE-2021-27568</cve>
</suppress>
<suppress> <suppress>