Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Suppress Hadoop and jose4j cve (#15425) 

Changes
- Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses
- Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
This commit is contained in:
Kashif Faraz 2023-11-24 09:25:10 +05:30 committed by GitHub
parent 386cdb95e7
commit 75d6993da9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
owasp-dependency-check-suppressions.xml
View File

@ -87,6 +87,15 @@
<cve>CVE-2022-42004</cve> <cve>CVE-2022-42004</cve>
</suppress> </suppress>
<suppress>
<!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
<notes><![CDATA[
file name: jose4j-0.7.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
<cve>CVE-2023-31582</cve>
</suppress>
<suppress> <suppress>
<!-- Not much for us to do as a user of the client lib, and no patch is available, <!-- Not much for us to do as a user of the client lib, and no patch is available,
@ -760,6 +769,7 @@
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 --> <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo --> <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
</suppress> </suppress>
<suppress> <suppress>
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar --> <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->