Suppress false CVEs (#13026)

* Suppress CVEs

* Add more suppressions
Abhishek Agarwal 2022-09-06 11:46:56 +05:30 committed by GitHub
parent 6805a7f9c2
commit 7d332c6f6a
4 changed files with 41 additions and 2 deletions


@ -241,6 +241,13 @@
</ignoredUnusedDeclaredDependencies>
</configuration>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
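Review bot: `<skip>true</skip>` on dependency-check-maven switches the scanner off for this module entirely, which is broader than the per-CVE suppressions the commit title describes: any future vulnerable dependency in this module will go unreported, and nothing in the hunk records why that is acceptable. The same block is added in the next two file sections (the profile-scoped plugin and the third pom's new `<build>` section), so the point applies there as well. A short comment above the plugin, e.g. `<!-- dependency-check skipped: REASON-PLACEHOLDER (#13026) -->`, or scoping the unwanted findings through the shared suppression file instead of skipping the plugin, would let a reader distinguish an intentional opt-out from an accidental one.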


@ -225,6 +225,13 @@ Reference: https://dzone.com/articles/build-docker-image-from-maven
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</profile>


@ -153,4 +153,16 @@
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</project>


@ -49,15 +49,18 @@
<cve>CVE-2017-16613</cve>
</suppress>
<suppress>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<notes><![CDATA[
file name: openstack-keystone-1.9.3.jar
file name: openstack-keystone-1.9.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<cve>CVE-2015-7546</cve>
<cve>CVE-2020-12689</cve>
<cve>CVE-2020-12690</cve>
<cve>CVE-2020-12691</cve>
<!-- This CVE affects the server -->
<cve>CVE-2021-3563</cve>
</suppress>
<suppress>
<!--
@ -213,6 +216,14 @@
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
<cve>CVE-2017-18640</cve>
<cve>CVE-2022-25857</cve>
</suppress>
<suppress>
<!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
<notes><![CDATA[
file name: snakeyaml-1.27.jar
]]></notes>
<cve>CVE-2022-25857</cve>
</suppress>
<suppress>
<notes><![CDATA[
@ -446,6 +457,7 @@
<!--
1. hive-storage-api has the thrift vulnerability too
2. CVE-2021-34538 pertains to Hive server.
3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
-->
<notes><![CDATA[
file name: hive-storage-api-2.8.1.jar
@ -453,6 +465,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl>
<cve>CVE-2020-13949</cve>
<cve>CVE-2021-34538</cve>
<cve>CVE-2021-4125</cve>
</suppress>
<suppress>
<!--
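Review bot: The new `<suppress>` for snakeyaml-1.27.jar (hunk `@ -213,6 +216,14`) carries only a `<notes>` block and no `<packageUrl>`, `<gav>`, `<sha1>` or `<filePath>`; as far as I know the suppression schema, notes are not a match criterion, so a rule without one of those identifiers suppresses CVE-2022-25857 for every dependency in the scan rather than just that jar. Scoping it like the sibling rule directly above, `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1\.27$</packageUrl>`, keeps the suppression to the artifact the notes name. Since the comment marks the rule as temporary (waiting on kubernetes-client 17.0.0), an `until="YYYY-MM-DD"` attribute on that `<suppress>` would make the scanner resurface the finding automatically instead of relying on someone remembering to remove it. In the first hunk the comment `These CVEs are for the python SDK, but Druid uses the Java SDK` now appears twice inside the same openstack-keystone rule; one of the two can go.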