Suppress false CVEs (#13026)

* Suppress CVEs

* Add more suppressions
Abhishek Agarwal 2022-09-06 11:46:56 +05:30 committed by GitHub
parent 6805a7f9c2
commit 7d332c6f6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 41 additions and 2 deletions


@ -241,6 +241,13 @@
</ignoredUnusedDeclaredDependencies> </ignoredUnusedDeclaredDependencies>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins> </plugins>
</build> </build>
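Review bot: The new `dependency-check-maven` block disables the scanner for this whole module without recording why, which hides every finding in it rather than suppressing one identified false positive the way the entries in the shared suppressions file do. Add the justification directly above the setting, e.g. `<!-- OWASP dependency-check skipped: <reason>, see #13026; revisit if this module's artifacts ship in the distribution -->`, so a later reader can tell whether the skip is still valid. If the module's dependencies do end up in a shipped artifact, a scoped `<suppress>` entry with a `<packageUrl>` and an `until` date is the safer alternative to a module-wide skip.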


@ -225,6 +225,13 @@ Reference: https://dzone.com/articles/build-docker-image-from-maven
</executions> </executions>
</plugin> </plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins> </plugins>
</build> </build>
</profile> </profile>
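Review bot: The skip sits inside a `<profile>` (the hunk closes with `</profile>`), so dependency-check is only disabled while that profile is active and still runs against this module's default build; if the intent is to exclude the module entirely the plugin configuration belongs in the module's main `<build>`, and if it is deliberately profile-only a comment above `<skip>true</skip>` should say so. As written nothing records the reason for the skip. No `<version>` is given either, so the plugin version presumably comes from the parent's `pluginManagement`; worth confirming that the root pom declares it there rather than letting Maven pick the latest.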


@ -153,4 +153,16 @@
</dependency> </dependency>
</dependencies> </dependencies>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</project> </project>
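Review bot: This pom gains a `<build>` section solely to switch dependency-check off, and because the skip is unconditional every dependency this module picks up in the future is left unscanned as well. Record the reason next to the setting, e.g. `<!-- OWASP dependency-check skipped: <reason> (see #13026) -->`, so the exemption can be re-evaluated later. Since the commit title describes these as false CVEs, a scoped suppression in the shared suppressions file for the specific artifact would keep the rest of the module's dependency tree covered.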


@ -49,15 +49,18 @@
<cve>CVE-2017-16613</cve> <cve>CVE-2017-16613</cve>
</suppress> </suppress>
<suppress> <suppress>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<notes><![CDATA[ <notes><![CDATA[
file name: openstack-keystone-1.9.3.jar file name: openstack-keystone-1.9.1.jar
]]></notes> ]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl> <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<cve>CVE-2015-7546</cve> <cve>CVE-2015-7546</cve>
<cve>CVE-2020-12689</cve> <cve>CVE-2020-12689</cve>
<cve>CVE-2020-12690</cve> <cve>CVE-2020-12690</cve>
<cve>CVE-2020-12691</cve> <cve>CVE-2020-12691</cve>
<!-- This CVE affects the server -->
<cve>CVE-2021-3563</cve>
</suppress> </suppress>
<suppress> <suppress>
<!-- <!--
@ -213,6 +216,14 @@
]]></notes> ]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl> <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
<cve>CVE-2017-18640</cve> <cve>CVE-2017-18640</cve>
<cve>CVE-2022-25857</cve>
</suppress>
<suppress>
<!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
<notes><![CDATA[
file name: snakeyaml-1.27.jar
]]></notes>
<cve>CVE-2022-25857</cve>
</suppress> </suppress>
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
@ -446,6 +457,7 @@
<!-- <!--
1. hive-storage-api has the thrift vulnerability too 1. hive-storage-api has the thrift vulnerability too
2. CVE-2021-34538 pertains to Hive server. 2. CVE-2021-34538 pertains to Hive server.
3. CVE-2021-4125 only applies to the OpenShift Metering hive container images
--> -->
<notes><![CDATA[ <notes><![CDATA[
file name: hive-storage-api-2.8.1.jar file name: hive-storage-api-2.8.1.jar
@ -453,6 +465,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl> <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl>
<cve>CVE-2020-13949</cve> <cve>CVE-2020-13949</cve>
<cve>CVE-2021-34538</cve> <cve>CVE-2021-34538</cve>
<cve>CVE-2021-4125</cve>
</suppress> </suppress>
<suppress> <suppress>
<!-- <!--
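Review bot: The new `<suppress>` for snakeyaml-1.27.jar (second hunk, right after the snakeyaml@1.6 entry) carries only `<notes>` and `<cve>`; `<notes>` is documentation, not a matcher, so with no `<packageUrl>`, `<gav>`, `<sha1>` or `<filePath>` this entry suppresses CVE-2022-25857 for every dependency in the build, not just the jar pulled in by the Kubernetes client. Scope it the way the neighbouring entries are, e.g. `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1\.27$</packageUrl>`. The comment also says the team is waiting on a kubernetes-client release, i.e. this is a real finding being deferred rather than a false positive, so give it an expiry, `<suppress until="YYYY-MM-DD">`, so the scan reopens it if the upgrade slips. The same CVE is added to the snakeyaml@1.6 entry in that hunk; if the existing notes above the hunk do not already explain why 1.6 is considered unaffected, a one-line note there would help future triage.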