Fix CVE errors (#16147)

* Fix CVE errors * Update pac4j * Update nimbus.jose.jwt.version * Change pac4j version to 5.7.3 * Change pac4j version to 5.3.1 * Revert pac4j version change * Update pac4j comment
2024-04-05 17:53:09 +05:30 · 2024-04-05 17:53:09 +05:30 · af24cc88ce
parent f55c9e58a8
commit af24cc88ce
1 changed files with 28 additions and 0 deletions
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@ -664,4 +664,32 @@
    ]]></notes>
    <cve>CVE-2023-36415</cve>
  </suppress>
+  <suppress>
+    <!-- Used in Pac4j. Pac4j versions (such as v5.7.3) corresponding
+    to the safe nimbus-jose-jwt v9.37.2 are incompatible with druid as they don't support JDK 8
+    https://www.pac4j.org/docs/alldocs.html -->
+
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-8.22.1.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Used in Azure dependencies.
+    Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas bug resolved in 9.37.2 -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-9.30.2.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Legit issues but currently use the latest ranger-plugins-audit jar v2.4.0 -->
+    <notes><![CDATA[
+     file name: solr-solrj-8.11.2.jar
+     ]]></notes>
+    <cve>CVE-2023-50291</cve>
+    <cve>CVE-2023-50298</cve>
+    <cve>CVE-2023-50386</cve>
+    <cve>CVE-2023-50292</cve>
+  </suppress>
 </suppressions>