diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index cc4e9d198f7..3752b6c60ea 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -27,7 +27,7 @@ on:
jobs:
build:
- if: github.event_name == 'schedule'
+ if: (github.event_name == 'schedule' && github.repository == 'apache/druid')
name: build (jdk8)
runs-on: ubuntu-latest
steps:
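Review bot: The parentheses around the whole `if:` expression on `build` are redundant in GitHub Actions expression syntax; `if: github.event_name == 'schedule' && github.repository == 'apache/druid'` evaluates identically and matches how the other conditions in this file are written. The repository guard itself is the right fix for keeping the cron job from running in forks. A short comment such as `# scheduled runs are only meaningful in the canonical repo` above the condition would save the next reader from wondering whether the guard was added to work around a fork failure.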
@@ -107,10 +107,12 @@ jobs:
group: other
security_vulnerabilities:
+ if: github.repository == 'apache/druid'
name: security vulnerabilities
strategy:
+ fail-fast: false
matrix:
- HADOOP_PROFILE: [ '', '-Phadoop3' ]
+ HADOOP_PROFILE: [ '', '-Phadoop2' ]
runs-on: ubuntu-latest
steps:
- name: Checkout branch
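Review bot: Replacing `'-Phadoop3'` with `'-Phadoop2'` in the `HADOOP_PROFILE` matrix removes the Hadoop 3 dependency set from the vulnerability scan unless the empty profile `''` now resolves to Hadoop 3 by default, which cannot be confirmed from this hunk; if that is the intent, state it on the matrix line, e.g. `HADOOP_PROFILE: [ '', '-Phadoop2' ]  # '' = default profile, which presumably covers hadoop3`. `fail-fast: false` is a good addition for a scan job, since one failing leg no longer cancels the other and hides its findings. The new job-level `if:` carries only the repository half of the condition used on `build`; that looks deliberate for a cron-only workflow but is worth a comment.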
@@ -123,9 +125,11 @@ jobs:
distribution: 'zulu'
cache: maven
+ - name: maven build # needed to rebuild incase of maven snapshot resolution fails
+ run: mvn clean install dependency:go-offline -P dist -P skip-static-checks,skip-tests -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dweb.console.skip=true
+
- name: security vulnerabilities check
env:
- MVN: mvn --no-snapshot-updates
HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
run: |
mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "
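Review bot: Removing the `MVN: mvn --no-snapshot-updates` env entry while the `run:` block continues past the end of this hunk means any remaining `${MVN}` reference in that block now expands to an empty string and the command silently changes; the visible first line already calls `mvn` directly, so the rest of the block should be checked before merging. The new `maven build` step also means the artifact set that dependency-check inspects is whatever snapshot resolution produced at run time rather than what was already in the Maven cache, so a comment making that trade-off explicit would help the next person debugging a drifted scan result. The inline comment has a typo and should read `# needed to rebuild in case Maven snapshot resolution fails`, and the 170-character `run:` line would be easier to review as a `run: >-` folded scalar with one flag per line.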
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 207cafb3bf7..465d4cb0b1c 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -122,6 +122,8 @@
https://github.com/FasterXML/jackson-databind/issues/3328
-->
CVE-2021-46877
+
+ CVE-2023-35116
@@ -192,10 +194,14 @@
~ ... 27 more
-->
^pkg:maven/org\.hibernate/hibernate\-validator@.*$
CVE-2017-7536
+ CVE-2019-10219
+ CVE-2019-14900
+ CVE-2020-10693
CVE-2020-25638
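Review bot: The three CVEs added under `^pkg:maven/org\.hibernate/hibernate\-validator@.*$` inherit a package URL regex that matches every hibernate-validator version, so these findings stay silenced after any future upgrade or downgrade of the artifact; consider narrowing the regex to the version actually shipped, e.g. `@VERSION_IN_USE$` (placeholder for the real version), or add a notes entry stating why each CVE does not apply regardless of version. The same point applies to the five netty CVEs added in the next hunk, whose package URL element is outside that hunk and cannot be checked here. The surrounding XML element tags appear to have been stripped in this rendering, so existing notes text is not visible.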
@@ -216,8 +222,13 @@
CVE-2019-20444
CVE-2019-20445
CVE-2020-11612
+ CVE-2021-21290
+ CVE-2021-21295
+ CVE-2021-21409
CVE-2021-37136
CVE-2021-37137
+ CVE-2021-43797
+ CVE-2022-24823
CVE-2022-41881
@@ -799,6 +810,14 @@
CVE-2022-26612
CVE-2023-25613
+ CVE-2023-2976
+
+
+
+
+ prototype pollution
CVE-2021-40331
+
+
+
+
+ ^pkg:maven/.*/.*@.*$
+ CVE-2021-4277
+
+
+
+
+ ^pkg:maven/com\.google\.guava/guava@16.0.1$
+
+ CVE-2018-10237
+ CVE-2020-8908
+ CVE-2023-2976
+
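Review bot: The new entry matching `^pkg:maven/.*/.*@.*$` suppresses CVE-2021-4277 for every Maven artifact in the build, the broadest suppression in the file; if it is a scanner false positive from a CPE match unrelated to any Druid dependency, record that reasoning in the entry's notes, naming the vendor/product the CPE refers to, so a later reader can tell it is not hiding a real finding — the added lines around it are blank in this rendering, so it is not visible whether notes exist. The `^pkg:maven/com\.google\.guava/guava@16.0.1$` entry is correctly pinned to one version, but its notes should say which module still pulls 16.0.1 and why each of the three CVEs does not apply to that use. CVE-2023-2976 is also appended to the earlier list in this hunk, so it is now suppressed in two places; check that the two package scopes are meant to overlap.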