NIFI-13148 Excluded unused xmlunit dependency from nifi-registry-test

This closes #8750. - Updated OWASP Dependency Check Suppression configuration to remove non-applicable suppressions Signed-off-by: Joseph Witt <joewitt@apache.org>
2024-05-06 11:23:01 -05:00 · 2024-05-06 11:23:01 -05:00 · 68a885d390
parent 7a6c26fd96
commit 68a885d390
2 changed files with 13 additions and 38 deletions
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@ -24,11 +24,6 @@
        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
        <cve>CVE-2017-10355</cve>
    </suppress>
-    <suppress>
-        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
-        <cve>CVE-2020-13955</cve>
-    </suppress>
    <suppress>
        <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
        <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
@ -104,11 +99,6 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
        <cve>CVE-2023-25194</cve>
    </suppress>
-    <suppress>
-        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
-        <cve>CVE-2022-24823</cve>
-    </suppress>
    <suppress>
        <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
@ -189,11 +179,6 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
        <cve>CVE-2019-3559</cve>
    </suppress>
-    <suppress>
-        <notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes>
-        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
-        <cpe>cpe:/a:eclipse:jetty</cpe>
-    </suppress>
    <suppress>
        <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
@ -219,11 +204,6 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
        <cpe>cpe:/a:apache:parquet-mr</cpe>
    </suppress>
-    <suppress>
-        <notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
-        <cpe>cpe:/a:apache:hadoop</cpe>
-    </suppress>
    <suppress>
        <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
@ -284,29 +264,19 @@
        <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
        <cve>CVE-2023-36052</cve>
    </suppress>
-    <suppress>
-        <notes>software.amazon.ion:ion-java is newer than com.amazonaws.ion:ion-java and does not share the same vulnerabilities</notes>
-        <packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
-        <cpe>cpe:/a:amazon:ion</cpe>
-    </suppress>
-    <suppress>
-        <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
-        <packageUrl regex="true">^pkg:maven/org\.clojure/spec\.alpha@.*$</packageUrl>
-        <cve>CVE-2017-20189</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
-        <packageUrl regex="true">^pkg:maven/org\.clojure/core\.specs\.alpha@.*$</packageUrl>
-        <cve>CVE-2017-20189</cve>
-    </suppress>
    <suppress>
        <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
        <cpe>cpe:/a:apache:hadoop</cpe>
    </suppress>
    <suppress>
-        <notes>CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr</notes>
-        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$</packageUrl>
-        <vulnerabilityName>CVE-2024-22201</vulnerabilityName>
+        <notes>CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
+        <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
+        <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
    </suppress>
 </suppressions>
--- a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
@ -31,6 +31,11 @@
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
+                <!-- XML Unit is not used -->
+                <exclusion>
+                    <groupId>org.xmlunit</groupId>
+                    <artifactId>xmlunit-core</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>
        <dependency>