NIFI-10118 Upgraded OWASP Dependency Check from 7.1.0 to 7.1.1

This closes #6127 Signed-off-by: David Handermann <exceptionfactory@apache.org>
2025-02-28 22:49:10 +00:00 · 2022-06-14 15:51:22 -05:00 · 2022-06-14 15:51:22 -05:00 · 6c6cb99b38
commit 6c6cb99b38
parent d298a3ab83
2 changed files with 36 additions and 1 deletions
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@ -59,4 +59,39 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
        <cpe>cpe:/a:apache:zookeeper</cpe>
    </suppress>
+    <suppress>
+        <notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
+        <packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
+        <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
+        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
+        <packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
+        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
+        <cpe>cpe:/a:vmware:spring_security</cpe>
+    </suppress>
+    <suppress>
+        <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
+        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
+        <cpe regex="true">^cpe:.*$</cpe>
+    </suppress>
 </suppressions>
--- a/pom.xml
+++ b/pom.xml
@ -1245,7 +1245,7 @@
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
-                        <version>7.1.0</version>
+                        <version>7.1.1</version>
                        <executions>
                            <execution>
                                <inherited>false</inherited>