nifi/nifi-dependency-check-maven/suppressions.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
        <cpe regex="true">^cpe:.*$</cpe>
    </suppress>
    <suppress>
        <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
        <cpe regex="true">^cpe:.*$</cpe>
    </suppress>
    <suppress>
        <notes>MySQL Binary Log Connector is incorrectly identified as MySQL server</notes>
        <packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
        <cpe>cpe:/a:mysql:mysql</cpe>
    </suppress>
    <suppress>
        <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
        <cpe>cpe:/a:apache:zookeeper</cpe>
    </suppress>
    <suppress>
        <notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
        <packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
        <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
        <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
        <cpe regex="true">^cpe:.*$</cpe>
    </suppress>
    <suppress>
        <notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
        <cpe>cpe:/a:apache:spark</cpe>
    </suppress>
    <suppress>
        <notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:hive</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Source</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache Kafka vulnerabilities do not apply to Flume Shared Kafka</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$</packageUrl>
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
    <suppress>
        <notes>Apache HBase vulnerabilities do not apply to Flume HBase Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:hbase</cpe>
    </suppress>
    <suppress>
        <notes>Apache Solr vulnerabilities do not apply to Flume Solr Sink</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl>
        <cpe>cpe:/a:apache:solr</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
        <cve>CVE-2017-10355</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes>CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$</packageUrl>
        <cve>CVE-2020-13955</cve>
    </suppress>
    <suppress>
        <notes>OpenTSDB vulnerabilities do not apply to HBase Async library</notes>
        <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
        <cpe>cpe:/a:opentsdb:opentsdb</cpe>
    </suppress>
    <suppress>
        <notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus core library</notes>
        <packageUrl regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
        <cpe>cpe:/a:eclipse:equinox</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
        <cve>CVE-2018-8025</cve>
    </suppress>
    <suppress>
        <notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
        <cve>CVE-2019-0212</cve>
    </suppress>
    <suppress>
        <notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
        <packageUrl regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
        <vulnerabilityName>CVE-2014-3643</vulnerabilityName>
    </suppress>
    <suppress>
        <notes>Fan Platform vulnerabilities do not apply to JUnit Platform libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.junit\.platform/junit\-platform\-engine@.*$</packageUrl>
        <cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
        <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
        <cve>CVE-2007-6465</cve>
    </suppress>
    <suppress>
        <notes>Pro Search vulnerabilities do not apply to Spatial4j</notes>
        <packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
        <cpe>cpe:/a:pro_search:pro_search</cpe>
    </suppress>
    <suppress>
        <notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
        <cve>CVE-2021-43045</cve>
    </suppress>
    <suppress>
        <notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes>
        <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
        <cve>CVE-2022-31159</cve>
    </suppress>
    <suppress>
        <notes>Hive vulnerabilities do not apply to Iceberg Hive Metadata</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
        <cpe>cpe:/a:apache:hive</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
        <cve>CVE-2020-7009</cve>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
        <cve>CVE-2020-7014</cve>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
    </suppress>
    <suppress>
        <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
        <cpe>cpe:/a:apache:apache_http_server</cpe>
    </suppress>
</suppressions>