Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nifi/nifi-dependency-check-maven/suppressions.xml

313 lines
16 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
<notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<cve>CVE-2017-10355</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
<cve>CVE-2007-6465</cve>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
<cve>CVE-2022-30187</cve>
</suppress>
<suppress>
<notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
<cve>CVE-2010-1151</cve>
</suppress>
<suppress>
<notes>CVE-2018-14335 applies to H2 running with a web server console enabled</notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>
<suppress>
<notes>The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
<suppress>
<notes>Google BigQuery Storage is not the same as the gGRPC framework library</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress>
<notes>Google PubSubLite is not the same as the gRPC framework library</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
</suppress>
<suppress>
<notes>CVE-2020-9040 applies to Couchbase Server not the client library</notes>
<packageUrl regex="true">^pkg:maven/com\.couchbase\.client/core\-io@.*$</packageUrl>
<vulnerabilityName>CVE-2020-9040</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
<cve>CVE-2022-41881</cve>
</suppress>
<suppress>
<notes>CVE-2021-34538 applies to Apache Hive server not the Storage API library</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
<cve>CVE-2021-34538</cve>
</suppress>
<suppress>
<notes>Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress>
<notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2023-25194 applies to Kafka Connect workers not client libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
<cve>CVE-2023-25194</cve>
</suppress>
<suppress>
<notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
<cve>CVE-2022-24823</cve>
</suppress>
<suppress>
<notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
<cve>CVE-2022-41915</cve>
</suppress>
<suppress>
<notes>CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
<cve>CVE-2023-34462</cve>
</suppress>
<suppress>
<notes>The Square Wire framework is not the same as the Wire secure communication application</notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
<cpe>cpe:/a:wire:wire</cpe>
</suppress>
<suppress>
<notes>Avro project vulnerabilities do not apply to Parquet Avro</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl>
<cpe>cpe:/a:avro_project:avro</cpe>
</suppress>
<suppress>
<notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve>CVE-2016-5397</cve>
</suppress>
<suppress>
<notes>CVE-2019-0210 applies to Apache Thrift Go server not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve>CVE-2019-0210</cve>
</suppress>
<suppress>
<notes>CVE-2018-11798 applies Apache Thrift Node.js not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve>CVE-2018-11798</cve>
</suppress>
<suppress>
<notes>CVE-2019-11939 applies to Thrift Servers in Go not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-11939</cve>
</suppress>
<suppress>
<notes>CVE-2019-3552 applies to Thrift Servers in CPP not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3552</cve>
</suppress>
<suppress>
<notes>CVE-2019-3553 applies to Thrift Servers in CPP not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3553</cve>
</suppress>
<suppress>
<notes>CVE-2019-3558 applies to Thrift Servers in Python not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3558</cve>
</suppress>
<suppress>
<notes>CVE-2019-3564 applies to Thrift Servers in Go not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3564</cve>
</suppress>
<suppress>
<notes>CVE-2019-3565 applies to Thrift Servers in CPP not Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3565</cve>
</suppress>
<suppress>
<notes>CVE-2021-24028 applies to Facebook Thrift CPP</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2021-24028</cve>
</suppress>
<suppress>
<notes>CVE-2019-11938 applies to Facebook Thrift Servers</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-11938</cve>
</suppress>
<suppress>
<notes>CVE-2019-3559 applies to Facebook Thrift Servers</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cve>CVE-2019-3559</cve>
</suppress>
<suppress>
<notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
<cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
<suppress>
<notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
<cve>CVE-2023-37475</cve>
</suppress>
<suppress>
<notes>CVE-2023-36415 applies to Azure Identity for Python not Java</notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
<cve>CVE-2023-36415</cve>
</suppress>
<suppress>
<notes>CVE-2020-13949 applies to Thrift and not to Hive</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
<suppress>
<notes>CVE-2023-44487 applies to netty-codec-http2 as a Server</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress>
<notes>Parquet MR vulnerabilities do not apply to other Parquet libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
<cpe>cpe:/a:apache:parquet-mr</cpe>
</suppress>
<suppress>
<notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress>
<notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2019-11358</cve>
</suppress>
<suppress>
<notes>CVE-2020-11022 applies to bundled copies of jQuery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2020-11022</cve>
</suppress>
<suppress>
<notes>CVE-2020-11023 applies to bundled copies of jQuery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2020-11023</cve>
</suppress>
<suppress>
<notes>CVE-2011-4969 applies to bundled copies of jQUery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2011-4969</cve>
</suppress>
<suppress>
<notes>CVE-2012-6708 applies to bundled copies of jQUery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2012-6708</cve>
</suppress>
<suppress>
<notes>CVE-2015-9251 applies to bundled copies of jQUery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2015-9251</cve>
</suppress>
<suppress>
<notes>CVE-2020-7656 applies to bundled copies of jQUery not used in the project</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<cve>CVE-2020-7656</cve>
</suppress>
<suppress>
<notes>jQuery vulnerability warning for historical versions</notes>
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
<vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2023-44487 references gRPC for Go</notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress>
<notes>Guava temporary directory file creation is not used</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2023-2976</cve>
</suppress>
<suppress>
<notes>Guava temporary directory file creation is not used</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2020-8908</cve>
</suppress>
<suppress>
<notes>CVE-2023-36052 applies to Azure CLI not Azure Java libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
<cve>CVE-2023-36052</cve>
</suppress>
<suppress>
<notes>software.amazon.ion:ion-java is newer than com.amazonaws.ion:ion-java and does not share the same vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
<cpe>cpe:/a:amazon:ion</cpe>
</suppress>
<suppress>
<notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/spec\.alpha@.*$</packageUrl>
<cve>CVE-2017-20189</cve>
</suppress>
<suppress>
<notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
<packageUrl regex="true">^pkg:maven/org\.clojure/core\.specs\.alpha@.*$</packageUrl>
<cve>CVE-2017-20189</cve>
</suppress>
<suppress>
<notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
<cpe>cpe:/a:apache:hadoop</cpe>
</suppress>
<suppress>
<notes>CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr</notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$</packageUrl>
<vulnerabilityName>CVE-2024-22201</vulnerabilityName>
</suppress>
</suppressions>
Reference in New Issue View Git Blame Copy Permalink