Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nifi/nifi-dependency-check-maven/suppressions.xml

203 lines
10 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
<notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
<notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
<packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
<vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
<vulnerabilityName>CVE-2022-45868</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
</suppress>
<suppress>
<notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
<cpe>cpe:/a:apache:spark</cpe>
</suppress>
<suppress>
<notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:hive</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Source</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Shared Kafka</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache HBase vulnerabilities do not apply to Flume HBase Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:hbase</cpe>
</suppress>
<suppress>
<notes>Apache Solr vulnerabilities do not apply to Flume Solr Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:solr</cpe>
</suppress>
<suppress>
<notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<cve>CVE-2017-10355</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>OpenTSDB vulnerabilities do not apply to HBase Async library</notes>
<packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
<cpe>cpe:/a:opentsdb:opentsdb</cpe>
</suppress>
<suppress>
<notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus core library</notes>
<packageUrl regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
<cpe>cpe:/a:eclipse:equinox</cpe>
</suppress>
<suppress>
<notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
<cve>CVE-2018-8025</cve>
</suppress>
<suppress>
<notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
<cve>CVE-2019-0212</cve>
</suppress>
<suppress>
<notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
<packageUrl regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
<vulnerabilityName>CVE-2014-3643</vulnerabilityName>
</suppress>
<suppress>
<notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
<cve>CVE-2007-6465</cve>
</suppress>
<suppress>
<notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
<cve>CVE-2021-43045</cve>
</suppress>
<suppress>
<notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
<cve>CVE-2022-31159</cve>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
<cve>CVE-2020-7009</cve>
</suppress>
<suppress>
<notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
<cve>CVE-2020-7014</cve>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
</suppress>
<suppress>
<notes>CVE-2022-45046 description notes that the initial issue was not a security vulnerability</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
<cve>CVE-2022-45046</cve>
</suppress>
<suppress>
<notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers</notes>
<packageUrl regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
<cve>CVE-2020-36632</cve>
</suppress>
<suppress>
<notes>CVE-2018-8015 applies to Apache ORC not to Apache Iceberg</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
<cve>CVE-2018-8015</cve>
</suppress>
<suppress>
<notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
<cve>CVE-2022-39135</cve>
</suppress>
</suppressions>
Reference in New Issue View Git Blame Copy Permalink