
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!--
OWASP dependency-check suppression rules (suppression schema 1.3, per the namespace above).
Each <suppress> pairs a package selector (<packageUrl>, literal or regex="true") with the
finding it silences: a <cpe> identification, a <cve> id, or a <vulnerabilityName>.
<notes> records the justification a reviewer needs to judge whether the entry is still valid.

Review guidance for this file:
* A suppression hides findings from the build. Keep every selector as narrow as its
  justification supports, and re-check an entry whenever the dependency is upgraded or the
  justification (shading, unused component, wrong product) changes.
* Entries using <cpe regex="true">^cpe:.*$</cpe> silence every CPE match for the selected
  packages, including matches that do not exist yet, and deserve periodic review.
* Several notes are version-scoped ("x.y.z and later") while the matching <packageUrl>
  regex ends in @.*$ and therefore covers every version; those entries carry a
  NOTE(review) comment below.
* The schema's until attribute on <suppress> (an xs:date) gives a suppression an expiry so
  that it is reconsidered rather than forgotten, e.g. <suppress until="YYYY-MM-DDZ"> with a
  real date substituted (placeholder shown).
* The file uses both <cve> and <vulnerabilityName> for CVE identifiers; <vulnerabilityName>
  also matches advisory names from sources other than the NVD, so the choice presumably
  follows which source reported the finding. Confirm before swapping one for the other.
-->
<!-- Project-internal modules: blanket CPE suppression because other project names embedded
     in NiFi artifact ids get matched to those products. Side effect: any CPE-based finding
     against a NiFi module is hidden as well, so NiFi's own advisories are not covered by
     this scan. -->
<suppress>
<notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
<notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
<packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress>
<notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
<packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<!-- Name collision: the artifact id "async" is matched to a CVE filed against the
     JavaScript async package. The next two entries suppress that single CVE only, scoped to
     one Maven artifact each. -->
<suppress>
<notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
<packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
<cve>CVE-2021-43138</cve>
</suppress>
<suppress>
<notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
<packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
<cve>CVE-2021-43138</cve>
</suppress>
<!-- Blanket CPE suppression (see file header): every CPE match for jetty-sslengine is
     hidden, not only the Jetty Server one named in the notes. -->
<suppress>
<notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
<notes>MySQL Binary Log Connector is incorrectly identified as MySQL server</notes>
<packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress>
<notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
<packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<suppress>
<notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
<cpe>cpe:/a:apache:zookeeper</cpe>
</suppress>
<!-- Legacy H2 version kept only for migration. The selector is a literal packageUrl pinned
     to exactly 1.4.200 (good), but the vulnerabilityName regex silences every CVE for it.
     The justification rests entirely on the shaded repackaging in nifi-h2-database
     excluding the vulnerable components; re-verify this entry whenever that module or its
     shading configuration changes, and consider an until="..." expiry. -->
<suppress>
<notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
<packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
<vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
</suppress>
<suppress>
<notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>
<suppress>
<notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
<packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
<cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
<!-- NOTE(review): the justification is scoped to Spring Web 5.3.20 and later, but the
     selector @.*$ matches every spring-web version. A downgrade below 5.3.20 would still be
     suppressed; narrow the version part of the regex or add an until="..." expiry. -->
<suppress>
<notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<!-- NOTE(review): same scope mismatch as the Spring Web entry above; the notes say 5.7.1 and
     later while the selector matches every spring-security-crypto version. -->
<suppress>
<notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
</suppress>
<suppress>
<notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
<!-- Blanket CPE suppression (see file header) for the Servlet API artifact published under
     the old Jetty groupId. -->
<suppress>
<notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<!-- The _2.13 suffix matched by the regex is the Scala binary version qualifier of the Spark
     artifact ids, not a Spark release; the notes' "Spark 2.13" should be read as "Spark
     artifacts built for Scala 2.13". -->
<suppress>
<notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
<cpe>cpe:/a:apache:spark</cpe>
</suppress>
<!-- Flume connector artifacts: each entry suppresses the CPE of the product the connector
     talks to (Hive, Kafka, HBase, Solr), scoped to a single Flume sink/source artifact. -->
<suppress>
<notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:hive</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Source</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache Kafka vulnerabilities do not apply to Flume Shared Kafka</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$</packageUrl>
<cpe>cpe:/a:apache:kafka</cpe>
</suppress>
<suppress>
<notes>Apache HBase vulnerabilities do not apply to Flume HBase Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:hbase</cpe>
</suppress>
<suppress>
<notes>Apache Solr vulnerabilities do not apply to Flume Solr Sink</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl>
<cpe>cpe:/a:apache:solr</cpe>
</suppress>
<!-- NOTE(review): the notes scope this to Xerces 2.12.2, but the selector matches every
     xercesImpl version; narrow the version part or add an until="..." expiry. -->
<suppress>
<notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
<packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
<cve>CVE-2017-10355</cve>
</suppress>
<!-- Four entries for the same CVE across Calcite subprojects (Avatica core, calcite-avatica,
     calcite-druid, avatica and avatica-metrics). Style note: the \/ and unescaped - in the
     last three selectors are equivalent to the / and \- used elsewhere in this file (both
     are literal characters outside a character class); only the notation differs. -->
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$</packageUrl>
<cve>CVE-2020-13955</cve>
</suppress>
<suppress>
<notes>OpenTSDB vulnerabilities do not apply to HBase Async library</notes>
<packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
<cpe>cpe:/a:opentsdb:opentsdb</cpe>
</suppress>
<suppress>
<notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus core library</notes>
<packageUrl regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
<cpe>cpe:/a:eclipse:equinox</cpe>
</suppress>
<!-- Two server-side HBase CVEs suppressed for the client artifact, one entry each. They
     could be folded into a single <suppress> with two <cve> children if the 1.3 schema
     permits repeated <cve> elements; confirm against the schema before merging. -->
<suppress>
<notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
<cve>CVE-2018-8025</cve>
</suppress>
<suppress>
<notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
<cve>CVE-2019-0212</cve>
</suppress>
<suppress>
<notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
<packageUrl regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
<vulnerabilityName>CVE-2014-3643</vulnerabilityName>
</suppress>
<suppress>
<notes>Fan Platform vulnerabilities do not apply to JUnit Platform libraries</notes>
<packageUrl regex="true">^pkg:maven/org\.junit\.platform/junit\-platform\-engine@.*$</packageUrl>
<cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
</suppress>
<suppress>
<notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
<cve>CVE-2007-6465</cve>
</suppress>
<suppress>
<notes>Pro Search vulnerabilities do not apply to Spatial4j</notes>
<packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
<cpe>cpe:/a:pro_search:pro_search</cpe>
</suppress>
<suppress>
<notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
<cve>CVE-2021-43045</cve>
</suppress>
<suppress>
<notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes>
<packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
<cve>CVE-2022-31159</cve>
</suppress>
</suppressions>