mirror of https://github.com/apache/nifi.git
249 lines
12 KiB
XML
249 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
this work for additional information regarding copyright ownership.
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
(the "License"); you may not use this file except in compliance with
|
|
the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
|
<suppress>
|
|
<notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
|
|
<cpe regex="true">^cpe:.*$</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
|
|
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
|
|
<cpe regex="true">^cpe:/a:elastic.*$</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
|
|
<cve>CVE-2022-30187</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2018-14335 applies to H2 running with a web server console enabled</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
|
|
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
|
|
<cpe>cpe:/a:apache:tomcat</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Google BigQuery Storage is not the same as the gGRPC framework library</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
|
|
<cpe>cpe:/a:grpc:grpc</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Google PubSubLite is not the same as the gRPC framework library</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
|
|
<cpe>cpe:/a:grpc:grpc</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2021-34538 applies to Apache Hive server not the Storage API library</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
|
|
<cve>CVE-2021-34538</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
|
<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>The Square Wire framework is not the same as the Wire secure communication application</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
|
|
<cpe>cpe:/a:wire:wire</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Avro project vulnerabilities do not apply to Parquet Avro</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl>
|
|
<cpe>cpe:/a:avro_project:avro</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
|
|
<cve>CVE-2016-5397</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-0210 applies to Apache Thrift Go server not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
|
|
<cve>CVE-2019-0210</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2018-11798 applies Apache Thrift Node.js not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
|
|
<cve>CVE-2018-11798</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-11939 applies to Thrift Servers in Go not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-11939</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3552 applies to Thrift Servers in CPP not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3552</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3553 applies to Thrift Servers in CPP not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3553</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3558 applies to Thrift Servers in Python not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3558</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3564 applies to Thrift Servers in Go not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3564</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3565 applies to Thrift Servers in CPP not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3565</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2021-24028 applies to Facebook Thrift CPP</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2021-24028</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-11938 applies to Facebook Thrift Servers</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-11938</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-3559 applies to Facebook Thrift Servers</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
|
|
<cve>CVE-2019-3559</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
|
|
<cve>CVE-2023-37475</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2023-36415 applies to Azure Identity for Python not Java</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
|
|
<cve>CVE-2023-36415</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2020-13949 applies to Thrift and not to Hive</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
|
|
<cve>CVE-2020-13949</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Parquet MR vulnerabilities do not apply to other Parquet libraries</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
|
|
<cpe>cpe:/a:apache:parquet-mr</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2019-11358</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2020-11022 applies to bundled copies of jQuery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2020-11022</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2020-11023 applies to bundled copies of jQuery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2020-11023</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2011-4969 applies to bundled copies of jQUery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2011-4969</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2012-6708 applies to bundled copies of jQUery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2012-6708</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2015-9251 applies to bundled copies of jQUery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2015-9251</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2020-7656 applies to bundled copies of jQUery not used in the project</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<cve>CVE-2020-7656</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2023-44487 references gRPC for Go</notes>
|
|
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
|
|
<cve>CVE-2023-44487</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Guava temporary directory file creation is not used</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
|
|
<cve>CVE-2023-2976</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Guava temporary directory file creation is not used</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
|
|
<cve>CVE-2020-8908</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_25@.*$</packageUrl>
|
|
<cpe>cpe:/a:apache:hadoop</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
|
|
<vulnerabilityName>CVE-2024-23081</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
|
|
<vulnerabilityName>CVE-2024-23082</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2023-7272 applies to Eclipse Parrson not javax.json</notes>
|
|
<packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
|
|
<vulnerabilityName>CVE-2023-7272</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2024-43591 applies to Azure CLI not azure-core-amqp</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
|
|
<cpe>cpe:/a:microsoft:azure_cli</cpe>
|
|
<cve>CVE-2024-43591</cve>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>jquery is not used although bundled in Hadoop avro-ipc libraries</notes>
|
|
<packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
|
|
<vulnerabilityName>jquery issue: 162</vulnerabilityName>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>Google OpenTelemetry shared-resourcemapping versions do not align with base OpenTelemetry versions leading to false positives</notes>
|
|
<packageUrl regex="true">^pkg:maven/com\.google\.cloud\.opentelemetry/.*$</packageUrl>
|
|
<cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
|
|
</suppress>
|
|
<suppress>
|
|
<notes>CVE-2024-35255 is resolved in msal4j 1.15.1 and the CPE for other languages does not apply</notes>
|
|
<cve>CVE-2024-35255</cve>
|
|
<cpe>cpe:/a:microsoft:authentication_library:*:*:*:*:*:.net:*:*</cpe>
|
|
</suppress>
|
|
</suppressions>
|