This is an automated email from the ASF dual-hosted git repository.

shoothzj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new f8eb7a06a6 build: remove stale owasp suppressions (#4369)
f8eb7a06a6 is described below

commit f8eb7a06a683e690e8a70b5bd72927e4df70aa51
Author: ZhangJian He <[email protected]>
AuthorDate: Fri May 17 15:08:17 2024 +0800

    build: remove stale owasp suppressions (#4369)
    
    Signed-off-by: ZhangJian He <[email protected]>
---
 src/owasp-dependency-check-suppressions.xml | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/src/owasp-dependency-check-suppressions.xml 
b/src/owasp-dependency-check-suppressions.xml
index ef8dd4e960..a141bb39be 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -22,21 +22,6 @@
 <suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
     <!-- add supressions for known vulnerabilities detected by OWASP 
Dependency Check -->
 
-    <!-- matches BK's http server against apache's http server CVEs -->
-    <suppress>
-        <notes><![CDATA[
-   file name: org.apache.bookkeeper.http:http-server:4.15.0-SNAPSHOT
-   ]]></notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.bookkeeper\.http/http\-server@.*$</packageUrl>
-        <cpe>cpe:/a:apache:http_server</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: org.apache.bookkeeper.http:vertx-http-server:4.15.0-SNAPSHOT
-   ]]></notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.bookkeeper\.http/vertx\-http\-server@.*$</packageUrl>
-        <cve>CVE-2009-1890</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2021-43045 affects only .NET distro, see 
https://github.com/apache/avro/pull/1357</notes>
         <gav regex="true">org\.apache\.avro:.*</gav>
@@ -172,16 +157,6 @@
         <cve>CVE-2021-26291</cve>
     </suppress>
 
-  <suppress>
-    <notes>fredsmith utils library is not used at all. CVE-2021-4277 is a 
false positive.</notes>
-    <cve>CVE-2021-4277</cve>
-  </suppress>
-
-  <suppress>
-    <notes>yaml_project is not used at all. Any CVEs reported for yaml_project 
are false positives.</notes>
-    <cpe>cpe:/a:yaml_project:yaml</cpe>
-  </suppress>
-
   <suppress>
     <notes><![CDATA[
     snakeyaml is not "fixing" CVE-2022-1471.
