abhishekagarwal87 commented on code in PR #15447:
URL: https://github.com/apache/druid/pull/15447#discussion_r1408795151


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -87,6 +100,122 @@
     <cve>CVE-2022-42004</cve>
   </suppress>
 
+  <suppress>
+    <!-- Avatica server itself is not affected. Vulnerability exists only on 
client. -->
+    <notes><![CDATA[
+   file name: avatica-server-1.23.0.jar
+   ]]></notes>
+    <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+    <cve>CVE-2020-13955</cve>
+  </suppress>
+
+  <!-- DoS when using expression evaluator.guess -->
+  <suppress>
+    <notes><![CDATA[
+    file name: janino-3.1.9.jar
+    ]]></notes>
+    <cve>CVE-2023-33546</cve>
+  </suppress>
+
+  <suppress>
+    <!-- from extensions using hadoop-client-runtime, these dependencies are 
shaded in the jar -->
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.6.jar
+     ]]></notes>
+    <!-- this one is windows only - 
https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server - 
https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
+    <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using 
com.google.common.io.FileBackedOutputStream -->
+    <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop 
release version -
+    
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9
 -->
+    <cve>CVE-2023-1370</cve>
+    <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to 
apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 
-->
+    <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate 
vulnerability. But there is no fix as of yet in Hadoop repo -->
+    <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
+    <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
+  </suppress>
+ <suppress>
+    <notes><![CDATA[
+     file name: hadoop-*-3.3.1.jar
+     ]]></notes>
+      <cve>CVE-2015-7430</cve>
+      <cve>CVE-2017-3162</cve>
+      <cve>CVE-2021-31684</cve>
+      <cve>CVE-2022-3509</cve>
+      <cve>CVE-2022-40152</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+      1. hive-storage-api has the thrift vulnerability too
+      2. CVE-2021-34538 pertains to Hive server.
+      3. CVE-2021-4125 only applies to the OpenShift Metering hive container 
images
+     -->
+    <notes><![CDATA[
+     file name: hive-storage-api-2.8.1.jar
+     ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.hive/[email protected]$</packageUrl>
+    <cve>CVE-2020-13949</cve>
+    <cve>CVE-2021-34538</cve>
+    <cve>CVE-2021-4125</cve>
+  </suppress>
+
+  <suppress>
+    <!-- These are for wildfly-openssl. -->
+    <notes><![CDATA[
+    file name: wildfly-openssl-1.0.7.Final.jar
+    ]]></notes>
+    <cve>CVE-2020-10740</cve>
+    <cve>CVE-2020-25644</cve>
+    <cve>CVE-2020-10718</cve>
+    <cve>CVE-2022-1278</cve>
+  </suppress>
+
+
+  <suppress>
+    <!-- These are for elasticsearch in ranger soon to be fixed. -->
+    <notes><![CDATA[
+    file name: elasticsearch plugins
+    ]]></notes>
+    <cve>CVE-2023-31417</cve>
+    <cve>CVE-2023-31418</cve>
+    <cve>CVE-2023-31419</cve>
+  </suppress>
+
+  <suppress>
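Review bot: several of the new `<suppress>` blocks match on nothing but the CVE id, so they silence that finding for every dependency that reports it, not only the jar named in `<notes>` (dependency-check treats `<notes>` as free text; only `<packageUrl>`, `<gav>`, `<sha1>` or `<filePath>` narrow the match). The `hadoop-*-3.3.1.jar`, `wildfly-openssl-1.0.7.Final.jar` and `elasticsearch plugins` entries are the ones affected, and they are also the ones with no stated reason: "These are for wildfly-openssl." names the artifact but not why CVE-2020-10740, CVE-2020-25644, CVE-2020-10718 and CVE-2022-1278 do not apply to Druid's use of it. Suggest each entry states the rationale (unreachable code path, wrong product mapping, or fix pending with a link) and is scoped the way the `hive-storage-api` entry already is, for example `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@3\.3\.1$</packageUrl>` on the 3.3.1 block. For entries that are only waiting on an upstream fix (the "soon to be fixed" elasticsearch block, the janino DoS), an `until="YYYY-MM-DD"` attribute on `<suppress>` makes the suppression expire instead of persisting silently once the dependency is bumped.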

Review Comment:
   can you add justifications for the suppressions? 



##########
owasp-dependency-check-suppressions.xml:
##########
@@ -87,6 +100,122 @@
     <cve>CVE-2022-42004</cve>
   </suppress>
 
+  <suppress>
+    <!-- Avatica server itself is not affected. Vulnerability exists only on 
client. -->
+    <notes><![CDATA[
+   file name: avatica-server-1.23.0.jar
+   ]]></notes>
+    <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+    <cve>CVE-2020-13955</cve>
+  </suppress>
+
+  <!-- DoS when using expression evaluator.guess -->
+  <suppress>
+    <notes><![CDATA[
+    file name: janino-3.1.9.jar
+    ]]></notes>
+    <cve>CVE-2023-33546</cve>
+  </suppress>
+
+  <suppress>
+    <!-- from extensions using hadoop-client-runtime, these dependencies are 
shaded in the jar -->
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.6.jar
+     ]]></notes>
+    <!-- this one is windows only - 
https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server - 
https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
+    <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using 
com.google.common.io.FileBackedOutputStream -->
+    <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop 
release version -
+    
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9
 -->
+    <cve>CVE-2023-1370</cve>
+    <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to 
apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 
-->
+    <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate 
vulnerability. But there is no fix as of yet in Hadoop repo -->
+    <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
+    <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by 
Jetty, but it hasn't been fixed by Hadoop yet-->
+  </suppress>
+ <suppress>
+    <notes><![CDATA[
+     file name: hadoop-*-3.3.1.jar
+     ]]></notes>
+      <cve>CVE-2015-7430</cve>
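Review bot: in the `hadoop-client-runtime-3.3.6.jar` block, the comments on CVE-2023-39410, CVE-2023-44487 and CVE-2023-36478 say the issues are real and unfixed ("legitimate vulnerability", "hasn't been fixed by Hadoop yet"), which is a different kind of suppression from the false positives above it and should carry a tracking link plus an `until` date so it is revisited rather than blended in with the permanent ones. The wording on the last two is also reversed: "Occurs in the version of Hadoop used by Jetty" should read "in the version of Jetty shaded into hadoop-client-runtime", since it is the Jetty artifact that is embedded in the Hadoop jar, not the other way round. The trailing `hadoop-*-3.3.1.jar` block, beginning with `<cve>CVE-2015-7430</cve>`, has no comment at all; the notes from the pre-refactor entries should be restored per CVE, not just the file name.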

Review Comment:
   The justification is lost during refactoring



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
