This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
commit 5bdee9a7148d165332a763dae645fb85365f6ac6 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Mon Mar 27 18:16:51 2023 -0500 NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 8.2.1 - Updated suppression configuration - Upgraded Solr from 8.6.3 to 8.11.1 for Ranger - Excluded Apache Ivy from Hive and Janus Graph dependencies - Excluded Groovy from Hive tests Signed-off-by: Joe Witt <joew...@apache.org> --- nifi-dependency-check-maven/suppressions.xml | 117 +++++++++++++-------- .../nifi-graph-test-clients/pom.xml | 4 + .../nifi-hive-bundle/nifi-hive-test-utils/pom.xml | 20 ++++ .../nifi-hive-bundle/nifi-hive3-processors/pom.xml | 4 + .../nifi-iceberg-processors/pom.xml | 8 ++ nifi-nar-bundles/nifi-ranger-bundle/pom.xml | 6 ++ .../nifi-registry-ranger/pom.xml | 6 ++ pom.xml | 3 +- 8 files changed, 121 insertions(+), 47 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index d017e30e40..345cd293d5 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -39,11 +39,6 @@
 <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
 </suppress>
- <suppress>
- <notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
- <cpe>cpe:/a:apache:spark</cpe>
- </suppress>
 <suppress>
 <notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
@@ -79,36 +74,11 @@
 <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
 <cve>CVE-2017-10355</cve>
 </suppress>
- <suppress>
- <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
- <cve>CVE-2020-13955</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
- <cve>CVE-2020-13955</cve>
- </suppress>
 <suppress>
 <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
 <cve>CVE-2020-13955</cve>
 </suppress>
- <suppress>
- <notes>CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$</packageUrl>
- <cve>CVE-2020-13955</cve>
- </suppress>
- <suppress>
- <notes>OpenTSDB vulnerabilities do not apply to HBase Async library</notes>
- <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
- <cpe>cpe:/a:opentsdb:opentsdb</cpe>
- </suppress>
- <suppress>
- <notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus core library</notes>
- <packageUrl regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
- <cpe>cpe:/a:eclipse:equinox</cpe>
- </suppress>
 <suppress>
 <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
@@ -119,11 +89,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
 <cve>CVE-2019-0212</cve>
 </suppress>
- <suppress>
- <notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
- <packageUrl regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2014-3643</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
 <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
@@ -175,23 +140,83 @@
 <cpe regex="true">^cpe:/a:elastic.*$</cpe>
 </suppress>
 <suppress>
- <notes>CVE-2022-45046 description notes that the initial issue was not a security vulnerability</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
- <cve>CVE-2022-45046</cve>
+ <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer</notes>
+ <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
+ <cpe regex="true">^cpe:/a:elastic.*$</cpe>
 </suppress>
 <suppress>
- <notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers</notes>
- <packageUrl regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
- <cve>CVE-2020-36632</cve>
+ <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client library</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
+ <cve>CVE-2022-34271</cve>
 </suppress>
 <suppress>
- <notes>CVE-2018-8015 applies to Apache ORC not to Apache Iceberg</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
- <cve>CVE-2018-8015</cve>
+ <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
+ <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
+ <cve>CVE-2022-30187</cve>
 </suppress>
 <suppress>
- <notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
+ <notes>CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
 <cve>CVE-2022-39135</cve>
 </suppress>
+ <suppress>
+ <notes>CVE-2018-8016 applies to Apache Cassandra server not the client library</notes>
+ <packageUrl 
regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+ <cve>CVE-2018-8016</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations</notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
+ <cve>CVE-2018-1000873</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2021-34371 applies to Neo4j server not the driver library</notes>
+ <packageUrl regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
+ <cve>CVE-2021-34371</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+ <cve>CVE-2010-1151</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2018-14335 applies to H2 running with a web server console enabled</notes>
+ <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+ <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
+ <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
+ <cve>CVE-2022-31160</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
+ <packageUrl regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
+ <cve>CVE-2021-37533</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
+ <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
+ <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes>CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library</notes>
+ <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
+ <cve>CVE-2023-25613</cve>
+ </suppress>
+ <suppress>
+ <notes>The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities</notes>
+ <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
+ <cpe>cpe:/a:apache:tomcat</cpe>
+ </suppress>
+ <suppress>
+ <notes>Google BigQuery Storage is not the same as the gGRPC framework library</notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
+ <cpe>cpe:/a:grpc:grpc</cpe>
+ </suppress>
+ <suppress>
+ <notes>Google PubSubLite is not the same as the gRPC framework library</notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
+ <cpe>cpe:/a:grpc:grpc</cpe>
+ </suppress>
 </suppressions>
diff --git a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
index 0b9c37652a..a1efb02649 100644
--- a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
+++ b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
@@ -79,6 +79,10 @@
 <groupId>commons-logging</groupId>
 <artifactId>commons-logging</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.apache.ivy</groupId>
+ <artifactId>ivy</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
index 65e9283381..a66a99694f 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
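Review bot: The new suppressions for CVE-2022-31160 and CVE-2021-37533 are keyed on `<packageUrl>` alone, so they silence the finding for every copy of jquery-ui and commons-net anywhere in the build, while their notes justify the exception only for the copies shaded into hadoop-client-api and hadoop-client-runtime; a direct commons-net or jquery-ui dependency in another module would no longer be reported. Pairing each packageUrl with a `<filePath regex="true">` (or a `<sha1>`) that names the carrying artifact keeps the exception as narrow as the note claims. The Atlas entry has the same shape: `^pkg:maven/org\.apache\.atlas/.*$` covers every Atlas artifact, not only the client library the note describes. Separately, the BigQuery note reads `gGRPC` where the PubSubLite note reads `gRPC`.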
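Review bot: The new Ivy exclusion carries no comment saying why dropping the transitive artifact is safe for this dependency, and the same bare exclusion recurs in the nifi-hive-test-utils, nifi-hive3-processors and nifi-iceberg-processors hunks (two of which also exclude groovy-all). Excluding a transitive dependency clears a scanner finding only if the excluded classes are never loaded; if the graph or Hive code paths do reach for Ivy, the failure appears as a NoClassDefFoundError at runtime rather than at build time, which is worth stating next to the exclusion. A one-line note such as `<!-- Excluded: not used by the code paths exercised here; see NIFI-11347 -->`, adjusted to the real reason, would let the next maintainer tell a scanner work-around from a genuine conflict. The enclosing `<dependency>` element begins outside the hunk, so the coordinates of the dependency being trimmed are not visible here.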
@@ -94,6 +94,14 @@
 <groupId>com.google.guava</groupId>
 <artifactId>guava</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.groovy</groupId>
+ <artifactId>groovy-all</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.ivy</groupId>
+ <artifactId>ivy</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -117,6 +125,18 @@
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-core</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.woodstox</groupId>
+ <artifactId>woodstox-core</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.groovy</groupId>
+ <artifactId>groovy-all</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.ivy</groupId>
+ <artifactId>ivy</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 3611d43018..aa3dc1af10 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -161,6 +161,10 @@
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-slf4j-impl</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.apache.ivy</groupId>
+ <artifactId>ivy</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
index 2e3a244701..69ae6ec7dc 100644
--- a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
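Review bot: The woodstox-core exclusion in the second nifi-hive-test-utils hunk is not covered by the commit description, which lists only Ivy and Groovy, so the reason for removing a StAX implementation from this test-utility dependency is undocumented. Woodstox is typically picked up through the StAX service loader rather than referenced directly, so excluding it can change which XML parser the tests run against without any compile-time signal, and the effect presumably depends on what else on the test classpath still provides one. A comment stating the actual reason (conflicting version, scanner finding, or simply unused), e.g. `<!-- Excluded: REASON_PLACEHOLDER; see NIFI-11347 -->`, would make the intent checkable on the next Hive upgrade. The enclosing `<dependency>` starts outside the hunk.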
@@ -147,6 +147,14 @@
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcprov-jdk15on</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.groovy</groupId>
+ <artifactId>groovy-all</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.ivy</groupId>
+ <artifactId>ivy</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
index 2d1ad63edb..958dfa885e 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
@@ -61,6 +61,12 @@
 <artifactId>hadoop-common</artifactId>
 <version>${ranger.hadoop.version}</version>
 </dependency>
+ <!-- Override SolrJ 8.6.3 from Ranger -->
+ <dependency>
+ <groupId>org.apache.solr</groupId>
+ <artifactId>solr-solrj</artifactId>
+ <version>8.11.1</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
 </project>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
index 979dfb123b..04d4b84cd2 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
@@ -60,6 +60,12 @@
 <artifactId>zookeeper</artifactId>
 <version>${zookeeper.version}</version>
 </dependency>
+ <!-- Override SolrJ 8.6.3 from Ranger -->
+ <dependency>
+ <groupId>org.apache.solr</groupId>
+ <artifactId>solr-solrj</artifactId>
+ <version>8.11.1</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
 </project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8264cdde86..8c20954d49 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1164,7 +1164,7 @@
 <plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
- <version>8.0.2</version>
+ <version>8.2.1</version>
 <executions>
 <execution>
 <inherited>false</inherited>
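Review bot: The SolrJ override pins `<version>8.11.1</version>` as a literal in two separate poms (this nifi-ranger-bundle hunk and the nifi-registry-ranger hunk that follows) with no shared property, so the next bump has to be found and repeated by hand and the two can silently drift apart. Declaring the version once as a property in the nearest common parent and referencing it from both `dependencyManagement` entries keeps them aligned, and the literal in `<!-- Override SolrJ 8.6.3 from Ranger -->` will itself go stale on the next Ranger upgrade, so `<!-- Override the SolrJ version pulled in transitively by Ranger -->` wears better. Forcing a client library above the version its consumer was built against is only safe if the Ranger plugin code compiles and runs against the newer SolrJ API, which cannot be confirmed from this hunk. The registry pom also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.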
@@ -1178,6 +1178,7 @@
 <skipSystemScope>true</skipSystemScope>
 <!-- Disable .NET Assembly Analyzer to avoid non-applicable errors -->
 <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+ <skipProvidedScope>true</skipProvidedScope>
 </configuration>
 </execution>
 </executions>
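Review bot: `<skipProvidedScope>true</skipProvidedScope>` drops every provided-scope artifact from the scan but, unlike the `assemblyAnalyzerEnabled` setting two lines above it, carries no comment explaining why. Provided-scope dependencies are still present on the runtime classpath supplied by the framework or container, so any vulnerability in them now goes unreported by this execution unless another scan covers them; the rationale and, if applicable, where those artifacts are scanned instead should be recorded, e.g. `<!-- Skip provided scope: RATIONALE_PLACEHOLDER -->` filled in with the actual reason. The surrounding `<configuration>` element begins outside the hunk, so any other scope settings it carries are not visible here.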