This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit 5bdee9a7148d165332a763dae645fb85365f6ac6
Author: exceptionfactory <exceptionfact...@apache.org>
AuthorDate: Mon Mar 27 18:16:51 2023 -0500

    NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 
8.2.1
    
    - Updated suppression configuration
    - Upgraded Solr from 8.6.3 to 8.11.1 for Ranger
    - Excluded Apache Ivy from Hive and Janus Graph dependencies
    - Excluded Groovy from Hive tests
    
    Signed-off-by: Joe Witt <joew...@apache.org>
---
 nifi-dependency-check-maven/suppressions.xml       | 117 +++++++++++++--------
 .../nifi-graph-test-clients/pom.xml                |   4 +
 .../nifi-hive-bundle/nifi-hive-test-utils/pom.xml  |  20 ++++
 .../nifi-hive-bundle/nifi-hive3-processors/pom.xml |   4 +
 .../nifi-iceberg-processors/pom.xml                |   8 ++
 nifi-nar-bundles/nifi-ranger-bundle/pom.xml        |   6 ++
 .../nifi-registry-ranger/pom.xml                   |   6 ++
 pom.xml                                            |   3 +-
 8 files changed, 121 insertions(+), 47 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index d017e30e40..345cd293d5 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -39,11 +39,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>Spark 2.13 used in nifi-spark-receiver is not impacted by Spark 
Server vulnerabilities</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$</packageUrl>
-        <cpe>cpe:/a:apache:spark</cpe>
-    </suppress>
     <suppress>
         <notes>Apache Hive vulnerabilities do not apply to Flume Hive 
Sink</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl>
@@ -79,36 +74,11 @@
         <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
         <cve>CVE-2017-10355</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite 
Avatica</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$</packageUrl>
-        <cve>CVE-2020-13955</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite 
Avatica</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$</packageUrl>
-        <cve>CVE-2020-13955</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite 
Druid</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
         <cve>CVE-2020-13955</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2020-13955 applies to Apache Calcite Core not Apache 
Calcite Avatica subproject</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$</packageUrl>
-        <cve>CVE-2020-13955</cve>
-    </suppress>
-    <suppress>
-        <notes>OpenTSDB vulnerabilities do not apply to HBase Async 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
-        <cpe>cpe:/a:opentsdb:opentsdb</cpe>
-    </suppress>
-    <suppress>
-        <notes>Eclipse Equinox vulnerabilities do not apply to DataNucleus 
core library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.datanucleus/datanucleus\-core@.*$</packageUrl>
-        <cpe>cpe:/a:eclipse:equinox</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
@@ -119,11 +89,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl>
         <cve>CVE-2019-0212</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2014-3643 applies to Jersey Server not Jersey Core</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.sun\.jersey/jersey\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2014-3643</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client 
libraries</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
@@ -175,23 +140,83 @@
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
-        <notes>CVE-2022-45046 description notes that the initial issue was not 
a security vulnerability</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
-        <cve>CVE-2022-45046</cve>
+        <notes>Elasticsearch Server vulnerabilities do not apply to 
elasticsearch-rest-client-sniffer</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
-        <notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat 
not flatbuffers</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
-        <cve>CVE-2020-36632</cve>
+        <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client 
library</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
+        <cve>CVE-2022-34271</cve>
     </suppress>
     <suppress>
-        <notes>CVE-2018-8015 applies to Apache ORC not to Apache 
Iceberg</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
-        <cve>CVE-2018-8015</cve>
+        <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs 
Checkpoint Store Blob library</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
+        <cve>CVE-2022-30187</cve>
     </suppress>
     <suppress>
-        <notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
+        <notes>CVE-2022-39135 applies to Apache Calcite core not the Calcite 
Druid library</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
         <cve>CVE-2022-39135</cve>
     </suppress>
+    <suppress>
+        <notes>CVE-2018-8016 applies to Apache Cassandra server not the client 
library</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+        <cve>CVE-2018-8016</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not 
Jackson Annotations</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
+        <cve>CVE-2018-1000873</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-34371 applies to Neo4j server not the driver 
library</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
+        <cve>CVE-2021-34371</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server 
not the FTP server library</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+        <cve>CVE-2010-1151</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2018-14335 applies to H2 running with a web server console 
enabled</notes>
+        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
+        <cve>CVE-2022-31160</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is 
not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
+        <packageUrl 
regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
+        <cve>CVE-2021-37533</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
+        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25613 applies to an LDAP backend class for Apache 
Kerby not the Token Provider library</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
+        <cve>CVE-2023-25613</cve>
+    </suppress>
+    <suppress>
+        <notes>The Jetty Apache JSP library is not subject to Apache Tomcat 
vulnerabilities</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+    </suppress>
+    <suppress>
+        <notes>Google BigQuery Storage is not the same as the gGRPC framework 
library</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-bigquerystorage\-.*$</packageUrl>
+        <cpe>cpe:/a:grpc:grpc</cpe>
+    </suppress>
+    <suppress>
+        <notes>Google PubSubLite is not the same as the gRPC framework 
library</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
+        <cpe>cpe:/a:grpc:grpc</cpe>
+    </suppress>
 </suppressions>
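Review bot: The commons-net suppression keyed on `^pkg:maven/commons\-net/commons\-net@.*$` is global, while its notes justify it only for the copy bundled with hadoop-client-runtime for Accumulo; any other module that depends on commons-net directly, and does use its FTP client, would inherit the suppression of CVE-2021-37533 without the stated reasoning applying. The same shape appears in the jquery-ui entry (`^pkg:javascript/jquery\-ui@.*$`, justified by its inclusion in hadoop-client-api) and in the Atlas entry (`^pkg:maven/org\.apache\.atlas/.*$`, which covers every org.apache.atlas artifact rather than only the client library the notes describe). Where the justification is tied to one bundling artifact, the match is better constrained to that location — for example a `<filePath regex="true">` match on the hadoop-client-runtime jar in place of the package coordinate, if the suppression schema in use allows it — and the Atlas pattern narrowed to the specific client artifactId. Separately, `gGRPC` in the BigQuery Storage notes looks like a typo for `gRPC`.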
diff --git a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml 
b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
index 0b9c37652a..a1efb02649 100644
--- a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
+++ b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml
@@ -79,6 +79,10 @@
                     <groupId>commons-logging</groupId>
                     <artifactId>commons-logging</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml 
b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
index 65e9283381..a66a99694f 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml
@@ -94,6 +94,14 @@
                     <groupId>com.google.guava</groupId>
                     <artifactId>guava</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.groovy</groupId>
+                    <artifactId>groovy-all</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -117,6 +125,18 @@
                     <groupId>org.apache.logging.log4j</groupId>
                     <artifactId>log4j-core</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.woodstox</groupId>
+                    <artifactId>woodstox-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.groovy</groupId>
+                    <artifactId>groovy-all</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
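Review bot: The `woodstox-core` exclusion added in this hunk is not explained anywhere: the commit description lists the Groovy and Ivy exclusions but not Woodstox, and the enclosing `<dependency>` starts outside the hunk, so the artifact it applies to is not visible here. Excluding an XML parser implementation can change which StAX provider is resolved at test time, so a one-line comment above the exclusion stating the reason — presumably that the dependency check flagged the transitive version, but that should be confirmed — would keep a later dependency refresh from reintroducing or silently dropping it.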
         <dependency>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml 
b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 3611d43018..aa3dc1af10 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -161,6 +161,10 @@
                     <groupId>org.apache.logging.log4j</groupId>
                     <artifactId>log4j-slf4j-impl</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git 
a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml 
b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
index 2e3a244701..69ae6ec7dc 100644
--- a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml
@@ -147,6 +147,14 @@
                     <groupId>org.bouncycastle</groupId>
                     <artifactId>bcprov-jdk15on</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.groovy</groupId>
+                    <artifactId>groovy-all</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
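Review bot: The commit description scopes the Groovy exclusion to Hive tests, but this hunk is in nifi-iceberg-processors, and the enclosing `<dependency>` (with its `<scope>`, if any) starts outside the hunk, so whether this is a test-only dependency cannot be confirmed from here. If the dependency is compile or runtime scope, dropping `groovy-all` changes what ships with the module rather than only what the scanner sees; confirm the scope, or record the reason next to the exclusion, e.g. `<!-- groovy-all is not needed at runtime; excluded so it is not bundled or scanned -->` if that is the case.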
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml 
b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
index 2d1ad63edb..958dfa885e 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
@@ -61,6 +61,12 @@
                 <artifactId>hadoop-common</artifactId>
                 <version>${ranger.hadoop.version}</version>
             </dependency>
+            <!-- Override SolrJ 8.6.3 from Ranger -->
+            <dependency>
+                <groupId>org.apache.solr</groupId>
+                <artifactId>solr-solrj</artifactId>
+                <version>8.11.1</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>
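Review bot: The new `solr-solrj` entry pins `8.11.1` as a literal, whereas the neighbouring managed dependencies in this block use properties (`${ranger.hadoop.version}`, `${zookeeper.version}`); the identical literal is repeated in the nifi-registry-ranger hunk, so the two overrides can drift apart on the next upgrade. Declaring one property (e.g. `ranger.solr.version`, name constructed) in a shared parent and referencing it from both poms keeps the override in one place. The comment `Override SolrJ 8.6.3 from Ranger` says what is overridden but not why; if, as the commit subject suggests, the override exists to move off a version flagged by the dependency check, stating that tells the next reader when the override can be retired.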
diff --git 
a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml 
b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
index 979dfb123b..04d4b84cd2 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
@@ -60,6 +60,12 @@
                 <artifactId>zookeeper</artifactId>
                 <version>${zookeeper.version}</version>
             </dependency>
+            <!-- Override SolrJ 8.6.3 from Ranger -->
+            <dependency>
+                <groupId>org.apache.solr</groupId>
+                <artifactId>solr-solrj</artifactId>
+                <version>8.11.1</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 8264cdde86..8c20954d49 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1164,7 +1164,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>8.0.2</version>
+                        <version>8.2.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>
@@ -1178,6 +1178,7 @@
                                     <skipSystemScope>true</skipSystemScope>
                                     <!-- Disable .NET Assembly Analyzer to 
avoid non-applicable errors -->
                                     
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                                    <skipProvidedScope>true</skipProvidedScope>
                                 </configuration>
                             </execution>
                         </executions>
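Review bot: `skipProvidedScope` is added without a comment, unlike the neighbouring `assemblyAnalyzerEnabled` setting, and it changes the scan's coverage rather than only its noise: provided-scope artifacts are no longer analyzed at all. That is reasonable when such dependencies are supplied by the runtime container, but any provided-scope dependency that is in fact packaged would silently drop out of the report. A comment stating the assumption, e.g. `<!-- Provided scope dependencies are supplied by the runtime and not packaged -->`, makes the trade-off explicit and reviewable.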
