This is an automated email from the ASF dual-hosted git repository.

mthomsen pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
     new 2d57625249 NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 
8.3.1
2d57625249 is described below

commit 2d57625249cd5e944b5ff22f10f73e92e437334b
Author: exceptionfactory <exceptionfact...@apache.org>
AuthorDate: Mon Jun 19 20:52:44 2023 -0500

    NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 8.3.1
    
    - Updated OWASP suppressions to exclude several JSON and Kafka false 
positives
    - Excluded JUnit dependency from Hive 3 JDBC
    
    This closes #7411
    
    Signed-off-by: Mike Thomsen <mthom...@apache.org>
---
 nifi-dependency-check-maven/suppressions.xml       | 75 ++++++++++------------
 .../nifi-hive-bundle/nifi-hive3-processors/pom.xml |  4 ++
 pom.xml                                            |  2 +-
 3 files changed, 40 insertions(+), 41 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index 5d36569eaa..e4e0cdac1d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,16 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>Jetty SSLEngine is incorrectly identified with Jetty 
Server</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
-        <cpe regex="true">^cpe:.*$</cpe>
-    </suppress>
-    <suppress>
-        <notes>H2 1.4.200 is shaded and repackaged without vulnerable 
components in nifi-h2-database for migration</notes>
-        <packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
-        <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2022-45868 requires running H2 from a command not 
applicable to project references</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
@@ -154,11 +144,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client 
library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
-        <cve>CVE-2022-34271</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs 
Checkpoint Store Blob library</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
@@ -169,21 +154,11 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
         <cve>CVE-2022-39135</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2018-8016 applies to Apache Cassandra server not the client 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
-        <cve>CVE-2018-8016</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not 
Jackson Annotations</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
         <cve>CVE-2018-1000873</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2021-34371 applies to Neo4j server not the driver 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
-        <cve>CVE-2021-34371</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server 
not the FTP server library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
@@ -194,21 +169,6 @@
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
         <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
-        <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
-        <cve>CVE-2022-31160</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is 
not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
-        <packageUrl 
regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
-        <cve>CVE-2021-37533</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
-        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2023-25613 applies to an LDAP backend class for Apache 
Kerby not the Token Provider library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
@@ -264,4 +224,39 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
+    <suppress>
+        <notes>CVE-2022-45688 applies to hutools-json not org.json</notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+    <suppress>
+        <notes>The Jackson maintainers dispute the applicability of 
CVE-2023-35116 based on cyclic nature of reported concern</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25194 applies to Kafka Connect workers not client 
libraries</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2023-25194</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-34917 applies to Kafka brokers not client 
libraries</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2022-34917</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby 
Server which is not used in runtime NiFi configurations</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
+        <cve>CVE-2023-25613</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-24823</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-41915</cve>
+    </suppress>
 </suppressions>
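Review bot: The two Netty suppressions at the end of the hunk match every io.netty artifact in the build (`^pkg:maven/io\.netty/netty.*?@.*$`) while their notes justify the exclusion only for Apache Kudu clients, so CVE-2022-24823 and CVE-2022-41915 would also be silenced for any other bundle that later resolves an affected netty-codec-http. Narrowing the packageUrl to the version the Kudu client actually resolves, or adding an expiry such as `<suppress until="YYYY-MM-DDZ">` (placeholder date), keeps the finding from being hidden indefinitely; the same consideration applies to the Kafka pattern `kafka.*?@`, which appears to match more than the client artifact. As a point of style, the two Kafka entries and the two Netty entries each repeat an identical packageUrl, and a single `<suppress>` with two `<cve>` children per pattern would be shorter and keep the scope decision in one place.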
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml 
b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 997931a206..9e85d2cc36 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -129,6 +129,10 @@
                     <groupId>com.google.code.findbugs</groupId>
                     <artifactId>jsr305</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
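Review bot: The new junit exclusion carries no explanation of why a test framework reaches this dependency's runtime path, and the enclosing `<dependency>` element starts before the hunk, so the affected artifact is not visible here beyond the commit message attributing it to the Hive 3 JDBC dependency. A one-line comment above the exclusion, e.g. `<!-- junit is pulled in transitively by the Hive 3 JDBC artifact; keep it out of the packaged NAR -->`, records the intent so a later dependency upgrade does not drop the exclusion silently.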
diff --git a/pom.xml b/pom.xml
index 4d7227f490..b2bace53f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1180,7 +1180,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>8.2.1</version>
+                        <version>8.3.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>
