This is an automated email from the ASF dual-hosted git repository. mthomsen pushed a commit to branch support/nifi-1.x in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push: new 2d57625249 NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 8.3.1 2d57625249 is described below commit 2d57625249cd5e944b5ff22f10f73e92e437334b Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Mon Jun 19 20:52:44 2023 -0500 NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to 8.3.1 - Updated OWASP suppressions to exclude several JSON and Kafka false positives - Excluded JUnit dependency from Hive 3 JDBC This closes #7411 Signed-off-by: Mike Thomsen <mthom...@apache.org> --- nifi-dependency-check-maven/suppressions.xml | 75 ++++++++++------------ .../nifi-hive-bundle/nifi-hive3-processors/pom.xml | 4 ++ pom.xml | 2 +- 3 files changed, 40 insertions(+), 41 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 5d36569eaa..e4e0cdac1d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,16 +19,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
 <cpe regex="true">^cpe:.*$</cpe>
 </suppress>
- <suppress>
- <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
- <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
- <cpe regex="true">^cpe:.*$</cpe>
- </suppress>
- <suppress>
- <notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
- <packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
- <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
 <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
@@ -154,11 +144,6 @@
 <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
 <cpe regex="true">^cpe:/a:elastic.*$</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client library</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
- <cve>CVE-2022-34271</cve>
- </suppress>
 <suppress>
 <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
 <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
@@ -169,21 +154,11 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
 <cve>CVE-2022-39135</cve>
 </suppress>
- <suppress>
- <notes>CVE-2018-8016 applies to Apache Cassandra server not the client library</notes>
- <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
- <cve>CVE-2018-8016</cve>
- </suppress>
 <suppress>
 <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations</notes>
 <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
 <cve>CVE-2018-1000873</cve>
 </suppress>
- <suppress>
- <notes>CVE-2021-34371 applies to Neo4j server not the driver library</notes>
- <packageUrl regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
- <cve>CVE-2021-34371</cve>
- </suppress>
 <suppress>
 <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
@@ -194,21 +169,6 @@
 <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
 <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
 </suppress>
- <suppress>
- <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
- <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
- <cve>CVE-2022-31160</cve>
- </suppress>
- <suppress>
- <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
- <packageUrl regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
- <cve>CVE-2021-37533</cve>
- </suppress>
- <suppress>
- <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
- <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
- <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
@@ -264,4 +224,39 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
 <cpe>cpe:/a:apache:hadoop</cpe>
 </suppress>
+ <suppress>
+ <notes>CVE-2022-45688 applies to hutools-json not org.json</notes>
+ <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+ <cve>CVE-2022-45688</cve>
+ </suppress>
+ <suppress>
+ <notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+ <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes>CVE-2023-25194 applies to Kafka Connect workers not client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+ <cve>CVE-2023-25194</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-34917 applies to Kafka brokers not client libraries</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+ <cve>CVE-2022-34917</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
+ <cve>CVE-2023-25613</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+ <cve>CVE-2022-24823</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+ <cve>CVE-2022-41915</cve>
+ </suppress>
 </suppressions>
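Review bot: The two Kafka and the two Netty suppressions match far more than their notes justify: `^pkg:maven/org\.apache\.kafka/kafka.*?@.*$` also covers the broker (`kafka_2.x`) and Connect artifacts should any module pull them in, and `^pkg:maven/io\.netty/netty.*?@.*$` silences CVE-2022-24823 and CVE-2022-41915 for every Netty artifact in the build while the notes only argue the Apache Kudu client case. Narrow the Kafka entries to `^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$`, and for Netty either restate the note so it holds for all NiFi uses of Netty HTTP decoding or restrict the match to the Kudu-bundled artifact with a `<filePath>` element, so a later, genuinely affected Netty consumer is not masked by a Kudu-specific rationale. The disputed jackson-databind entry would also benefit from an `until="YYYY-MM-DD"` attribute on its `<suppress>` so the dispute is re-checked on a date rather than suppressed indefinitely. The new Kerby entry and the existing `token-provider` entry above suppress the same CVE-2023-25613 with the same reasoning and could be folded into one pattern to keep the file from drifting.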
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 997931a206..9e85d2cc36 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -129,6 +129,10 @@
 <groupId>com.google.code.findbugs</groupId>
 <artifactId>jsr305</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/pom.xml b/pom.xml
index 4d7227f490..b2bace53f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1180,7 +1180,7 @@
 <plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
- <version>8.2.1</version>
+ <version>8.3.1</version>
 <executions>
 <execution>
 <inherited>false</inherited>
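Review bot: The new `junit` exclusion carries no rationale, and the `<dependency>` it belongs to starts outside the hunk, so a reader of the pom cannot tell which transitive path brought JUnit into a runtime artifact or why dropping it is safe; the commit message is the only place that ties it to the Hive 3 JDBC driver. A one-line comment above the `<exclusion>`, such as `<!-- JUnit is pulled in transitively by the Hive JDBC driver and is not needed at runtime; excluded so it does not ship in the NAR -->`, would keep that context with the code. If the exclusion was added because Dependency Check flagged the JUnit artifact (which the commit subject suggests but the hunk does not show), stating that in the comment also explains why no matching entry appears in suppressions.xml.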