This is an automated email from the ASF dual-hosted git repository. pvillard pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 358e4cb451 NIFI-12955 Updated OWASP Dependency Check Suppressions 358e4cb451 is described below commit 358e4cb4512ba12f7168e45329e40177897c6669 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Tue Mar 26 09:04:37 2024 -0500 NIFI-12955 Updated OWASP Dependency Check Suppressions - Removed unused suppressions - Added suppressions for Clojure and Hadoop shaded libraries Signed-off-by: Pierre Villard <pierre.villard...@gmail.com> This closes #8570.
--- nifi-dependency-check-maven/suppressions.xml | 161 +++------------------------ 1 file changed, 18 insertions(+), 143 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index be9ecb301d..16f768e997 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,21 +19,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
 <cpe regex="true">^cpe:.*$</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
- <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
- <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
- <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
- <cve>CVE-2016-1000027</cve>
- </suppress>
- <suppress>
- <notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
- <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
- <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
 <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
@@ -49,36 +34,6 @@
 <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
 <cve>CVE-2007-6465</cve>
 </suppress>
- <suppress>
- <notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes>
- <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
- <cve>CVE-2022-31159</cve>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2021-22145 applies to Elasticsearch Server not client libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
- <vulnerabilityName>CVE-2021-22145</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$</packageUrl>
- <cpe regex="true">^cpe:/a:elastic.*$</cpe>
- </suppress>
 <suppress>
 <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
 <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
@@ -94,11 +49,6 @@
 <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
 <cve>CVE-2022-30187</cve>
 </suppress>
- <suppress>
- <notes>CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
- <cve>CVE-2022-39135</cve>
- </suppress>
 <suppress>
 <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
@@ -109,11 +59,6 @@
 <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
 <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
 </suppress>
- <suppress>
- <notes>CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
- <cve>CVE-2023-25613</cve>
- </suppress>
 <suppress>
 <notes>The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities</notes>
 <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$</packageUrl>
@@ -159,16 +104,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
 <cve>CVE-2023-25194</cve>
 </suppress>
- <suppress>
- <notes>CVE-2022-34917 applies to Kafka brokers not client libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
- <cve>CVE-2022-34917</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
- <cve>CVE-2023-25613</cve>
- </suppress>
 <suppress>
 <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
 <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
@@ -189,31 +124,11 @@
 <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
 <cpe>cpe:/a:wire:wire</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2023-44487 applies to Solr Server not Solr client libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-solrj@.*$</packageUrl>
- <cve>CVE-2023-44487</cve>
- </suppress>
 <suppress>
 <notes>Avro project vulnerabilities do not apply to Parquet Avro</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl>
 <cpe>cpe:/a:avro_project:avro</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2023-4759 is resolved in 6.7.0 which is already upgraded in nifi-registry</notes>
- <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/.*$</packageUrl>
- <cve>CVE-2023-4759</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-4586 is resolved in Netty 4.1.100 which is already upgraded</notes>
- <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
- <cve>CVE-2023-4586</cve>
- </suppress>
- <suppress>
- <notes>CVE-2023-35887 applies to MINA SSHD not MINA core libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
- <cve>CVE-2023-35887</cve>
- </suppress>
 <suppress>
 <notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
@@ -274,36 +189,16 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
 <cve>CVE-2019-3559</cve>
 </suppress>
- <suppress>
- <notes>CVE-2023-36479 was resolved in Jetty 10.0.16</notes>
- <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl>
- <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes>
 <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
 <cpe>cpe:/a:eclipse:jetty</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2023-31419 applies to Elasticsearch Server not client libraries</notes>
- <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
- <vulnerabilityName>CVE-2023-31419</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
 <cve>CVE-2023-37475</cve>
 </suppress>
- <suppress>
- <notes>CVE-2023-45860 is resolved in Hazelcast 5.3.5</notes>
- <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast@.*$</packageUrl>
- <vulnerabilityName>CVE-2023-45860</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>CVE-2023-36414 applies to Azure Identity for .NET not Java</notes>
- <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
- <cve>CVE-2023-36414</cve>
- </suppress>
 <suppress>
 <notes>CVE-2023-36415 applies to Azure Identity for Python not Java</notes>
 <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
@@ -329,11 +224,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
 <cpe>cpe:/a:apache:hadoop</cpe>
 </suppress>
- <suppress>
- <notes>CVE-2017-7525 applies to Jackson 2 not Jackson 1</notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
- <vulnerabilityName>CVE-2017-7525</vulnerabilityName>
- </suppress>
 <suppress>
 <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
 <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
@@ -349,11 +239,6 @@
 <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
 <cve>CVE-2020-11023</cve>
 </suppress>
- <suppress>
- <notes>CVE-2020-23064 applies to bundled copies of jQuery not used in the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
- <cve>CVE-2020-23064</cve>
- </suppress>
 <suppress>
 <notes>CVE-2011-4969 applies to bundled copies of jQUery not used in the project</notes>
 <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
@@ -379,16 +264,6 @@
 <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
 <vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates</vulnerabilityName>
 </suppress>
- <suppress>
- <notes>CVE-2020-28458 applies to bundled copies of jQuery datatables not used in the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
- <cve>CVE-2020-28458</cve>
- </suppress>
- <suppress>
- <notes>CVE-2021-23445 applies to bundled copies of jQuery datatables not used in the project</notes>
- <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
- <cve>CVE-2021-23445</cve>
- </suppress>
 <suppress>
 <notes>CVE-2023-44487 references gRPC for Go</notes>
 <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
@@ -404,21 +279,6 @@
 <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 <cve>CVE-2020-8908</cve>
 </suppress>
- <suppress>
- <notes>Bundled versions of jQuery DataTables are not used</notes>
- <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
- <vulnerabilityName>prototype pollution</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Bundled versions of jQuery DataTables are not used</notes>
- <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
- <vulnerabilityName>possible XSS</vulnerabilityName>
- </suppress>
- <suppress>
- <notes>Picocli misidentified as LINE library from Android so CVE-2015-0897 does not apply</notes>
- <packageUrl regex="true">^pkg:maven/info\.picocli/picocli@.*$</packageUrl>
- <cve>CVE-2015-0897</cve>
- </suppress>
 <suppress>
 <notes>CVE-2023-36052 applies to Azure CLI not Azure Java libraries</notes>
 <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
@@ -430,8 +290,23 @@
 <cpe>cpe:/a:amazon:ion</cpe>
 </suppress>
 <suppress>
- <notes>JSON Path 2.9.0 resolves CVE-2023-51074</notes>
- <packageUrl regex="true">^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$</packageUrl>
- <vulnerabilityName>CVE-2023-51074</vulnerabilityName>
+ <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
+ <packageUrl regex="true">^pkg:maven/org\.clojure/spec\.alpha@.*$</packageUrl>
+ <cve>CVE-2017-20189</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
+ <packageUrl regex="true">^pkg:maven/org\.clojure/core\.specs\.alpha@.*$</packageUrl>
+ <cve>CVE-2017-20189</cve>
+ </suppress>
+ <suppress>
+ <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
+ <cpe>cpe:/a:apache:hadoop</cpe>
+ </suppress>
+ <suppress>
+ <notes>CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr</notes>
+ <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$</packageUrl>
+ <vulnerabilityName>CVE-2024-22201</vulnerabilityName>
 </suppress>
 </suppressions>
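Review bot: The new CVE-2024-22201 suppression at the end of the hunk cites a specific Jetty version (10.0.19) in its notes but matches `http2-common@.*$`, so it will keep hiding the finding for every future http2-common version without anyone re-checking whether the "client usage in Solr" justification still holds. The json-path entry removed in this same hunk pinned its packageUrl to `@2.9.0$`; the same approach here, `^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@10\.0\.19$`, or an `until` date on the `<suppress>` element, would force a re-evaluation when the transitive Jetty version changes. The entry also selects by `<vulnerabilityName>` while the two Clojure entries above use `<cve>` for what is equally a CVE identifier; if that is deliberate because the finding is reported from a non-NVD source, a few words to that effect in the `<notes>` would save the next maintainer from guessing.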