(nifi) branch main updated: NIFI-15722 Added configuration for Grype scanning (#11014)

Tue, 17 Mar 2026 11:17:06 -0700 

This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new b2d35ef2f7d NIFI-15722 Added configuration for Grype scanning (#11014)
b2d35ef2f7d is described below

commit b2d35ef2f7d356e0ce7ef8187b172ddc7b0082b3
Author: David Handermann <[email protected]>
AuthorDate: Tue Mar 17 13:16:49 2026 -0500

    NIFI-15722 Added configuration for Grype scanning (#11014)
    
    - Included ignored vulnerabilities with reasons and referencing libraries
---
 .grype.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000000..baa1c8c897e
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ignore:
+  # Reason: Referencing libraries bundle shaded version of Jackson
+  # Mitigating Factors: Jackson Async Parser not used
+  # Reference: com.hazelcast:hazelcast:5.6.0
+  # Reference: org.apache.parquet:parquet-jackson:1.17.0
+  - vulnerability: GHSA-72hv-8253-57qq
+    package:
+      name: jackson-core
+      version: 2.19.2
+  # Reason: Referencing libraries require code changes for upgraded version
+  # Mitigating Factors: Snappy and LZ4 decompression depend on component 
configuration
+  # Reference: org.apache.kafka:kafka-clients:4.2.0
+  # Reference: org.apache.iceberg:iceberg-core:1.10.1
+  - vulnerability: GHSA-vx9q-rhv9-3jvg
+    package:
+      name: aircompressor
+      version: 0.27

Reply via email to