This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 62acc2b01279769fa9cbd1c9952172ba8b15eccd Author: Lari Hotari <[email protected]> AuthorDate: Sat Sep 30 11:27:36 2023 +0300 [fix][sec] Add OWASP Dependency Check suppressions (#21281) (cherry picked from commit 1bf7371b6d33c4e015d006e547b393b97686ff20) # Conflicts: # src/owasp-dependency-check-suppressions.xml --- src/owasp-dependency-check-suppressions.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml index 311204ac370..1a82702105b 100644 --- a/src/owasp-dependency-check-suppressions.xml +++ b/src/owasp-dependency-check-suppressions.xml @@ -404,4 +404,16 @@ <cve>CVE-2020-8908</cve> </suppress> + <suppress> + <notes><![CDATA[ + This is a false positive in avro-protobuf. The vulnerability is in Hamba avro golang library. + ]]></notes> + <cve>CVE-2023-37475</cve> + </suppress> + <suppress> + <notes><![CDATA[ + This CVE can be suppressed since it is covered in Pulsar by hostname verification changes made in https://github.com/apache/pulsar/pull/15824. + ]]></notes> + <cve>CVE-2023-4586</cve> + </suppress> </suppressions>
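Review bot: Both new `<suppress>` entries match on `<cve>` alone, so they silence CVE-2023-37475 and CVE-2023-4586 for every dependency in the build rather than for the artifact each note names; the first note itself says the finding is a false positive only in avro-protobuf. Dependency-check suppressions can be scoped with a `<packageUrl regex="true">` (or `<gav>`) child, for example `<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro\-protobuf@.*$</packageUrl>` for the first entry and the coordinates of the affected artifact for the second, so that the same CVE reported later against a different artifact is not hidden. For the second entry, the note should also state which branch-3.0 release carries the hostname verification change from https://github.com/apache/pulsar/pull/15824, since the suppression is unconditional and will outlive that PR. The commit message records a cherry-pick conflict in this file; the trailing context (`</suppressions>`) shows the hunk was resolved at the end of the root element, which is the right place.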
