This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
commit 68a885d3906014e6b75c07273c42e6a350cf5886 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Mon May 6 11:23:01 2024 -0500 NIFI-13148 Excluded unused xmlunit dependency from nifi-registry-test This closes #8750. - Updated OWASP Dependency Check Suppression configuration to remove non-applicable suppressions Signed-off-by: Joseph Witt <joew...@apache.org> --- nifi-dependency-check-maven/suppressions.xml | 46 ++++------------------ .../nifi-registry-core/nifi-registry-test/pom.xml | 5 +++ 2 files changed, 13 insertions(+), 38 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 16f768e997..e7c879a351 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -24,11 +24,6 @@
 <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
 <cve>CVE-2017-10355</cve>
 </suppress>
- <suppress>
- <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
- <cve>CVE-2020-13955</cve>
- </suppress>
 <suppress>
 <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
 <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
@@ -104,11 +99,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
 <cve>CVE-2023-25194</cve>
 </suppress>
- <suppress>
- <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
- <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
- <cve>CVE-2022-24823</cve>
- </suppress>
 <suppress>
 <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
 <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
@@ -189,11 +179,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
 <cve>CVE-2019-3559</cve>
 </suppress>
- <suppress>
- <notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes>
- <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
- <cpe>cpe:/a:eclipse:jetty</cpe>
- </suppress>
 <suppress>
 <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
@@ -219,11 +204,6 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
 <cpe>cpe:/a:apache:parquet-mr</cpe>
 </suppress>
- <suppress>
- <notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
- <cpe>cpe:/a:apache:hadoop</cpe>
- </suppress>
 <suppress>
 <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
 <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
@@ -284,29 +264,19 @@
 <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
 <cve>CVE-2023-36052</cve>
 </suppress>
- <suppress>
- <notes>software.amazon.ion:ion-java is newer than com.amazonaws.ion:ion-java and does not share the same vulnerabilities</notes>
- <packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
- <cpe>cpe:/a:amazon:ion</cpe>
- </suppress>
- <suppress>
- <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
- <packageUrl regex="true">^pkg:maven/org\.clojure/spec\.alpha@.*$</packageUrl>
- <cve>CVE-2017-20189</cve>
- </suppress>
- <suppress>
- <notes>CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number</notes>
- <packageUrl regex="true">^pkg:maven/org\.clojure/core\.specs\.alpha@.*$</packageUrl>
- <cve>CVE-2017-20189</cve>
- </suppress>
 <suppress>
 <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
 <cpe>cpe:/a:apache:hadoop</cpe>
 </suppress>
 <suppress>
- <notes>CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr</notes>
- <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$</packageUrl>
- <vulnerabilityName>CVE-2024-22201</vulnerabilityName>
+ <notes>CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
+ <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+ <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes>CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not 1.6.9</notes>
+ <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+ <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
 </suppress>
 </suppressions>
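Review bot: The two added threetenbp suppressions match every version of the artifact (`^pkg:maven/org\.threeten/threetenbp@.*$`) while their own notes say CVE-2024-23081 and CVE-2024-23082 apply to 1.6.8 and earlier and not to 1.6.9, so the entries would also hide a genuine finding if the resolved version ever regressed below 1.6.9 through a transitive change. Since the justification is version-specific, the match should be too, e.g. `<packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@1\.6\.9$</packageUrl>` in both new suppress blocks, or the `<suppress>` elements should carry an `until` date (supported by the dependency-check suppression schema) so the entries are re-examined rather than silently kept. The older suppressions in this file use the same open-ended `@.*$` form, but those are justified by the artifact not being affected at all, which is not the case here.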
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
index ccde7a580c..b22bf5daac 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
@@ -31,6 +31,11 @@
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-logging</artifactId>
 </exclusion>
+ <!-- XML Unit is not used -->
+ <exclusion>
+ <groupId>org.xmlunit</groupId>
+ <artifactId>xmlunit-core</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
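Review bot: The justification comment on the added exclusion, `<!-- XML Unit is not used -->`, does not say what pulls xmlunit-core in or by which module it is unused, and the enclosing `<dependency>` starts outside the hunk, so the consuming artifact is not visible here. A maintainer later pruning exclusions cannot tell from the comment whether it is still accurate; suggest `<!-- xmlunit-core arrives transitively through this dependency and is not used by nifi-registry-test -->`. If the same dependency also brings in other org.xmlunit artifacts, that is worth confirming, since only xmlunit-core is excluded on the new side.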