[nifi] 02/03: NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 8.2.1
This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit 5bdee9a7148d165332a763dae645fb85365f6ac6
Author: exceptionfactory
AuthorDate: Mon Mar 27 18:16:51 2023 -0500

    NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 8.2.1

    - Updated suppression configuration
    - Upgraded Solr from 8.6.3 to 8.11.1 for Ranger
    - Excluded Apache Ivy from Hive and Janus Graph dependencies
    - Excluded Groovy from Hive tests

    Signed-off-by: Joe Witt
---
 nifi-dependency-check-maven/suppressions.xml       | 117 +
 .../nifi-graph-test-clients/pom.xml                |   4 +
 .../nifi-hive-bundle/nifi-hive-test-utils/pom.xml  |  20
 .../nifi-hive-bundle/nifi-hive3-processors/pom.xml |   4 +
 .../nifi-iceberg-processors/pom.xml                |   8 ++
 nifi-nar-bundles/nifi-ranger-bundle/pom.xml        |   6 ++
 .../nifi-registry-ranger/pom.xml                   |   6 ++
 pom.xml                                            |   3 +-
 8 files changed, 121 insertions(+), 47 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml index d017e30e40..345cd293d5 100644 --- a/nifi-dependency-check-maven/suppressions.xml +++ b/nifi-dependency-check-maven/suppressions.xml @@ -39,11 +39,6 @@ ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 - -Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities -^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$ -cpe:/a:apache:spark - Apache Hive vulnerabilities do not apply to Flume Hive Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$ 
@@ -79,36 +74,11 @@ ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 - -CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica -^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$ -CVE-2020-13955 - - -CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica -^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$ -CVE-2020-13955 - CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 - -CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject -^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$ -CVE-2020-13955 - - -OpenTSDB vulnerabilities do not apply to HBase Async library -^pkg:maven/org\.hbase/asynchbase@.*$ -cpe:/a:opentsdb:opentsdb - - -Eclipse Equinox vulnerabilities do not apply to DataNucleus core library -^pkg:maven/org\.datanucleus/datanucleus\-core@.*$ -cpe:/a:eclipse:equinox - CVE-2018-8025 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ @@ -119,11 +89,6 @@ ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2019-0212 - -CVE-2014-3643 applies to Jersey Server not Jersey Core -^pkg:maven/com\.sun\.jersey/jersey\-core@.*$ -CVE-2014-3643 - CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ 
@@ -175,23 +140,83 @@ ^cpe:/a:elastic.*$ -CVE-2022-45046 description notes that the initial issue was not a security vulnerability -^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$ -CVE-2022-45046 +Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer +^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ +^cpe:/a:elastic.*$ -CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers -^pkg:maven/com\.vlkan/flatbuffers@.*$ -CVE-2020-36632 +CVE-2022-34271 applies to Atlas Server not the Atlas client library +^pkg:maven/org\.apache\.atlas/.*$ +CVE-2022-34271 -CVE-2018-8015 applies to Apache ORC not to Apache Iceberg -^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$ -CVE-2018-8015 +CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library +^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ +CVE-2022-30187 -CVE-2022-39135 applies to Calcite not Calcite Avatica -^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$ +CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library +
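Review bot: In the @@ -39,11 +39,6 @@ hunk the Spark 2.13 suppression (`cpe:/a:apache:spark` for `spark\-.+?_2\.13`) is dropped without a stated reason; the commit message only says "Updated suppression configuration". If the entry went away because Dependency Check 8.2.1 no longer maps the Scala 2.13 Spark artifacts to the Spark Server CPE, record that in the message, otherwise the Spark Server findings for nifi-spark-receiver will simply reappear in the next report. Removed suppressions leave no trace in the scan output, so one line of rationale per removed group keeps this file auditable.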
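Review bot: In the @@ -79,36 +74,11 @@ hunk the surviving entry for CVE-2020-13955 uses `^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$`, escaping the slash and leaving the hyphen bare, while the neighbouring entries do the opposite (`spring\-security\-crypto`, `hbase\-client`). Both forms match in a Java regex, but with three overlapping Avatica patterns (`avatica\-core`, `calcite\/calcite-avatica`, `avatica(-metrics)?`) being consolidated away in this same hunk, now is the moment to settle on one escaping convention so the remaining patterns can be checked by eye. The removal of the CPE-wide suppressions for `asynchbase` (`cpe:/a:opentsdb:opentsdb`) and `datanucleus-core` (`cpe:/a:eclipse:equinox`) also deserves a sentence in the commit message, since it implies the upgraded scanner stopped misidentifying those artifacts.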
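Review bot: In the @@ -119,11 +89,6 @@ hunk the CVE-2014-3643 suppression for `com\.sun\.jersey/jersey\-core` is removed, yet none of the commit's listed dependency changes (Ivy, Groovy, Solr) touch Jersey. The server-only reasoning in the removed note still holds for the Jersey 1.x core artifact, so please confirm whether jersey-core has actually left every bundle's classpath or whether 8.2.1 simply stopped flagging it; if it is still present, the finding comes back.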
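Review bot: In the @@ -175,23 +140,83 @@ hunk the new Atlas entry suppresses CVE-2022-34271 with `^pkg:maven/org\.apache\.atlas/.*$`, which covers every artifact in the org.apache.atlas group, while its note says the CVE applies to the Atlas Server and not the client library. Narrow the regex to the client artifact(s) that are actually bundled so that a server-side Atlas artifact pulled in later is not silently exempted. The new elasticsearch-rest-client-sniffer entry suppresses the whole `^cpe:/a:elastic.*$` CPE rather than a single CVE; that is a standing exemption covering future Elasticsearch CVEs too, acceptable for a pure client artifact and consistent with the existing Elasticsearch client entry immediately above it, but worth stating as intentional. The hunk as shown ends after the CVE-2022-39135 Calcite Druid note, so the packageUrl and cve lines of that entry are not visible here and cannot be checked.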
[nifi] 02/03: NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 8.2.1
This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit 87768708ab5649f314e257320e8543f7d4b83867
Author: exceptionfactory
AuthorDate: Mon Mar 27 18:16:51 2023 -0500

    NIFI-11347 This closes #7089. Upgraded OWASP Dependency Check from 8.0.2 to 8.2.1

    - Updated suppression configuration
    - Upgraded Solr from 8.6.3 to 8.11.1 for Ranger
    - Excluded Apache Ivy from Hive and Janus Graph dependencies
    - Excluded Groovy from Hive tests

    Signed-off-by: Joe Witt
---
 nifi-dependency-check-maven/suppressions.xml       | 117 +
 .../nifi-graph-test-clients/pom.xml                |   4 +
 .../nifi-hive-bundle/nifi-hive-test-utils/pom.xml  |  20
 .../nifi-hive-bundle/nifi-hive3-processors/pom.xml |   4 +
 .../nifi-iceberg-processors/pom.xml                |   8 ++
 nifi-nar-bundles/nifi-ranger-bundle/pom.xml        |   6 ++
 .../nifi-registry-ranger/pom.xml                   |   6 ++
 pom.xml                                            |   3 +-
 8 files changed, 121 insertions(+), 47 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml index fd17ad5457..23b617c89a 100644 --- a/nifi-dependency-check-maven/suppressions.xml +++ b/nifi-dependency-check-maven/suppressions.xml @@ -44,11 +44,6 @@ ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$ CVE-2020-5408 - -Spark 2.13 used in nifi-spark-receiver is not impacted by Spark Server vulnerabilities -^pkg:maven/org\.apache\.spark/spark\-.+?_2\.13@.*$ -cpe:/a:apache:spark - Apache Hive vulnerabilities do not apply to Flume Hive Sink ^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$ 
@@ -84,36 +79,11 @@ ^pkg:maven/xerces/xercesImpl@.*$ CVE-2017-10355 - -CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica -^pkg:maven/org\.apache\.calcite\.avatica/avatica\-core@.*$ -CVE-2020-13955 - - -CVE-2020-13955 applies to Apache Calcite not Apache Calcite Avatica -^pkg:maven/org\.apache\.calcite\/calcite-avatica@.*$ -CVE-2020-13955 - CVE-2020-13955 applies to Apache Calcite not Apache Calcite Druid ^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$ CVE-2020-13955 - -CVE-2020-13955 applies to Apache Calcite Core not Apache Calcite Avatica subproject -^pkg:maven/org\.apache\.calcite\.avatica\/avatica(-metrics)?@.*$ -CVE-2020-13955 - - -OpenTSDB vulnerabilities do not apply to HBase Async library -^pkg:maven/org\.hbase/asynchbase@.*$ -cpe:/a:opentsdb:opentsdb - - -Eclipse Equinox vulnerabilities do not apply to DataNucleus core library -^pkg:maven/org\.datanucleus/datanucleus\-core@.*$ -cpe:/a:eclipse:equinox - CVE-2018-8025 applies to HBase Server not HBase Client ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ @@ -124,11 +94,6 @@ ^pkg:maven/org\.apache\.hbase/hbase\-client@.*$ CVE-2019-0212 - -CVE-2014-3643 applies to Jersey Server not Jersey Core -^pkg:maven/com\.sun\.jersey/jersey\-core@.*$ -CVE-2014-3643 - CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries ^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$ 
@@ -180,23 +145,83 @@ ^cpe:/a:elastic.*$ -CVE-2022-45046 description notes that the initial issue was not a security vulnerability -^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$ -CVE-2022-45046 +Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client-sniffer +^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$ +^cpe:/a:elastic.*$ -CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers -^pkg:maven/com\.vlkan/flatbuffers@.*$ -CVE-2020-36632 +CVE-2022-34271 applies to Atlas Server not the Atlas client library +^pkg:maven/org\.apache\.atlas/.*$ +CVE-2022-34271 -CVE-2018-8015 applies to Apache ORC not to Apache Iceberg -^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$ -CVE-2018-8015 +CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library +^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$ +CVE-2022-30187 -CVE-2022-39135 applies to Calcite not Calcite Avatica -^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$ +CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library +
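Review bot: The support/nifi-1.x copy carries the same suppression changes as the main-branch commit, with every hunk shifted by five lines (-44, -84, -124, -180 instead of -39, -79, -119, -175), so the 1.x suppressions.xml already differs from main near the top of the file. The entries removed here (Spark 2.13, the three Calcite Avatica patterns, asynchbase, datanucleus-core, jersey-core, camel-salesforce, flatbuffers, iceberg-orc) were presumably dropped because they are no longer needed on main; that does not automatically hold for the older dependency versions on this branch, so the 1.x Dependency Check report should be checked separately for these artifacts before the backport is merged, and the reason for each removed group should be noted in the commit message as for the main-branch commit.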