This is an automated email from the ASF dual-hosted git repository. brandonwilliams pushed a commit to branch cassandra-3.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/cassandra-3.0 by this push: new 493d15fffa Upgrade to OWASP 8.3.1 493d15fffa is described below commit 493d15fffa21e57fcaef7cfb2099cbaa3ab6bb47 Author: Brandon Williams <brandonwilli...@apache.org> AuthorDate: Thu Jul 6 15:50:26 2023 -0500 Upgrade to OWASP 8.3.1 Patch by brandonwilliams; reviewed by edimitrova for CASSANDRA-18650 --- .build/build-owasp.xml | 2 +- .build/dependency-check-suppressions.xml | 10 ++++++++++ CHANGES.txt | 1 + 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.build/build-owasp.xml b/.build/build-owasp.xml
index f3174999e8..a792730fb9 100644
--- a/.build/build-owasp.xml
+++ b/.build/build-owasp.xml
@@ -17,7 +17,7 @@
 ~ limitations under the License.
 -->
 <project basedir="." name="apache-cassandra-owasp-tasks">
-<property name="dependency-check.version" value="6.3.2"/>
+<property name="dependency-check.version" value="8.3.1"/>
 <property name="dependency-check.home" value="${build.dir}/dependency-check-ant-${dependency-check.version}"/>
 <condition property="is.dependency.check.jar">
diff --git a/.build/dependency-check-suppressions.xml b/.build/dependency-check-suppressions.xml
index 96500422d4..dead8f6120 100644
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@ -116,6 +116,14 @@
 <cve>CVE-2018-11798</cve>
 <cve>CVE-2019-0205</cve>
 </suppress>
+<suppress>
+<packageUrl regex="true">^pkg:maven/com\.thinkaurelius\.thrift/thrift-server@.*$</packageUrl>
+<cve>CVE-2015-3254</cve>
+<cve>CVE-2016-5397</cve>
+<cve>CVE-2018-1320</cve>
+<cve>CVE-2018-11798</cve>
+<cve>CVE-2019-0205</cve>
+</suppress>
 <!-- https://issues.apache.org/jira/browse/CASSANDRA-16056 -->
 <!-- https://issues.apache.org/jira/browse/CASSANDRA-15416 -->
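Review bot: The new `<suppress>` for `com.thinkaurelius.thrift/thrift-server` records no reason: it has no `<notes>` child and no `until` date, so the five Apache Thrift CVE ids are silenced permanently with nothing in the file saying why they do not apply to the artifact 3.0 ships. The block repeats the exact id list of the `<suppress>` whose tail is visible in the context lines just above it, which suggests the thrift-server package is being matched to the same CPE as that block's artifact; if so, state it, e.g. `<notes>[reason these CVEs do not apply to the shipped thrift-server artifact]</notes>` (placeholder text), and consider `<suppress until="[date]">` so the entry is re-examined at the next dependency-check bump. The neighbouring blocks in this file give their rationale as `<!-- https://issues.apache.org/jira/browse/CASSANDRA-… -->` comments, so a comment citing CASSANDRA-18650 above the new block would at least match the existing convention. The same gap applies to the two ids appended to the jackson-databind block in the following hunk.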
@@ -138,6 +146,8 @@
 <suppress>
 <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
 <cve>CVE-2023-35116</cve>
+<cve>CVE-2022-42003</cve>
+<cve>CVE-2022-42004</cve>
 </suppress>
 </suppressions>
diff --git a/CHANGES.txt b/CHANGES.txt
index cc2eea7a38..fbe5e0751b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.0.30
+ * Upgrade OWASP to 8.3.1 (CASSANDRA-18650)
  * Suppress CVE-2023-34462 (CASSANDRA-18649)
  * Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
  * Suppress CVE-2023-35116 (CASSANDRA-18630)
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
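Review bot: The seven CVE ids this commit suppresses (the two jackson-databind ids here and the five thrift-server ids in the previous hunk) are not recorded anywhere outside the suppression file: the CHANGES.txt hunk further down adds only `* Upgrade OWASP to 8.3.1 (CASSANDRA-18650)`, while the surrounding entries show the project's convention of listing each suppression explicitly (`* Suppress CVE-2023-35116 (CASSANDRA-18630)`). A reader of the changelog therefore sees a tooling upgrade, not a change in which findings the build accepts. Either list the new suppressions in CHANGES.txt the same way, or say in the commit message that the version bump surfaced them and why they were judged not applicable. The `<suppress>` block edited here starts inside the hunk but the file's earlier suppressions are outside it.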