This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit 68a885d3906014e6b75c07273c42e6a350cf5886
Author: exceptionfactory <exceptionfact...@apache.org>
AuthorDate: Mon May 6 11:23:01 2024 -0500

    NIFI-13148 Excluded unused xmlunit dependency from nifi-registry-test
    This closes #8750.
    
    - Updated OWASP Dependency Check Suppression configuration to remove 
non-applicable suppressions
    
    Signed-off-by: Joseph Witt <joew...@apache.org>
---
 nifi-dependency-check-maven/suppressions.xml       | 46 ++++------------------
 .../nifi-registry-core/nifi-registry-test/pom.xml  |  5 +++
 2 files changed, 13 insertions(+), 38 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index 16f768e997..e7c879a351 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -24,11 +24,6 @@
         <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
         <cve>CVE-2017-10355</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2020-13955 applies to Apache Calcite not Apache Calcite 
Druid</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl>
-        <cve>CVE-2020-13955</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client 
libraries</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
@@ -104,11 +99,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
         <cve>CVE-2023-25194</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
-        <cve>CVE-2022-24823</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not 
applicable to Apache Kudu clients</notes>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
@@ -189,11 +179,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
         <cve>CVE-2019-3559</cve>
     </suppress>
-    <suppress>
-        <notes>The jetty-servlet-api is versioned according to the Java 
Servlet API version not the Jetty version</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
-        <cpe>cpe:/a:eclipse:jetty</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for 
Java</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
@@ -219,11 +204,6 @@
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
         <cpe>cpe:/a:apache:parquet-mr</cpe>
     </suppress>
-    <suppress>
-        <notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop 
Bundle library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
-        <cpe>cpe:/a:apache:hadoop</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in 
the project</notes>
         <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
@@ -284,29 +264,19 @@
         <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
         <cve>CVE-2023-36052</cve>
     </suppress>
-    <suppress>
-        <notes>software.amazon.ion:ion-java is newer than 
com.amazonaws.ion:ion-java and does not share the same vulnerabilities</notes>
-        <packageUrl 
regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
-        <cpe>cpe:/a:amazon:ion</cpe>
-    </suppress>
-    <suppress>
-        <notes>CVE-2017-20189 applies to the Clojure library not the spec 
files which have a different version number</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.clojure/spec\.alpha@.*$</packageUrl>
-        <cve>CVE-2017-20189</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2017-20189 applies to the Clojure library not the spec 
files which have a different version number</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.clojure/core\.specs\.alpha@.*$</packageUrl>
-        <cve>CVE-2017-20189</cve>
-    </suppress>
     <suppress>
         <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf 
library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
     <suppress>
-        <notes>CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty 
client usage in Solr</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$</packageUrl>
-        <vulnerabilityName>CVE-2024-22201</vulnerabilityName>
+        <notes>CVE-2024-23081 applies to threetenbp 1.6.8 and earlier not 
1.6.9</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-23082 applies to threetenbp 1.6.8 and earlier not 
1.6.9</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
     </suppress>
 </suppressions>
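Review bot: The two new threetenbp suppressions match every version of the artifact (`^pkg:maven/org\.threeten/threetenbp@.*$`) even though their notes say CVE-2024-23081 and CVE-2024-23082 apply to 1.6.8 and earlier, so a later transitive downgrade to an affected release would be silently suppressed. Pin the version in the packageUrl, e.g. `^pkg:maven/org\.threeten/threetenbp@1\.6\.9$`, or add an `until` date on each `<suppress>` so the finding is re-evaluated rather than hidden indefinitely. The other CVE-keyed entries in this file use `<cve>` while these use `<vulnerabilityName>`; if that is deliberate because the finding is reported by a non-NVD source, a short sentence in the notes saying so would save the next maintainer from "fixing" it.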
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml 
b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
index ccde7a580c..b22bf5daac 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
@@ -31,6 +31,11 @@
                     <groupId>org.springframework.boot</groupId>
                     <artifactId>spring-boot-starter-logging</artifactId>
                 </exclusion>
+                <!-- XML Unit is not used -->
+                <exclusion>
+                    <groupId>org.xmlunit</groupId>
+                    <artifactId>xmlunit-core</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
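Review bot: The new exclusion is scoped to the single dependency whose `<dependency>` header starts above this hunk, so xmlunit-core will still reach the classpath if any other dependency of this module pulls it in transitively; worth confirming with `mvn dependency:tree -Dincludes=org.xmlunit` before treating the underlying finding as closed. The comment `<!-- XML Unit is not used -->` could also record why the exclusion exists so it is not reverted as noise, e.g. `<!-- xmlunit-core is not used by these tests; excluded so it does not surface in dependency-check (NIFI-13148) -->`, assuming the dependency-check report was the motivation as the commit message suggests.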
