This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new bda1bd326d NIFI-11114 Thise closes #6906. Upgraded OWASP Dependency Check from 7.4.4 to 8.0.2 bda1bd326d is described below commit bda1bd326d3b4b097bdbb9bb70f9c01479ff7759 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Mon Jan 30 13:40:09 2023 -0600 NIFI-11114 Thise closes #6906. Upgraded OWASP Dependency Check from 7.4.4 to 8.0.2 - Added jetty-jmx to managed dependencies to maintain aligned versions Signed-off-by: Joe Witt <joew...@apache.org> --- nifi-dependency-check-maven/suppressions.xml | 21 ++++++++++++++++++--- pom.xml | 7 ++++++- 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index ee73d03bb0..fd17ad5457 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -180,8 +180,23 @@
 <cpe regex="true">^cpe:/a:elastic.*$</cpe>
 </suppress>
 <suppress>
- <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
- <cpe>cpe:/a:apache:apache_http_server</cpe>
+ <notes>CVE-2022-45046 description notes that the initial issue was not a security vulnerability</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
+ <cve>CVE-2022-45046</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers</notes>
+ <packageUrl regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
+ <cve>CVE-2020-36632</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2018-8015 applies to Apache ORC not to Apache Iceberg</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
+ <cve>CVE-2018-8015</cve>
+ </suppress>
+ <suppress>
+ <notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
+ <cve>CVE-2022-39135</cve>
 </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index 44ae66f326..6115b3be61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -512,6 +512,11 @@
 <artifactId>jetty-util-ajax</artifactId>
 <version>${jetty.version}</version>
 </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-jmx</artifactId>
+ <version>${jetty.version}</version>
+ </dependency>
 <dependency>
 <groupId>org.eclipse.jetty.http2</groupId>
 <artifactId>http2-client</artifactId>
@@ -1190,7 +1195,7 @@
 <plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
+ <version>8.0.2</version>
 <executions>
 <execution>
 <inherited>false</inherited>
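Review bot: Each of the four new `<suppress>` entries in the suppressions.xml hunk is an open-ended false-positive suppression keyed on a single CVE, so nothing will prompt a re-check if the advisory is later revised to cover the suppressed artifact; the suppression schema's `until` attribute exists for exactly this, e.g. `<suppress until="YYYY-MM-DDZ">` (placeholder date) so the entry expires and is re-evaluated. The `<notes>` state the justification but not its source; naming where the "applies to a different component" conclusion came from (the NVD description or the upstream issue) would let a later reviewer verify it instead of re-deriving it. Minor style point on the Avatica entry: the `packageUrl` regex `.*?@.*$` uses a lazy quantifier that changes nothing for a match/no-match check, so `^pkg:maven/org\.apache\.calcite\.avatica/.*@.*$` reads more plainly and matches the style of the other three entries.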
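Review bot: The new managed `jetty-jmx` entry in the pom.xml @@ -512 hunk has no comment saying why it is managed when nothing visible here depends on it directly, so a later cleanup of seemingly unused managed entries could drop it and quietly reintroduce the version drift the commit message says it fixes. Presumably jetty-jmx is pulled in transitively and the upgraded scanner reported it at a version other than `${jetty.version}`; a one-line comment above the `<dependency>` would record that, e.g. `<!-- Managed only to keep transitive jetty-jmx aligned with jetty.version (NIFI-11114) -->`. The enclosing dependency list starts and ends outside the hunk.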