
Updating dependencies (guava and what brought in older guava) to get rid of the guava-related CVE-2018-10237 and CVE-2020-8908 #13716

Merged
merged 11 commits into from
Jan 21, 2022
specified sha1 for suppressions intead of the regexes
dlg99 committed Jan 19, 2022
commit ed4dde9aa3a041ae7f593503ac0d386df0033b00
250 changes: 125 additions & 125 deletions src/owasp-dependency-check-suppressions.xml
Expand Up @@ -20,183 +20,183 @@

-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- add supressions for known vulnerabilities detected by OWASP Dependency Check -->
<suppress>
<notes>Ignore netty CVEs in GRPC shaded Netty.</notes>
<filePath regex="true">.*grpc-netty-shaded.*</filePath>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress>
<notes>Suppress all pulsar-presto-distribution vulnerabilities</notes>
<filePath regex="true">.*pulsar-presto-distribution-.*</filePath>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes>Suppress libthrift-0.12.0.jar vulnerabilities</notes>
<gav>org.apache.thrift:libthrift:0.12.0</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes>Suppress Zookeeper 3.6.2 vulnerabilities</notes>
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<!-- add supressions for known vulnerabilities detected by OWASP Dependency Check -->
<suppress>
<notes>Ignore netty CVEs in GRPC shaded Netty.</notes>
<filePath regex="true">.*grpc-netty-shaded.*</filePath>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
<suppress>
<notes>Suppress all pulsar-presto-distribution vulnerabilities</notes>
<filePath regex="true">.*pulsar-presto-distribution-.*</filePath>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes>Suppress libthrift-0.12.0.jar vulnerabilities</notes>
<gav>org.apache.thrift:libthrift:0.12.0</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes>Suppress Zookeeper 3.6.2 vulnerabilities</notes>
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>

<!-- see https://github.com/alibaba/canal/issues/4010 -->
<!-- see https://github.com/alibaba/canal/issues/4010 -->
<suppress>
<notes><![CDATA[
file name: canal.client-1.1.5.jar (shaded: com.google.guava:guava:22.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@22.0$</packageUrl>
<sha1>b87878db57d5cfc2ca7d3972cc8f7486bf02fbca</sha1>
<cve>CVE-2018-10237</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: canal.client-1.1.5.jar (shaded: com.google.guava:guava:22.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@22.0$</packageUrl>
<sha1>b87878db57d5cfc2ca7d3972cc8f7486bf02fbca</sha1>
<cve>CVE-2020-8908</cve>
</suppress>

<!-- clickhouse: security scan matches client lib to the server CVEs -->
<suppress>
<notes><![CDATA[
<!-- clickhouse: security scan matches client lib to the server CVEs -->
<suppress>
<notes><![CDATA[
file name: avro-1.10.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
<cve>CVE-2021-43045</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>a65aaa91c1aeceb3dd4859dbb9765d1c2063f5a2</sha1>
<cve>CVE-2021-43045</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14668</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2018-14668</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14669</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2018-14669</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14670</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2018-14670</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14671</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2018-14671</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14672</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2018-14672</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-15024</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2019-15024</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-16535</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2019-16535</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-18657</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2019-18657</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2021-25263</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
<cve>CVE-2021-25263</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-core-1.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>e3c02049f2dbbc764681b40094ecf0dcbc99b157</sha1>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: rocketmq-acl-4.5.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.rocketmq/rocketmq\-acl@.*$</packageUrl>
<cpe>cpe:/a:apache:rocketmq</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
<cpe>cpe:/a:apache:rocketmq</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-3.2.18.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-3.2.18.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
<cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-3.2.18.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
<cpe>cpe:/a:vmware:spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-3.2.18.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd</sha1>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-classic-1.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
<cpe>cpe:/a:qos:logback</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-core-1.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
<vulnerabilityName>CVE-2017-5929</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>e3c02049f2dbbc764681b40094ecf0dcbc99b157</sha1>
<vulnerabilityName>CVE-2017-5929</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-classic-1.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
<cve>CVE-2017-5929</cve>
</suppress>
<suppress>
<notes><![CDATA[
<sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
<cve>CVE-2017-5929</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: logback-classic-1.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
<cve>CVE-2021-42550</cve>
</suppress>
<sha1>d90276fff414f06cb375f2057f6778cd63c6082f</sha1>
<cve>CVE-2021-42550</cve>
</suppress>
</suppressions>
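Review bot: The sha1 `0e2bd9c162280cd79c2ea0f67f174ee5d7b84ddd` is used both for the rocketmq-acl-4.5.2.jar entry and for all four spring-core-3.2.18.RELEASE.jar entries, and two distinct jars cannot share a hash, so unless the Spring CPE matches were in fact reported against rocketmq-acl-4.5.2.jar (which the notes do not say), one of these groups is keyed on the wrong file and will either fail to suppress anything or suppress findings on the wrong artifact; re-run the scan and copy the sha1 from the generated suppression for each file name before merging. Pinning by sha1 instead of the previous `@.*$` package-URL regexes is the right direction, because a version bump now invalidates the suppression rather than silently carrying it forward to a possibly affected release. The notes still record only the file name; each entry should also state why the finding does not apply, e.g. `<notes>clickhouse-jdbc-0.3.2.jar: CVE is in the ClickHouse server, the JDBC client is not affected</notes>`, so the next reviewer does not have to rediscover the reasoning. Consider also the suppression schema's `until="YYYY-MM-DD"` attribute on the sha1-pinned entries so they expire and get re-reviewed instead of remaining permanent.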