
Suppressing false positive CVE-2020-7791 #11215

Merged
maytasm merged 2 commits into apache:master from maytasm:supress_cve_2020_7791
May 6, 2021

Conversation

maytasm (Contributor) commented May 6, 2021

Suppressing false positive CVE-2020-7791

Description

CVE-2020-7791 (https://snyk.io/vuln/SNYK-DOTNET-I18N-1050179) refers to https://github.com/turquoiseowl/i18n, where the issue is indicated to be in some .cs file (which is C#). Apache Druid has a dependency on hadoop-auth, which has a dependency on apacheds-kerberos-codec, which in turn has a dependency on apacheds-i18n. The apacheds-i18n used here is https://github.com/apache/directory-server/tree/master/i18n (Java) and is different from the one in CVE-2020-7791.

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

<cve>CVE-2019-17195</cve>
</suppress>
<suppress>
<notes><![CDATA[
Contributor:

Can you add a comment that this is a false positive?

Contributor Author:

Done
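The suppression this PR adds, illustrated by an added example that is not the Druid project's own suppressions file or code. The script below parses a constructed dependency-check suppression XML (using the schema namespace the dependency-check documentation publishes) against a constructed inventory of Package URLs and reports which findings each entry would hide. It shows the two properties a reviewer wants from such an entry: the reason the CVE is a false positive is recorded in `<notes>`, as requested above, and the entry is scoped with `<packageUrl>` so that a C#-only CVE is hidden for apacheds-i18n and for nothing else. A second, hypothetical unscoped entry (invented CVE id) is included for contrast. The full-match regex semantics, the version strings in the inventory, and the list of scoping elements checked (packageUrl, sha1, filePath, gav) are assumptions, not taken from the page.

```python
"""Check how OWASP dependency-check suppression entries are scoped.

Added example, not the Druid project's own suppressions file. The XML below is
a constructed sample in the dependency-check suppression format; the inventory
of Package URLs is constructed too.
"""
import re
import xml.etree.ElementTree as ET

# Schema namespace as published in the dependency-check documentation.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample. Entry 1 is scoped to apacheds-i18n via its Package URL and
# carries the "why" in <notes>. Entry 2 (hypothetical CVE id) has no scope at all,
# which is the over-broad shape the check below flags.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    False positive: CVE-2020-7791 is in turquoiseowl/i18n (C#). This artifact is
    org.apache.directory.server:apacheds-i18n (Java), pulled in through
    hadoop-auth -> apacheds-kerberos-codec -> apacheds-i18n.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
    <cve>CVE-2020-7791</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[ hypothetical unscoped entry, for contrast ]]></notes>
    <cve>CVE-2000-0001</cve>
  </suppress>
</suppressions>
"""

# Constructed inventory of Package URLs, as a scan of the dependency tree would list them.
INVENTORY = [
    "pkg:maven/org.apache.directory.server/apacheds-i18n@2.0.0-M15",
    "pkg:maven/org.apache.directory.server/apacheds-kerberos-codec@2.0.0-M15",
    "pkg:nuget/i18n@2.1.14",  # hypothetical purl for the C# package the CVE is about
]

# Elements that narrow a <suppress> to particular artifacts (assumption: this list
# covers the ones in common use, not every element the schema allows).
SCOPE_TAGS = ("s:packageUrl", "s:sha1", "s:filePath", "s:gav")


def load_suppressions(xml_text):
    """Parse the suppression file into plain dicts, one per <suppress>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for sup in root.findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)
        entries.append({
            "notes": sup.findtext("s:notes", default="", namespaces=NS).strip(),
            "cves": [c.text.strip() for c in sup.findall("s:cve", NS)],
            "purl_pattern": None if purl is None else purl.text.strip(),
            "purl_is_regex": purl is not None and purl.get("regex", "false").lower() == "true",
            "scoped": any(sup.find(tag, NS) is not None for tag in SCOPE_TAGS),
        })
    return entries


def purl_matches(entry, purl):
    """Does this entry's packageUrl (if any) select the given purl?

    Assumption: a regex packageUrl must match the whole purl, which is also what
    the ^...$ anchors in the sample express. An entry with no packageUrl matches
    everything, which is exactly why unscoped entries are dangerous.
    """
    pattern = entry["purl_pattern"]
    if pattern is None:
        return True
    if entry["purl_is_regex"]:
        return re.fullmatch(pattern, purl) is not None
    return pattern == purl


def suppressed_findings(entries, inventory):
    """Return the set of (purl, cve) findings the file would hide for this inventory."""
    hidden = set()
    for entry in entries:
        for purl in inventory:
            if purl_matches(entry, purl):
                for cve in entry["cves"]:
                    hidden.add((purl, cve))
    return hidden


def overbroad_entries(entries):
    """Entries with no scope hide their CVEs for every dependency in the build."""
    return [e for e in entries if not e["scoped"]]


def unexplained_entries(entries):
    """Entries whose <notes> is empty: a reviewer cannot tell why they exist."""
    return [e for e in entries if not e["notes"]]


if __name__ == "__main__":
    entries = load_suppressions(SUPPRESSIONS_XML)
    for purl, cve in sorted(suppressed_findings(entries, INVENTORY)):
        print(f"hidden: {cve} on {purl}")
    for e in overbroad_entries(entries):
        print(f"over-broad (no scope): {', '.join(e['cves'])}")
    for e in unexplained_entries(entries):
        print(f"no notes: {', '.join(e['cves'])}")
```

Run against the sample, the scoped entry hides CVE-2020-7791 only for the apacheds-i18n artifact, while the unscoped entry hides its CVE for every purl in the inventory and is reported as over-broad. Pointing the loader at a real suppressions file and a real purl list from a scan turns this into a quick review step for pull requests like this one.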

clintropolis added this to the 0.21.1 milestone May 6, 2021
maytasm merged commit 351059c into apache:master May 6, 2021
maytasm deleted the supress_cve_2020_7791 branch May 6, 2021 22:24
clintropolis pushed a commit to clintropolis/druid that referenced this pull request May 6, 2021
* suppressing false positive CVE-2020-7791

* add comments
clintropolis added a commit that referenced this pull request May 7, 2021
* suppressing false positive CVE-2020-7791

* add comments

Co-authored-by: Maytas Monsereenusorn <maytasm@apache.org>