Suppress CVEs#14291
Merged
abhishekagarwal87 merged 14 commits intoapache:masterfrom Jul 10, 2023
Merged
Conversation
tejaswini-imply
force-pushed
the
fix-flagged-cve-issues
branch
from
254d30e to
c01c240
Compare
Contributor
There was a problem hiding this comment.
we need better reasoning here. Yes, they are shaded but it could still be a problem though?
Member
Author
There was a problem hiding this comment.
I have gone through the Hadoop repository and found no instance of usage of com.google.common.io.FileBackedOutputStream which is responsible for CVE-2023-2976. I'll update the description.
tejaswini-imply
force-pushed
the
fix-flagged-cve-issues
branch
from
1254502 to
47cc31f
Compare
| https://github.com/FasterXML/jackson-databind/issues/3328 | ||
| --> | ||
| <cve>CVE-2021-46877</cve> | ||
| <!-- according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 --> |
Contributor
There was a problem hiding this comment.
Suggested change
| <!-- according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 --> | |
| <!-- According to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 --> |
Comment on lines
+858
to
+860
| <!-- | ||
| ~ TODO: Update guava to any version after 29.0 | ||
| --> |
Contributor
There was a problem hiding this comment.
let's remove this.
Member
Author
|
Thanks for the review @abhishekagarwal87. I have addressed your comments in the latest commit. |
abhishekagarwal87
approved these changes
Jul 10, 2023
abhishekagarwal87
pushed a commit
that referenced
this pull request
Jul 11, 2023
Address various CVEs by upgrading dependencies or adding suppression with a justification
sergioferragut
pushed a commit
to sergioferragut/druid
that referenced
this pull request
Jul 21, 2023
Address various CVEs by upgrading dependencies or adding suppression with a justification
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security vulnerabilities check Cron job failure - https://github.com/apache/druid/actions/runs/4976066408/jobs/8903803838
plexus-utils-3.0.24.jar, async-http-client-netty-utils-2.5.3.jarare falsely flagged - [FP]: Dependencies with "utils" in name are matched (CVE-2021-4277) jeremylong/DependencyCheck#5213guava-16.0.1.jar, has to be upgraded to or above32.0.1-jreversionhibernate-validator-5.3.6.Final.jar(unaffected as not exposed to user directly)netty-3.10.6.Final.jar(not applicable to Netty client)