Skip to content

[cleanup][owasp] Supress false positive netty-tcnative #17282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
eolivelli merged 2 commits into from
Aug 29, 2022
Merged

[cleanup][owasp] Supress false positive netty-tcnative #17282

eolivelli merged 2 commits into from
Aug 29, 2022

Conversation

@nicoloboschi
Copy link
Contributor

@nicoloboschi nicoloboschi commented Aug 25, 2022

Motivation

Owasp check fails with

One or more dependencies were identified with known vulnerabilities in Pulsar :: Distribution :: Server:

netty-tcnative-boringssl-static-2.0.52.Final-osx-x86_64.jar (pkg:maven/io.netty/netty-tcnative-boringssl-static@2.0.52.Final, cpe:2.3:a:chromium_project:chromium:2.0.52:*:*:*:*:*:*:*) : CVE-2011-1797

It's clearly a false positive jeremylong/DependencyCheck#4776

Modifications

  • Suppress the violation
  • doc-not-needed

@nicoloboschi nicoloboschi force-pushed the owasp-suppress-netty-tc branch from b267e7c to 80faa02 Compare August 25, 2022 11:05
@nicoloboschi nicoloboschi mentioned this pull request Aug 25, 2022
Merged
1 task
tisonkun
tisonkun approved these changes Aug 25, 2022
View reviewed changes
Copy link
Member

@tisonkun tisonkun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

It seems this FP has been resolved on upstream jeremylong/DependencyCheck#4154 but it suffers a regression.

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Aug 25, 2022
tisonkun
tisonkun reviewed Aug 26, 2022
View reviewed changes
@tisonkun
Copy link
Member

tisonkun commented Aug 29, 2022

cc @codelipenghui @eolivelli we can merge this patch and unblock other patches touching dependencies.

eolivelli
eolivelli approved these changes Aug 29, 2022
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@eolivelli eolivelli merged commit 409bb12 into apache:master Aug 29, 2022
@Technoboy- Technoboy- added this to the 2.11.0 milestone Aug 29, 2022
Technoboy- pushed a commit that referenced this pull request Aug 29, 2022
@nicoloboschi @Technoboy-
[cleanup][owasp] Supress false positive netty-tcnative (#17282)
fa0bfc3
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Aug 30, 2022
@nicoloboschi
[cleanup][owasp] Supress false positive netty-tcnative (apache#17282)
71f27c4 
(cherry picked from commit 409bb12)
Jason918 pushed a commit that referenced this pull request Sep 20, 2022
@nicoloboschi @Jason918
[cleanup][owasp] Supress false positive netty-tcnative (#17282)
d2793e4 
(cherry picked from commit 409bb12)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tisonkun tisonkun tisonkun approved these changes

@eolivelli eolivelli eolivelli approved these changes

Assignees

No one assigned

Labels

area/ci cherry-picked/branch-2.10 cherry-picked/branch-2.11 doc-not-needed Your PR changes do not impact docs release/2.10.2

Projects

None yet

Milestone

2.11.0

Development

Successfully merging this pull request may close these issues.

5 participants

@nicoloboschi @tisonkun @eolivelli @Jason918 @Technoboy-