| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| ~ Licensed to the Apache Software Foundation (ASF) under one |
| ~ or more contributor license agreements. See the NOTICE file |
| ~ distributed with this work for additional information |
| ~ regarding copyright ownership. The ASF licenses this file |
| ~ to you under the Apache License, Version 2.0 (the |
| ~ "License"); you may not use this file except in compliance |
| ~ with the License. You may obtain a copy of the License at |
| ~ |
| ~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~ |
| ~ Unless required by applicable law or agreed to in writing, |
| ~ software distributed under the License is distributed on an |
| ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~ KIND, either express or implied. See the License for the |
| ~ specific language governing permissions and limitations |
| ~ under the License. |
| --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
| <suppress> |
| <!-- druid-indexing-hadoop.jar is mistaken for hadoop --> |
| <notes><![CDATA[ |
| file name: org.apache.druid:druid-indexing-hadoop |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl> |
| <cve>CVE-2012-4449</cve> |
| <cve>CVE-2017-3162</cve> |
| <cve>CVE-2018-8009</cve> |
| <cve>CVE-2022-26612</cve> |
| </suppress> |
| <suppress> |
| <!-- druid-processing.jar is mistaken for org.processing:processing --> |
| <notes><![CDATA[ |
| file name: org.apache.druid:druid-processing |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl> |
| <cve>CVE-2018-1000840</cve> |
| </suppress> |
| <suppress> |
| <!-- These CVEs are for the python SDK, but Druid uses the Java SDK --> |
| <notes><![CDATA[ |
| file name: openstack-swift |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl> |
| <cve>CVE-2013-7109</cve> |
| <cve>CVE-2016-0737</cve> |
| <cve>CVE-2016-0738</cve> |
| <cve>CVE-2017-16613</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: openstack-keystone-1.9.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl> |
| <!-- These CVEs are for the python SDK, but Druid uses the Java SDK --> |
| <cve>CVE-2015-7546</cve> |
| <cve>CVE-2020-12689</cve> |
| <cve>CVE-2020-12690</cve> |
| <cve>CVE-2020-12691</cve> |
| |
| <!-- This CVE affects the server --> |
| <cve>CVE-2021-3563</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ CVE-2021-27568: |
| ~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid |
| ~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion |
| ~ jobs which can only be run by admin type users. |
| |
| ~ CVE-2022-45688: |
| ~ We do not use XML, so not impact that by this CVE |
| --> |
| <notes><![CDATA[ |
| file name: json-smart-2.3.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl> |
| <cve>CVE-2021-27568</cve> |
| <cve>CVE-2021-31684</cve> |
| <cve>CVE-2022-45688</cve> |
| <cve>CVE-2023-1370</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: json-path-2.3.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/net\.minidev/json\-path@.*$</packageUrl> |
| <cve>CVE-2022-45688</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- |
| accessors-smart-1.2 is a dependency of json-smart-2.3. |
| owasp seems to flag this too against CVE-2021-27568 for some reason. |
| This can be fixed only when json-smart is upgraded. |
| --> |
| <notes><![CDATA[ |
| file name: accessors-smart-1.2.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl> |
| <cve>CVE-2021-27568</cve> |
| <cve>CVE-2022-45688</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| the suppressions here aren't currently applicable, but can be resolved once we update the version |
| --> |
| <notes><![CDATA[ |
| file name: jackson-databind-2.10.5.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl> |
| <!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42003 |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42004 |
| --> |
| <cve>CVE-2022-42003</cve> |
| <cve>CVE-2022-42004</cve> |
| <!-- CVE-2021-46877 only applies to jdk serialization which we do not use |
| https://nvd.nist.gov/vuln/detail/CVE-2021-46877 |
| https://github.com/FasterXML/jackson-databind/issues/3328 |
| --> |
| <cve>CVE-2021-46877</cve> |
| </suppress> |
| |
| |
| <suppress> |
| <!-- Not much for us to do as a user of the client lib, and no patch is available, |
| see https://github.com/kubernetes/kubernetes/issues/97076 --> |
| <notes><![CDATA[ |
| file name: client-java-10.0.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl> |
| <cve>CVE-2020-8554</cve> |
| </suppress> |
| |
| <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. --> |
| <suppress> |
| <!-- |
| ~ TODO: Fix by updating hibernate-validator. |
| |
| ~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath: |
| ~ https://developer.jboss.org/wiki/HibernateValidatorMigrationGuide#jive_content_id_531Final |
| ~ |
| ~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail: |
| ~ |
| ~ Error: com.google.inject.CreationException: Unable to create injector, see the following errors: |
| ~ |
| ~ 1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead |
| ~ at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138) |
| ~ |
| ~ 2) No implementation for javax.validation.Validator was bound. |
| ~ at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39) |
| ~ |
| ~ 2 errors |
| ~ at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470) |
| ~ at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155) |
| ~ at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107) |
| ~ at com.google.inject.Guice.createInjector(Guice.java:99) |
| ~ at com.google.inject.Guice.createInjector(Guice.java:73) |
| ~ at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(GuiceInjectors.java:56) |
| ~ at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(HadoopDruidIndexerConfig.java:102) |
| ~ at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(HadoopDruidIndexerMapper.java:53) |
| ~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(DetermineHashedPartitionsJob.java:279) |
| ~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.run(DetermineHashedPartitionsJob.java:334) |
| ~ at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:787) |
| ~ at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341) |
| ~ at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:175) |
| ~ at java.security.AccessController.doPrivileged(Native Method) |
| ~ at javax.security.auth.Subject.doAs(Subject.java:422) |
| ~ at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844) |
| ~ at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:169) |
| ~ Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead |
| ~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:102) |
| ~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(ResourceBundleMessageInterpolator.java:45) |
| ~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(ConfigurationImpl.java:423) |
| ~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(ConfigurationImpl.java:575) |
| ~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(ConfigurationImpl.java:364) |
| ~ at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(ValidatorFactoryImpl.java:148) |
| ~ at org.hibernate.validator.HibernateValidator.buildValidatorFactory(HibernateValidator.java:38) |
| ~ at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(ConfigurationImpl.java:331) |
| ~ at javax.validation.Validation.buildDefaultValidatorFactory(Validation.java:110) |
| ~ at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39) |
| ~ at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340) |
| ~ at com.google.inject.spi.Elements.getElements(Elements.java:110) |
| ~ at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138) |
| ~ at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104) |
| ~ ... 14 more |
| ~ Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory; |
| ~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:98) |
| ~ ... 27 more |
| --> |
| <notes><![CDATA[ |
| file name: hibernate-validator-5.2.5.Final.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl> |
| <cve>CVE-2017-7536</cve> |
| <cve>CVE-2020-25638</cve> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop --> |
| <notes><![CDATA[ |
| file name: jackson-mapper-asl-1.9.13.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 ince it is via curator-x-discovery --> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 --> |
| <notes><![CDATA[ |
| file name: netty-3.10.6.Final.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl> |
| <cve>CVE-2019-16869</cve> |
| <cve>CVE-2019-20444</cve> |
| <cve>CVE-2019-20445</cve> |
| <cve>CVE-2020-11612</cve> |
| <cve>CVE-2021-37136</cve> |
| <cve>CVE-2021-37137</cve> |
| <cve>CVE-2022-41881</cve> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by upgrading hadoop-auth version --> |
| <notes><![CDATA[ |
| file name: nimbus-jose-jwt-4.41.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@4.41.1$</packageUrl> |
| <cve>CVE-2019-17195</cve> |
| </suppress> |
| <suppress> |
| <!-- This CVE is a false positive. The CVE is not for apacheds-i18n --> |
| <notes><![CDATA[ |
| file name: apacheds-i18n-2.0.0-M15.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl> |
| <cve>CVE-2020-7791</cve> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: libthrift-0.6.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl> |
| <cve>CVE-2016-5397</cve> |
| <cve>CVE-2018-1320</cve> |
| <cve>CVE-2019-0205</cve> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: jettison-1.*.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl> |
| <cve>CVE-2022-40149</cve> |
| <cve>CVE-2022-40150</cve> |
| <cve>CVE-2022-45685</cve> |
| <cve>CVE-2022-45693</cve> |
| <cve>CVE-2023-1436</cve> |
| </suppress> |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: snakeyaml-1.6.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl> |
| <cve>CVE-2017-18640</cve> |
| <cve>CVE-2022-25857</cve> |
| <cve>CVE-2023-2251</cve> |
| <cve>CVE-2022-3064</cve> |
| </suppress> |
| <suppress> |
| <!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases --> |
| <notes><![CDATA[ |
| file name: snakeyaml-1.27.jar |
| ]]></notes> |
| <cve>CVE-2022-25857</cve> |
| <cve>CVE-2022-1471</cve> |
| <!-- false positive --> |
| <cve>CVE-2023-2251</cve> |
| <cve>CVE-2022-3064</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 --> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 --> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change |
| ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well. |
| --> |
| <notes><![CDATA[ |
| file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.4.0$</packageUrl> |
| <cve>CVE-2018-14721</cve> <!-- cvss of 10.0 --> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-databind:2.4.0 since it is via htrace-core4 --> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions. |
| --> |
| <notes><![CDATA[ |
| file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies --> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: node-sass:4.13.1 |
| |
| The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455 |
| |
| But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on |
| Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl> |
| <vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| Druid is not a native app, so the vulnerability flagged is a false positive. |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.google\.oauth-client/google\-oauth\-client@.*$</packageUrl> |
| <cve>CVE-2020-7692</cve> |
| <cve>CVE-2021-22573</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ TODO: Fix when Apache Ranger 2.1 is released |
| --> |
| <notes><![CDATA[ |
| file name: kafka_2.11-2.0.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka_2.11@2.0.0$</packageUrl> |
| <cve>CVE-2019-12399</cve> |
| <cve>CVE-2018-17196</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ TODO: Fix when Apache Ranger 2.1 is released |
| - transitive dep from apache-ranger, upgrading to 2.1.0 adds other CVEs, staying at ranger 2.0.0 for now |
| --> |
| <notes><![CDATA[ |
| file name: kafka-clients-2.0.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl> |
| <cve>CVE-2019-12399</cve> |
| <cve>CVE-2018-17196</cve> |
| <cve>CVE-2023-25194</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: kafka-clients-3.2.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl> |
| <cve>CVE-2022-34917</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| ~ ambari-metrics-emitter, druid-ranger-security |
| --> |
| <notes><![CDATA[ |
| file name: log4j-1.2.17.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl> |
| <cve>CVE-2019-17571</cve> |
| <cve>CVE-2021-4104</cve> |
| <cve>CVE-2020-9493</cve> |
| <cve>CVE-2022-23307</cve> |
| <cve>CVE-2022-23305</cve> |
| <cve>CVE-2022-23302</cve> |
| <cve>CVE-2023-26464</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: log4j-core-2.17.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1$</packageUrl> |
| <cve>CVE-2022-33915</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018. |
| --> |
| <notes><![CDATA[ |
| file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl> |
| <cve>CVE-2019-16869</cve> |
| <cve>CVE-2019-20444</cve> |
| <cve>CVE-2019-20445</cve> |
| <cve>CVE-2021-37136</cve> |
| <cve>CVE-2021-37137</cve> |
| <cve>CVE-2021-4104</cve> |
| <cve>CVE-2020-9493</cve> |
| <cve>CVE-2022-23307</cve> |
| <cve>CVE-2022-23305</cve> |
| <cve>CVE-2022-23302</cve> |
| <cve>CVE-2022-41881</cve> |
| <cve>CVE-2020-11612</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018. |
| --> |
| <notes><![CDATA[ |
| file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl> |
| <cve>CVE-2015-1776</cve> |
| <cve>CVE-2016-3086</cve> |
| <cve>CVE-2016-5393</cve> |
| <cve>CVE-2016-6811</cve> |
| <cve>CVE-2017-3162</cve> |
| <cve>CVE-2018-11768</cve> |
| <cve>CVE-2018-1296</cve> |
| <cve>CVE-2018-8009</cve> |
| <cve>CVE-2018-8029</cve> |
| </suppress> |
| <suppress> |
| <!-- Suppress cves that aren't applicable to hadoop client --> |
| <notes><![CDATA[ |
| file name: hadoop-*-2.8.5.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl> |
| <cve>CVE-2018-11765</cve> |
| <cve>CVE-2020-9492</cve> |
| <cve>CVE-2022-25168</cve> |
| <cve>CVE-2022-26612</cve> |
| <cve>CVE-2018-8009</cve> |
| <cve>CVE-2021-33036</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: hadoop-*-3.3.1.jar |
| ]]></notes> |
| <cve>CVE-2018-11765</cve> |
| <cve>CVE-2020-9492</cve> |
| <cve>CVE-2021-31684</cve> |
| <cve>CVE-2021-35517</cve> |
| <cve>CVE-2021-35516</cve> |
| <cve>CVE-2021-35515</cve> |
| <cve>CVE-2021-36090</cve> |
| <cve>CVE-2022-2048</cve> |
| <cve>CVE-2022-3509</cve> |
| <cve>CVE-2022-40152</cve> |
| </suppress> |
| <suppress> |
| <!-- The CVE is not applicable to kafka-clients. --> |
| <notes><![CDATA[ |
| file name: kafka-clients-2.8.0.jar |
| ]]></notes> |
| <cve>CVE-2021-26291</cve> |
| </suppress> |
| <suppress until="2021-12-30"> |
| <!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. --> |
| <notes><![CDATA[ |
| This vulnerability should be fixed soon and the suppression should be removed. |
| ]]></notes> |
| <cve>CVE-2020-13949</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users --> |
| <notes><![CDATA[ |
| file name: velocity-engine-core-2.2.jar: |
| ]]></notes> |
| <cve>CVE-2020-13936</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version --> |
| <notes><![CDATA[ |
| file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl> |
| <cve>CVE-2018-14718</cve> |
| <cve>CVE-2018-7489</cve> |
| <cve>CVE-2022-42003</cve> |
| <cve>CVE-2022-42004</cve> |
| </suppress> |
| <suppress> |
| <!-- aliyun-oss --> |
| <notes><![CDATA[ |
| file name: ini4j-0.5.4.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl> |
| <vulnerabilityName>CVE-2022-41404</vulnerabilityName> |
| </suppress> |
| <suppress> |
| <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1--> |
| <notes><![CDATA[ |
| file name: solr-solrj-7.7.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl> |
| <cve>CVE-2020-13957</cve> |
| <cve>CVE-2019-17558</cve> |
| <cve>CVE-2019-0193</cve> |
| <cve>CVE-2020-13941</cve> |
| <cve>CVE-2021-29943</cve> |
| <cve>CVE-2021-27905</cve> |
| <cve>CVE-2021-29262</cve> |
| <cve>CVE-2021-44548</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well--> |
| <notes><![CDATA[ |
| file name: jdom2-2.0.6.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl> |
| <cve>CVE-2021-33813</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now--> |
| <notes><![CDATA[ |
| file name: libthrift-0.13.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl> |
| <cve>CVE-2020-13949</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| 1. hive-storage-api has the thrift vulnerability too |
| 2. CVE-2021-34538 pertains to Hive server. |
| 3. CVE-2021-4125 only applies to the OpenShift Metering hive container images |
| --> |
| <notes><![CDATA[ |
| file name: hive-storage-api-2.8.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl> |
| <cve>CVE-2020-13949</cve> |
| <cve>CVE-2021-34538</cve> |
| <cve>CVE-2021-4125</cve> |
| </suppress> |
| <suppress> |
| <!-- |
| the scanner misattributes this to Apache DataSketches |
| the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature |
| which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore |
| because it seems nearly impossible for us to be affected by this |
| --> |
| <cve>CVE-2021-40531</cve> |
| </suppress> |
| <suppress> |
| <!-- These are for wildfly-openssl. --> |
| <notes><![CDATA[ |
| file name: wildfly-openssl-1.0.7.Final.jar |
| ]]></notes> |
| <cve>CVE-2020-10740</cve> |
| <cve>CVE-2020-25644</cve> |
| <cve>CVE-2020-10718</cve> |
| <cve>CVE-2022-1278</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Suppress aws-java-sdk-bundle cves --> |
| <notes><![CDATA[ |
| file name: aws-java-sdk-bundle-1.11.901.jar |
| ]]></notes> |
| <cve>CVE-2020-8570</cve> |
| <cve>CVE-2015-8559</cve> |
| <cve>CVE-2021-20291</cve> |
| <cve>CVE-2017-17485</cve> |
| <cve>CVE-2018-5968</cve> |
| <cve>CVE-2017-15095</cve> |
| <cve>CVE-2019-16942</cve> |
| <cve>CVE-2020-25649</cve> |
| <cve>CVE-2020-35491</cve> |
| <cve>CVE-2019-16943</cve> |
| <cve>CVE-2020-35490</cve> |
| <cve>CVE-2019-20330</cve> |
| <cve>CVE-2020-10673</cve> |
| <cve>CVE-2018-11307</cve> |
| <cve>CVE-2018-7489</cve> |
| <cve>CVE-2019-17267</cve> |
| <cve>CVE-2019-17531</cve> |
| <cve>CVE-2019-16335</cve> |
| <cve>CVE-2019-14893</cve> |
| <cve>CVE-2019-14540</cve> |
| <cve>CVE-2021-37136</cve> |
| <cve>CVE-2021-37137</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Suppress hadoop-shaded-guava cves --> |
| <notes><![CDATA[ |
| file name: hadoop-shaded-guava-1.1.1.jar |
| ]]></notes> |
| <cve>CVE-2015-7430</cve> |
| <cve>CVE-2017-3162</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Suppress avro cves that are only applicable to .NET SDK--> |
| <notes><![CDATA[ |
| file name: avro-1.9.2.jar or avro-ipc-jetty-1.9.2.jar |
| ]]></notes> |
| <cve>CVE-2021-43045</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- False alarm for the Async javascript library (https://github.com/caolan/async) which is a dev dependency for the web console --> |
| <notes><![CDATA[ |
| file name: async-http-client-netty-utils-2.5.3.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl> |
| <cve>CVE-2021-43138</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- False alarm for the Async javascript library (https://github.com/caolan/async) which is a dev dependency for the web console --> |
| <notes><![CDATA[ |
| file name: async-http-client-2.5.3.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client@2.5.3$</packageUrl> |
| <cve>CVE-2021-43138</cve> |
| </suppress> |
| |
| |
| <suppress> |
| <!-- Jackson CVEs when processing objects of large depth. Consider updating --> |
| |
| <notes><![CDATA[ |
| file name: *jackson-*.jar |
| ]]></notes> |
| <cve>CVE-2020-36518</cve> |
| <cve>CVE-2022-45688</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Non-applicable CVE for gson --> |
| <notes><![CDATA[ |
| file name: gson-*.jar |
| ]]></notes> |
| <cve>CVE-2022-25647</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Non-applicable CVE for jedis, since we don't use lua scripts --> |
| <notes><![CDATA[ |
| file name: jedis-2.9.0.jar |
| ]]></notes> |
| <cve>CVE-2021-32626</cve> |
| <cve>CVE-2022-24735</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- pac4j-core-3.8.3 --> |
| <notes><![CDATA[ |
| file name: pac4j-core-3.8.3.jar |
| ]]></notes> |
| <cve>CVE-2021-44878</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- cassandra-all-1.0.8.jar --> |
| <notes><![CDATA[ |
| file name: cassandra-all-1.0.8.jar |
| ]]></notes> |
| <cve>CVE-2020-17516</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- jackson-dataformat-cbor-2.10.5.jar --> |
| <notes><![CDATA[ |
| file name: jackson-dataformat-cbor-2.10.5.jar |
| ]]></notes> |
| <cve>CVE-2020-28491</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- okhttp --> |
| <notes><![CDATA[ |
| file name: okhttp-*.jar |
| ]]></notes> |
| <cve>CVE-2021-0341</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- parquet-format-structures-1.12.0.jar --> |
| <notes><![CDATA[ |
| file name: parquet-format-structures-1.12.0.jar |
| ]]></notes> |
| <cve>CVE-2021-41561</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Avatica server itself is not affected. Vulnerability exists only on client. --> |
| <notes><![CDATA[ |
| file name: avatica-server-1.17.0.jar |
| ]]></notes> |
| <cve>CVE-2022-36364</cve> |
| <cve>CVE-2022-39135</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: calcite-core-1.21.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl> |
| <cve>CVE-2020-13955</cve> |
| </suppress> |
| <suppress> |
| <!-- False positive. 42.3.3 is not affected by the CVE. And we don't use Resultset.refreshRow method either --> |
| <notes><![CDATA[ |
| file name: postgresql-42.3.3.jar |
| ]]></notes> |
| <cve>CVE-2022-31197</cve> |
| </suppress> |
| <suppress> |
| <!-- avatica-server-1.17.0.jar --> |
| <notes><![CDATA[ |
| file name: avatica-server-1.17.0.jar |
| ]]></notes> |
| <!-- |
| We do not expose any of the SQL operators that were found vulnerable in this CVE. |
| --> |
| <cve>CVE-2022-39135</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- calcite-core-1.21.0.jar --> |
| <notes><![CDATA[ |
| file name: calcite-core-1.21.0.jar |
| ]]></notes> |
| <!-- |
| We do not expose any of the SQL operators that were found vulnerable in this CVE. |
| --> |
| <cve>CVE-2022-39135</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- package-lock.json?d3-color --> |
| <notes><![CDATA[ |
| file name: d3-color:2.0.0 |
| ]]></notes> |
| <!-- |
| Not vulnerable to these as, we use d3-color on the client only. |
| --> |
| <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl> |
| <vulnerabilityName>1084597</vulnerabilityName> |
| <vulnerabilityName>1088594</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: d3-color:2.0.0 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl> |
| <vulnerabilityName>1084597</vulnerabilityName> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: protobuf-java-3.11.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl> |
| <cve>CVE-2022-3171</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: protobuf-java-util-3.11.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl> |
| <cve>CVE-2022-3171</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: ansi-regex:5.0.0 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl> |
| <vulnerabilityName>1084697</vulnerabilityName> |
| <cve>CVE-2021-3807</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: glob-parent:5.1.1 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl> |
| <vulnerabilityName>1081884</vulnerabilityName> |
| <cve>CVE-2020-28469</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: minimatch:3.0.4 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl> |
| <vulnerabilityName>1084765</vulnerabilityName> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: y18n:4.0.0 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/y18n@.*$</packageUrl> |
| <vulnerabilityName>1070209</vulnerabilityName> |
| <cve>CVE-2020-7774</cve> |
| </suppress> |
| <suppress> |
| <!-- druid-ranger-security --> |
| <notes><![CDATA[ |
| file name: ranger-plugins-common-2.0.0.jar |
| ]]></notes> |
| <!-- seems not applicable to plugin --> |
| <cve>CVE-2022-45048</cve> |
| </suppress> |
| <suppress> |
| <!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar --> |
| <notes><![CDATA[ |
| file name: hadoop-client-runtime-3.3.5.jar |
| ]]></notes> |
| <!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 --> |
| <cve>CVE-2022-26612</cve> |
| <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 --> |
| <cve>CVE-2023-25613</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| file name: ranger-plugins-*-2.0.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.ranger/ranger\-plugins\-.*@2.0.0$</packageUrl> |
| <!-- applies to ranger-hive-plugin which afaict we do not use https://nvd.nist.gov/vuln/detail/CVE-2021-40331 --> |
| <cve>CVE-2021-40331</cve> |
| </suppress> |
| </suppressions> |