suppress false positive cve (#11699)
* suppress false positive cve
* update comment, don't run tests on changes to owasp-dependency-check-suppressions.xml
diff --git a/check_test_suite.py b/check_test_suite.py
index ec21353..3de4047 100755
--- a/check_test_suite.py
+++ b/check_test_suite.py
@@ -29,7 +29,7 @@
ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore',
'.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker',
'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py',
- 'check_test_suite_test.py']
+ 'check_test_suite_test.py', 'owasp-dependency-check-suppressions.xml']
# these files are docs changes
# if changes are limited to this set then we can skip web-console and java
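Review bot: Adding `'owasp-dependency-check-suppressions.xml'` to `ignore_prefixes` means a change touching only that file skips the web-console and java jobs (per the comment just below); if the OWASP dependency-check scan is run as part of the java job rather than separately, a suppression-only change would then never be fed through the scanner and a malformed or over-broad entry would only surface on the next unrelated build. Worth confirming which CI job actually runs dependency-check before relying on the skip, and recording the answer next to the entry so the next reader does not have to re-derive it, e.g. `# suppressions only affect dependency-check, which runs in <CI_JOB_NAME>` (placeholder).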
diff --git a/check_test_suite_test.py b/check_test_suite_test.py
index 2cefd44..18446ea 100755
--- a/check_test_suite_test.py
+++ b/check_test_suite_test.py
@@ -77,7 +77,7 @@
['check_test_suite_test.py'],
['website/core/Footer.js'],
['web-console/src/views/index.ts'],
- ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html']
+ ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html', 'owasp-dependency-check-suppressions.xml']
]
some_java_diffs = [
['core/src/main/java/org/apache/druid/math/expr/Expr.java'],
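Review bot: The new filename is only exercised as part of the combined four-entry list on the added line, whereas every other ignorable path in this fixture also has its own single-element case (`['check_test_suite_test.py']`, `['website/core/Footer.js']`, ...); a regression that dropped the new prefix would still pass if the other three entries alone trigger the skip. Add a standalone case alongside the others: `['owasp-dependency-check-suppressions.xml'],`. The list this hunk edits opens before the hunk, so its name is not visible here.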
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 9b46f22..aa83c41 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -26,6 +26,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<cve>CVE-2012-4449</cve>
<cve>CVE-2017-3162</cve>
+ <cve>CVE-2018-8009</cve>
</suppress>
<suppress>
<!-- druid-processing.jar is mistaken for org.processing:processing -->
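Review bot: `CVE-2018-8009` is appended to the `druid-indexing-hadoop` block with no rationale, while the neighbouring block (`druid-processing.jar is mistaken for ...`) and the new block at the end of the file both record why the match is spurious; a year from now nobody will know whether this was a name-match false positive or a deliberate risk acceptance. Presumably all three CVEs in this block are Apache Hadoop advisories matched by the `hadoop` token in the artifact name rather than findings against the Druid extension itself — confirm, and add a comment at the top of the block such as `<!-- Hadoop advisories matched to druid-indexing-hadoop by artifact name; the extension is not Apache Hadoop itself -->`. The enclosing `<suppress>` element opens before this hunk.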
@@ -387,4 +388,13 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
<cve>CVE-2020-13949</cve>
</suppress>
+ <suppress>
+ <!--
+ the scanner misattributes this to Apache DataSketches
+ the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
+ which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
+ because it seems nearly impossible for us to be affected by this
+ -->
+ <cve>CVE-2021-40531</cve>
+ </suppress>
</suppressions>
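Review bot: The new `<suppress>` element carries only a `<cve>` and no `<packageUrl>`, `<filePath>` or `<sha1>` selector, so `CVE-2021-40531` is silenced for every dependency in the scan, not just the DataSketches artifact the comment says was misattributed; every other block in this file scopes by `packageUrl`. If a different dependency ever genuinely matched this CVE, the blanket entry would hide it, so scope it to the misattributed coordinates, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.datasketches/.*$</packageUrl>` (confirm the groupId against what the scanner reported), or at minimum time-box it with `<suppress until="<YYYY-MM-DD>Z">` so it is revisited. The comment's speculative wording (`seems to relate to ... or something`) could also be tightened to the one fact that matters: the advisory concerns an unrelated product that happens to share the name Sketch.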