suppress false positive cve (#11699)

* suppress false positive cve

* update comment, don't run tests on changes to owasp-dependency-check-suppressions.xml
diff --git a/check_test_suite.py b/check_test_suite.py
index ec21353..3de4047 100755
--- a/check_test_suite.py
+++ b/check_test_suite.py
@@ -29,7 +29,7 @@
 ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore',
                    '.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker',
                    'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py',
-                   'check_test_suite_test.py']
+                   'check_test_suite_test.py', 'owasp-dependency-check-suppressions.xml']
 
 # these files are docs changes
 # if changes are limited to this set then we can skip web-console and java
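Review bot: Adding `'owasp-dependency-check-suppressions.xml'` to `ignore_prefixes` means a change to the suppression file alone no longer triggers any test run, so nothing in this script would catch a malformed or over-broad suppression before it takes effect. If the OWASP dependency-check scan is itself gated by this script's decision (not visible here), that scan should still run for edits to this file; if it runs unconditionally, a one-line comment on the new entry recording that would help the next maintainer, e.g. `# suppressions.xml only affects the dependency-check scan, which runs regardless of this script`. The `ignore_prefixes` list continues past the hunk.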
diff --git a/check_test_suite_test.py b/check_test_suite_test.py
index 2cefd44..18446ea 100755
--- a/check_test_suite_test.py
+++ b/check_test_suite_test.py
@@ -77,7 +77,7 @@
             ['check_test_suite_test.py'],
             ['website/core/Footer.js'],
             ['web-console/src/views/index.ts'],
-            ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html']
+            ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html', 'owasp-dependency-check-suppressions.xml']
         ]
         some_java_diffs = [
             ['core/src/main/java/org/apache/druid/math/expr/Expr.java'],
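Review bot: The new path is only exercised as part of the combined list on the `+` line, so the test does not pin that `owasp-dependency-check-suppressions.xml` on its own is classified as ignorable; a standalone entry `['owasp-dependency-check-suppressions.xml'],` next to the other single-file cases would cover the prefix independently. The enclosing test method starts outside the hunk.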
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 9b46f22..aa83c41 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -26,6 +26,7 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
     <cve>CVE-2012-4449</cve>
     <cve>CVE-2017-3162</cve>
+    <cve>CVE-2018-8009</cve>
   </suppress>
   <suppress>
     <!-- druid-processing.jar is mistaken for org.processing:processing -->
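Review bot: The added `<cve>CVE-2018-8009</cve>` entry on the druid-indexing-hadoop block carries no rationale, unlike the new block added further down in this file, which explains why the match is a misattribution. Since this block is scoped to `druid-indexing-hadoop@.*` (all versions), the suppression is permanent; a comment stating why the finding does not apply — presumably the scanner matching on "hadoop" in the artifact name rather than an actual affected dependency, which should be confirmed — would let a later reviewer re-check it, e.g. `<!-- CVE-2018-8009: matched on the artifact name, not on a bundled dependency; re-verify if hadoop-* versions change -->`. The enclosing `<suppress>` element starts outside the hunk.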
@@ -387,4 +388,13 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
     <cve>CVE-2020-13949</cve>
   </suppress>
+  <suppress>
+    <!--
+    the scanner misattributes this to Apache DataSketches
+    the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
+    which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
+    because it seems nearly impossible for us to be affected by this
+     -->
+    <cve>CVE-2021-40531</cve>
+  </suppress>
 </suppressions>
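Review bot: The new `<suppress>` block for CVE-2021-40531 has no `<packageUrl>` (or other selector), so it suppresses that CVE for every dependency in the scan, not just the DataSketches artifact the comment describes; the other blocks in this file scope by `packageUrl`. Even for a finding that is almost certainly irrelevant, a blanket entry will also hide the CVE if a future dependency genuinely matches it, so it is worth adding a selector such as `<packageUrl regex="true">^pkg:maven/<DATASKETCHES_GROUP_ID_FROM_POM>/.*$</packageUrl>` (group id as used in the project's pom) above the `<cve>` line. Minor style point: the closing `-->` is indented one column deeper than the rest of the comment.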