| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| ~ Licensed to the Apache Software Foundation (ASF) under one |
| ~ or more contributor license agreements. See the NOTICE file |
| ~ distributed with this work for additional information |
| ~ regarding copyright ownership. The ASF licenses this file |
| ~ to you under the Apache License, Version 2.0 (the |
| ~ "License"); you may not use this file except in compliance |
| ~ with the License. You may obtain a copy of the License at |
| ~ |
| ~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~ |
| ~ Unless required by applicable law or agreed to in writing, |
| ~ software distributed under the License is distributed on an |
| ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~ KIND, either express or implied. See the License for the |
| ~ specific language governing permissions and limitations |
| ~ under the License. |
| --> |
| <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> |
| <!-- False positives --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: json-path-2.9.0.jar jackson-core-2.12.7.jar |
| ]]></notes> |
| <cve>CVE-2022-45688</cve> |
| <cve>CVE-2023-35116</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: grpc-context-1.27.2.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-context@1.27.2$</packageUrl> |
| <cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 --> |
| <cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 --> |
| <cve>CVE-2023-32732</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet --> |
| <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less --> |
| <notes><![CDATA[ |
| file name: commons-compress-1.23.0.jar |
| ]]></notes> |
| <cve>CVE-2023-42503</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: guava-31.1-jre.jar |
| ]]></notes> |
| <cve>CVE-2020-8908</cve> |
| </suppress> |
| |
| <!-- CVE-2022-4244 is affecting plexus-utils package, |
| plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 --> |
| <suppress base="true"> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl> |
| <cve>CVE-2022-4244</cve> |
| <cve>CVE-2022-4245</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- This presumably applies to maven build system --> |
| <notes><![CDATA[ |
| file name: maven-settings |
| ]]></notes> |
| <cve>CVE-2021-26291</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- LDAP authentication check bypass FP no exploitability analysis --> |
| <notes><![CDATA[ |
| file name: derby-10.14.2.0.jar |
| ]]></notes> |
| <cve>CVE-2022-46337</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- False positive fixed in 9.4.52 |
| https://nvd.nist.gov/vuln/detail/CVE-2023-36479 --> |
| <notes><![CDATA[ |
| file name: jetty-servlets-9.4.53.v20231009.jar |
| ]]></notes> |
| <cve>CVE-2023-36479</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- |
| the suppressions here aren't currently applicable, but can be resolved once we update the version |
| --> |
| <notes><![CDATA[ |
| file name: jackson-databind-2.10.5.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl> |
| <!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42003 |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42004 |
| --> |
| <cve>CVE-2022-42003</cve> |
| <cve>CVE-2022-42004</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Avatica server itself is not affected. Vulnerability exists only on client. --> |
| <notes><![CDATA[ |
| file name: avatica-server-1.23.0.jar |
| ]]></notes> |
| <cve>CVE-2022-36364</cve> |
| <cve>CVE-2022-39135</cve> |
| <cve>CVE-2020-13955</cve> |
| </suppress> |
| |
| <!-- DoS when using expression evaluator.guess --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: janino-3.1.9.jar |
| ]]></notes> |
| <cve>CVE-2023-33546</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar --> |
| <notes><![CDATA[ |
| file name: hadoop-client-runtime-3.3.6.jar |
| ]]></notes> |
| <!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 --> |
| <cve>CVE-2022-26612</cve> |
| <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 --> |
| <cve>CVE-2023-25613</cve> |
| <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream --> |
| <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version - |
| https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 --> |
| <cve>CVE-2023-1370</cve> |
| <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 --> |
| <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo --> |
| <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> |
| <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> |
| </suppress> |
| |
| <!-- those are false positives, no other tools report any of those CVEs in the hadoop package --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: hadoop-*-3.3.1.jar |
| ]]></notes> |
| <cve>CVE-2015-7430</cve> |
| <cve>CVE-2017-3162</cve> |
| <cve>CVE-2021-31684</cve> |
| <cve>CVE-2022-3509</cve> |
| <cve>CVE-2022-40152</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- |
| 1. hive-storage-api has the thrift vulnerability too |
| 2. CVE-2021-34538 pertains to Hive server. |
| 3. CVE-2021-4125 only applies to the OpenShift Metering hive container images |
| --> |
| <notes><![CDATA[ |
| file name: hive-storage-api-2.8.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*</packageUrl> |
| <cve>CVE-2020-13949</cve> |
| <cve>CVE-2021-34538</cve> |
| <cve>CVE-2021-4125</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- These are for wildfly-openssl. --> |
| <notes><![CDATA[ |
| file name: wildfly-openssl-1.0.7.Final.jar |
| ]]></notes> |
| <cve>CVE-2020-10740</cve> |
| <cve>CVE-2020-25644</cve> |
| <cve>CVE-2020-10718</cve> |
| <cve>CVE-2022-1278</cve> |
| </suppress> |
| |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: kafka-clients-3.2.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl> |
| <cve>CVE-2022-34917</cve> |
| <cve>CVE-2023-25194</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: woodstox-core-6.2.4.jar |
| ]]></notes> |
| <cve>CVE-2023-34411</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: spatial4j-0.7.jar: |
| ]]></notes> |
| <cve>CVE-2014-125074</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet --> |
| <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less --> |
| <notes><![CDATA[ |
| file name: jose4j-0.7.3.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl> |
| <cve>CVE-2023-31582</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- okhttp --> |
| <notes><![CDATA[ |
| file name: okhttp-*.jar |
| ]]></notes> |
| <cve>CVE-2021-0341</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing --> |
| <cve>CVE-2016-2402</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing --> |
| <cve>CVE-2023-0833</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing --> |
| </suppress> |
| |
| <suppress> |
| <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop --> |
| <notes><![CDATA[ |
| file name: jackson-mapper-asl-1.9.13.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl> |
| <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 ince it is via curator-x-discovery --> |
| </suppress> |
| |
| <suppress> |
| <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 --> |
| <notes><![CDATA[ |
| file name: netty-3.10.6.Final.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl> |
| <cve>CVE-2019-16869</cve> |
| <cve>CVE-2019-20444</cve> |
| <cve>CVE-2019-20445</cve> |
| <cve>CVE-2020-11612</cve> |
| <cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 --> |
| <cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj --> |
| <cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32 --> |
| <cve>CVE-2021-37136</cve> |
| <cve>CVE-2021-37137</cve> |
| <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq --> |
| <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q --> |
| <cve>CVE-2022-41881</cve> |
| <cve>CVE-2023-34462</cve> <!-- Suppressed since netty requests in Druid are internal, and not user-facing --> |
| </suppress> |
| |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: libthrift-0.6.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl> |
| <cve>CVE-2018-1320</cve> |
| <cve>CVE-2019-0205</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: jettison-1.*.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl> |
| <cve>CVE-2022-40149</cve> |
| <cve>CVE-2022-40150</cve> |
| <cve>CVE-2022-45685</cve> |
| <cve>CVE-2022-45693</cve> |
| <cve>CVE-2023-1436</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- The main use of snakeyaml in Druid is coming in test scope from: |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.7 |
| (version 1.27) |
| The contrib extension: druid-cassandra-storage uses version 1.6 in compile |
| scope |
| The integration tests use version 1.27 in compile scope. |
| Previous pinning of version to 1.33 forced the usage of the version across |
| all the modules, downgrading the version for some of them. |
| The removal of the pin in the main POM allows the modules choose which version |
| to be used, enabling the users to disable contrib extensions and use the |
| CVE free version of Snakeyaml in core extensions. |
| --> |
| |
| <notes><![CDATA[ |
| file name: snakeyaml-1.27.jar snakeyaml-1.33.jar |
| ]]></notes> |
| <!-- Snakeyaml is used only in test scope in Druid core with trusted inputs --> |
| <cve>CVE-2022-1471</cve> |
| <!-- false positive --> |
| <cve>CVE-2023-2251</cve> |
| <cve>CVE-2022-3064</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: node-sass:4.13.1 |
| |
| The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455 |
| |
| But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on |
| Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl> |
| <vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version --> |
| <notes><![CDATA[ |
| file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl> |
| <cve>CVE-2018-14718</cve> |
| <cve>CVE-2018-7489</cve> |
| <cve>CVE-2022-42003</cve> |
| <cve>CVE-2022-42004</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now--> |
| <!-- valid issue, worth investigating overhauling to e.g., 0.19.0 --> |
| <notes><![CDATA[ |
| file name: libthrift-0.13.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*</packageUrl> |
| <cve>CVE-2020-13949</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- Non-applicable CVE for gson --> |
| <notes><![CDATA[ |
| file name: gson-*.jar |
| ]]></notes> |
| <cve>CVE-2022-25647</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- 4.5.5 is a fixed version as per https://nvd.nist.gov/vuln/detail/CVE-2021-44878. --> |
| <!-- However, vulnerability scan still shows this CVE. Pac4j release notes mention 5.3.1 as "fully fixed" version. --> |
| <!-- Remove suppression once upgraded to 5.3.1. --> |
| <notes><![CDATA[ |
| file name: pac4j-core-4.5.7.jar |
| ]]></notes> |
| <cve>CVE-2021-44878</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- package-lock.json?d3-color --> |
| <notes><![CDATA[ |
| file name: d3-color:2.0.0 |
| ]]></notes> |
| <!-- |
| Not vulnerable to these as, we use d3-color on the client only. |
| --> |
| <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl> |
| <vulnerabilityName>1084597</vulnerabilityName> |
| <vulnerabilityName>1088594</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: d3-color:2.0.0 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl> |
| <vulnerabilityName>1084597</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: protobuf-java-3.11.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl> |
| <cve>CVE-2022-3171</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: protobuf-java-util-3.11.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl> |
| <cve>CVE-2022-3171</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: ansi-regex:5.0.0 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl> |
| <vulnerabilityName>1084697</vulnerabilityName> |
| <cve>CVE-2021-3807</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: glob-parent:5.1.1 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl> |
| <vulnerabilityName>1081884</vulnerabilityName> |
| <cve>CVE-2020-28469</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: minimatch:3.0.4 |
| ]]></notes> |
| <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl> |
| <vulnerabilityName>1084765</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar --> |
| <notes><![CDATA[ |
| file name: hadoop-client-runtime-3.3.6.jar |
| ]]></notes> |
| <!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 --> |
| <cve>CVE-2022-26612</cve> |
| <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 --> |
| <cve>CVE-2023-25613</cve> |
| <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream --> |
| <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version - |
| https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 --> |
| <cve>CVE-2023-1370</cve> |
| <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 --> |
| <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo --> |
| <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> |
| <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet--> |
| </suppress> |
| |
| <suppress> |
| <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar --> |
| <notes><![CDATA[ |
| file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/jquery.datatables@1.10.18) |
| ]]></notes> |
| <vulnerabilityName>prototype pollution</vulnerabilityName> |
| <cve>CVE-2020-28458</cve> |
| </suppress> |
| |
| |
| <!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: plexus-utils-3.0.24.jar |
| file name: async-http-client-netty-utils-2.5.3.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl> |
| <cve>CVE-2021-4277</cve> |
| </suppress> |
| |
| <!-- the remaining uses of vulnerable okio are in contrib-extensions --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: okio-1.17.2.jar, okio-1.15.0.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl> |
| <cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing --> |
| </suppress> |
| |
| <!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 --> |
| <suppress base="true"> |
| <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl> |
| <cve>CVE-2022-4244</cve> |
| </suppress> |
| |
| <!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its |
| ~ transitive dependency use json-java which contains the vulnerability--> |
| <suppress base="true"> |
| <cve>CVE-2023-5072</cve> |
| </suppress> |
| |
| |
| <!-- |
| ~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged, |
| ~ however Druid enables it in ChannelResourceFactory therefore this is a false positive--> |
| <suppress> |
| <notes><![CDATA[ |
| file name: netty-transport-4.1.100.Final.jar |
| ]]></notes> |
| <cve>CVE-2023-4586</cve> |
| </suppress> |
| |
| <!-- druid cassandra storage exclusions --> |
| <suppress> |
| <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage --> |
| <notes><![CDATA[ |
| file name: libthrift-0.6.1.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl> |
| <cve>CVE-2016-5397</cve> |
| <cve>CVE-2018-1320</cve> |
| <cve>CVE-2019-0205</cve> |
| <cve>CVE-2015-3254</cve> |
| </suppress> |
| <!-- mostly false positives, need to use dependencies from current decade --> |
| <suppress> |
| <notes><![CDATA[ |
| file name: avro-1.4.0-cassandra-1.jar cassandra-all-1.0.8.jar |
| ]]></notes> |
| <cve>CVE-2012-6708</cve> |
| <cve>CVE-2015-9251</cve> |
| <cve>CVE-2019-11358</cve> |
| <cve>CVE-2020-11022</cve> |
| <cve>CVE-2020-11023</cve> |
| <cve>CVE-2020-7656</cve> |
| <cve>CVE-2011-4969</cve> |
| <cve>CVE-2020-17516</cve> |
| <cve>CVE-2020-13946</cve> |
| </suppress> |
| <!-- end of druid cassandra storage exclusions --> |
| |
| |
| <!-- druid-cloudfiles-extensions exclusions --> |
| <suppress> |
| <!-- CVEs added for completeness in pretty much dead extension --> |
| <notes><![CDATA[ |
| file name: openstack*-2.5.0.jar |
| ]]></notes> |
| <cve>CVE-2020-12689</cve> |
| <cve>CVE-2020-12691</cve> |
| <cve>CVE-2020-12690</cve> |
| <cve>CVE-2021-3563</cve> |
| <cve>CVE-2016-0738</cve> |
| <cve>CVE-2017-16613</cve> |
| </suppress> |
| <!-- end of druid-cloudfiles-extensions exclusions --> |
| |
| <!-- graphite-emitter exclusions --> |
| <suppress> |
| <!-- CVEs added for completeness --> |
| <notes><![CDATA[ |
| file name: amqp-client-5.17.0.jar |
| ]]></notes> |
| <cve>CVE-2023-46120</cve> |
| </suppress> |
| <!-- end of graphite-emitter exclusions --> |
| |
| <!-- ambari-metics-emitter exclusions --> |
| <suppress> |
| <!-- |
| - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018. |
| --> |
| <notes><![CDATA[ |
| file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl> |
| <cve>CVE-2015-1776</cve> |
| <cve>CVE-2016-3086</cve> |
| <cve>CVE-2016-5393</cve> |
| <cve>CVE-2016-6811</cve> |
| <cve>CVE-2017-3162</cve> |
| <cve>CVE-2018-11768</cve> |
| <cve>CVE-2018-1296</cve> |
| <cve>CVE-2018-8009</cve> |
| <cve>CVE-2018-8029</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: log4j-1.2.17.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl> |
| <cve>CVE-2019-17571</cve> |
| <cve>CVE-2021-4104</cve> |
| <cve>CVE-2020-9493</cve> |
| <cve>CVE-2022-23307</cve> |
| <cve>CVE-2022-23305</cve> |
| <cve>CVE-2022-23302</cve> |
| <cve>CVE-2023-26464</cve> |
| </suppress> |
| |
| <suppress> |
| <!-- |
| - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018. |
| --> |
| <notes><![CDATA[ |
| file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final) |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl> |
| <cve>CVE-2019-16869</cve> |
| <cve>CVE-2019-20444</cve> |
| <cve>CVE-2019-20445</cve> |
| <cve>CVE-2021-37136</cve> |
| <cve>CVE-2021-37137</cve> |
| <cve>CVE-2021-4104</cve> |
| <cve>CVE-2020-9493</cve> |
| <cve>CVE-2022-23307</cve> |
| <cve>CVE-2022-23305</cve> |
| <cve>CVE-2022-23302</cve> |
| <cve>CVE-2022-41881</cve> |
| <cve>CVE-2020-11612</cve> |
| </suppress> |
| |
| <suppress> |
| <notes><![CDATA[ |
| file name: ambari-metrics-common-2.7.0.0.0.jar |
| ]]></notes> |
| <cve>CVE-2022-45855</cve> |
| <cve>CVE-2022-42009</cve> |
| <!-- Suppress hadoop CVEs that not applicable to hadoop-annotations --> |
| <cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop-annotations --> |
| <cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server --> |
| <cve>CVE-2020-9492</cve> <!-- Applicable to webHDFS client --> |
| </suppress> |
| <!-- end of ambari-metics-emitter exclusions --> |
| |
| <!-- aliyun-oss exclusions --> |
| <suppress> |
| <!-- Transitive dependency from aliyun-sdk-oss, --> |
| <notes><![CDATA[ |
| file name: ini4j-0.5.4.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl> |
| <vulnerabilityName>CVE-2022-41404</vulnerabilityName> |
| </suppress> |
| |
| <suppress> |
| <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well--> |
| <notes><![CDATA[ |
| file name: jdom2-2.0.6.jar |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl> |
| <cve>CVE-2021-33813</cve> |
| </suppress> |
| <!-- end of aliyun-oss exclusions --> |
| |
| <!-- iceberg exclusions --> |
| <suppress> |
| <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well--> |
| <notes><![CDATA[ |
| file name: libfb303-0.9.3.jar libthrift-0.9.3.jar |
| ]]></notes> |
| <cve>CVE-2016-5397</cve> |
| <cve>CVE-2018-1320</cve> |
| <cve>CVE-2019-0210</cve> |
| <cve>CVE-2020-13949</cve> |
| <cve>CVE-2019-0205</cve> |
| <cve>CVE-2019-0210</cve> |
| <cve>CVE-2020-13949</cve> |
| </suppress> |
| <suppress> |
| <notes><![CDATA[ |
| FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries |
| ]]></notes> |
| <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl> |
| <cve>CVE-2023-36052</cve> |
| </suppress> |
| <suppress> |
| <!-- CVE is for a totally unrelated Sketch mac app --> |
| <notes><![CDATA[ |
| file name: sketches-java-0.8.2.jar |
| ]]></notes> |
| <cve>CVE-2021-40531</cve> |
| </suppress> |
| <suppress> |
| <!-- CVE reports versions until 1.10.2 affected. The current version 1.11.1 is already greater and the latest. --> |
| <notes><![CDATA[ |
| file name: azure-identity-1.11.1.jar |
| ]]></notes> |
| <cve>CVE-2023-36415</cve> |
| </suppress> |
| <suppress> |
| <!-- Used in Pac4j. Pac4j versions (such as v5.7.3) corresponding |
| to the safe nimbus-jose-jwt v9.37.2 are incompatible with druid as they don't support JDK 8 |
| https://www.pac4j.org/docs/alldocs.html --> |
| |
| <notes><![CDATA[ |
| file name: nimbus-jose-jwt-8.22.1.jar |
| ]]></notes> |
| <cve>CVE-2023-52428</cve> |
| </suppress> |
| <suppress> |
| <!-- Used in Azure dependencies. |
| Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas bug resolved in 9.37.2 --> |
| <notes><![CDATA[ |
| file name: nimbus-jose-jwt-9.30.2.jar |
| ]]></notes> |
| <cve>CVE-2023-52428</cve> |
| </suppress> |
| <suppress> |
| <!-- Legit issues but currently use the latest ranger-plugins-audit jar v2.4.0 --> |
| <notes><![CDATA[ |
| file name: solr-solrj-8.11.2.jar |
| ]]></notes> |
| <cve>CVE-2023-50291</cve> |
| <cve>CVE-2023-50298</cve> |
| <cve>CVE-2023-50386</cve> |
| <cve>CVE-2023-50292</cve> |
| </suppress> |
| </suppressions> |