CVE suppression for various dependencies. (#17307)

apache · Oct 9, 2024 · 4fdb381 · 4fdb381
1 parent 88d26e4
commit 4fdb381
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -137,6 +137,10 @@
     <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
     <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
     <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
+    <cve>CVE-2024-7254</cve>  <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
+    <cve>CVE-2024-47554</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
+    <cve>CVE-2024-47561</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
+    <cve>CVE-2024-29131</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
   </suppress>
 
   <!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
@@ -708,4 +712,38 @@
     ]]></notes>
     <vulnerabilityName>CVE-2022-1271</vulnerabilityName>
   </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    file name: jakarta.el-3.0.4.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2024-9329</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <!-- The CVE is present in ORC module which cannot be upgraded since they have dropped support for java 8 -->
+    <notes><![CDATA[
+    file name: aircompressor-0.21.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2024-36114</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <!-- CVE-2022-4244 is affecting plexus-utils package,
+  plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
+    <notes><![CDATA[
+    file name: plexus-component-annotations-1.7.1.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2022-4244</vulnerabilityName>
+  </suppress>
+
+
+  <suppress>
+    <!-- Not affected by this CVE since we donot use lucene directly-->
+    <notes><![CDATA[
+    file name: lucene-core-8.4.0.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2024-45772</vulnerabilityName>
+  </suppress>
+
 </suppressions>