Suppress CVEs in 27.0.0 (#14647)

* Suppress ambari metrics CVEs * Suppress unrelated CVEs in kubernetes overlord extension
apache · Jul 26, 2023 · 7d665b9 · 7d665b9
1 parent bcc0d1a
commit 7d665b9
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -230,6 +230,7 @@
     <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
     <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
     <cve>CVE-2022-41881</cve>
+    <cve>CVE-2023-34462</cve>	<!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
   </suppress>
   <suppress>
     <!-- TODO: Fix by upgrading hadoop-auth version -->
@@ -280,6 +281,7 @@
     <!-- false positive -->
     <cve>CVE-2023-2251</cve>
     <cve>CVE-2022-3064</cve>
+    <cve>CVE-2021-4235</cve>	<!-- Suppressed as we don't parse user provided yamls -->
   </suppress>
   <suppress>
     <notes><![CDATA[
@@ -391,6 +393,13 @@
     <packageUrl regex="true">^pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1$</packageUrl>
     <cve>CVE-2022-33915</cve>
   </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar
+    ]]></notes>
+    <cve>CVE-2022-45855</cve>
+    <cve>CVE-2022-42009</cve>
+  </suppress>
   <suppress>
     <!--
       - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
@@ -681,6 +690,7 @@
    file name: okhttp-*.jar
    ]]></notes>
     <cve>CVE-2021-0341</cve>
+    <cve>CVE-2016-2402</cve>	<!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
   </suppress>
 
   <suppress>
@@ -851,4 +861,11 @@
     <cve>CVE-2020-8908</cve> <!-- We do not use com.google.common.io.Files.createTempDir() https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
     <cve>CVE-2023-2976</cve> <!-- We do not use com.google.common.io.FileBackedOutputStream https://nvd.nist.gov/vuln/detail/CVE-2023-2976 -->
   </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+      file name: okio-1.15.0.jar
+    ]]></notes>
+    <cve>CVE-2023-3635</cve> <!-- We don't expect a DOS due to malformed gzip buffers because externally crafted gzip archives are not expected as input to Druid -->
+  </suppress>
 </suppressions>