
From kris...@apache.org
Subject knox git commit: KNOX-1660 - OWASP Add suppressions for false positives
Date Thu, 06 Dec 2018 16:42:19 GMT
Repository: knox
Updated Branches:
  refs/heads/master 4df88bb80 -> 2e7749c0e


KNOX-1660 - OWASP Add suppressions for false positives

Signed-off-by: Kevin Risden <krisden@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/2e7749c0
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/2e7749c0
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/2e7749c0

Branch: refs/heads/master
Commit: 2e7749c0e3557ce12bd56eea10cc8776dd98391b
Parents: 4df88bb
Author: Kevin Risden <krisden@apache.org>
Authored: Thu Dec 6 11:39:34 2018 -0500
Committer: Kevin Risden <krisden@apache.org>
Committed: Thu Dec 6 11:39:40 2018 -0500

----------------------------------------------------------------------
 .../dependency-check/suppressions.xml           | 43 ++++++++++++++++++++
 1 file changed, 43 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/2e7749c0/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
----------------------------------------------------------------------
diff --git a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
index 059a747..ed557c9 100644
--- a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
+++ b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
@@ -17,11 +17,21 @@ limitations under the License.
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
     <suppress>
+        <notes><![CDATA[file name: javax.jws-api-.*.jar]]></notes>
+        <gav regex="true">^javax\.jws:javax\.jws-api:.*$</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress>
         <notes><![CDATA[file name: curator-.*.jar]]></notes>
         <gav regex="true">^org\.apache\.curator:curator-.*:.*$</gav>
         <cpe>cpe:/a:apache:zookeeper</cpe>
     </suppress>
     <suppress>
+        <notes><![CDATA[file name: apacheds-all-2.0.0-M24.jar (shaded: org.apache.directory.api:api-util:1.0.0)]]></notes>
+        <gav regex="true">^org\.apache\.directory\.api:.*$</gav>
+        <cve>CVE-2015-3250</cve> <!-- Already past 1.0.0-M30 -->
+    </suppress>
+    <suppress>
         <notes><![CDATA[file name: gateway-.*.jar]]></notes>
         <gav regex="true">^org\.apache\.knox:gateway-.*:.*$</gav>
         <cpe>cpe:/a:apache:ambari</cpe>
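Review bot: The CVE-2015-3250 suppression keyed on `<gav regex="true">^org\.apache\.directory\.api:.*$</gav>` is unbounded in both artifact and version, so it will also silence that CVE for any other org.apache.directory.api artifact or for a later downgrade, while its justification sits in an XML comment rather than in `<notes>`, the element the rest of the file uses for the rationale. Since the scan identified one specific shaded coordinate, the match can be pinned and the reason kept with it: `<notes><![CDATA[file name: apacheds-all-2.0.0-M24.jar (shaded: org.apache.directory.api:api-util:1.0.0); CVE-2015-3250 - already past 1.0.0-M30]]></notes>` followed by `<gav regex="true">^org\.apache\.directory\.api:api-util:1\.0\.0$</gav>`. The CPE-only entries in this hunk suppress a wrong product identification rather than a specific vulnerability, so leaving those unbounded is reasonable. The `<suppressions>` root element opens at the hunk's context line and closes outside the hunk.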
@@ -33,6 +43,8 @@ limitations under the License.
         <cpe>cpe:/a:apache:nifi</cpe>
         <cpe>cpe:/a:apache:shiro</cpe>
         <cpe>cpe:/a:apache:storm</cpe>
+        <cpe>cpe:/a:content_project:content</cpe>
+        <cpe>cpe:/a:request_it:request_it</cpe>
     </suppress>
     <suppress>
         <notes><![CDATA[file name: hadoop-examples-.*.jar]]></notes>
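Review bot: The two CPEs added to the gateway-.* suppression carry no rationale; the entry's `<notes>` still reads only `file name: gateway-.*.jar`, and because `^org\.apache\.knox:gateway-.*:.*$` matches Knox's own artifacts for every version, nothing in the file records why `content_project:content` and `request_it:request_it` are false positives. A short reason in the notes spares the next audit from re-deriving it, e.g. `<notes><![CDATA[file name: gateway-.*.jar; <REASON-EACH-LISTED-CPE-IS-A-FALSE-POSITIVE>]]></notes>` with the placeholder filled in. The same applies to the CPE-only entries in the third hunk (jackson-jaxrs, jettison, eclipse persistence, ha-api, xsom, pac4j-oidc). The `<suppress>` element this hunk edits opens outside the hunk.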
@@ -51,6 +63,37 @@ limitations under the License.
         <cve>CVE-2016-6497</cve>
     </suppress>
     <suppress>
+        <notes><![CDATA[file name: jackson-jaxrs-.*.jar]]></notes>
+        <gav regex="true">^org\.codehaus\.jackson:jackson-jaxrs:.*$</gav>
+        <cpe>cpe:/a:content_project:content</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: jettison-.*.jar]]></notes>
+        <gav regex="true">^org\.codehaus\.jettison:jettison:.*$</gav>
+        <cpe>cpe:/a:st_project:st</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: eclipse persistence jars]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: ha-api-.*.jar]]></notes>
+        <gav regex="true">^org\.glassfish\.ha:ha-api:.*$</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[org.glassfish.jaxb:xsom)]]></notes>
+        <gav regex="true">^org\.glassfish\.jaxb:xsom:.*$</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: pac4j-oidc-.*.jar]]></notes>
+        <gav regex="true">^org\.pac4j:pac4j-oidc:.*$</gav>
+        <cpe>cpe:/a:openid:openid</cpe>
+    </suppress>
+    <suppress>
         <notes><![CDATA[file name: xz-.*.jar]]></notes>
         <gav regex="true">^org\.tukaani:xz:.*$</gav>
         <cve>CVE-2015-4035</cve>
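Review bot: The `<notes>` for the xsom entry, `org.glassfish.jaxb:xsom)`, has a stray closing parenthesis and, like `eclipse persistence jars`, drops the `file name: ...` prefix every other entry in the file uses, which makes the note harder to match against the scan output. Presumably the matched jar is the xsom artifact itself; if so, `<notes><![CDATA[file name: xsom-.*.jar (org.glassfish.jaxb:xsom)]]></notes>` keeps the convention, and the eclipse persistence entry can likewise name the jar pattern it was written for. The `<suppressions>` root element closes outside the hunk.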

