Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692
 (apache#13753)

* Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692

Also upgraded clickhouse lib and suppressed wrongly detected clickhouse
CVEs (client lib matched to server CVEs)

* CR feedback
dlg99 authored Jan 16, 2022
1 parent ad57f35 commit 8214da8
Showing 2 changed files with 75 additions and 3 deletions.
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -147,8 +147,8 @@ flexible messaging model and an intuitive client API.</description>
<jclouds.version>2.3.0</jclouds.version>
<sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
<mysql-jdbc.version>8.0.11</mysql-jdbc.version>
<postgresql-jdbc.version>42.2.12</postgresql-jdbc.version>
<clickhouse-jdbc.version>0.2.4</clickhouse-jdbc.version>
<postgresql-jdbc.version>42.2.24</postgresql-jdbc.version>
<clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
<mariadb-jdbc.version>2.6.0</mariadb-jdbc.version>
<hdfs-offload-version3>3.3.0</hdfs-offload-version3>
<elasticsearch.version>7.9.1</elasticsearch.version>
74 changes: 73 additions & 1 deletion src/owasp-dependency-check-suppressions.xml
Expand Up @@ -41,4 +41,76 @@
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
</suppressions>

<!-- clickhouse: security scan matches client lib to the server CVEs -->
<suppress>
<notes><![CDATA[
file name: avro-1.10.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
<cve>CVE-2021-43045</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14668</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14669</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14670</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14671</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2018-14672</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-15024</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-16535</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2019-18657</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: clickhouse-jdbc-0.3.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
<cve>CVE-2021-25263</cve>
</suppress>
</suppressions>
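Review bot: Every new `packageUrl` in this section ends in `@.*$`, so the suppressions match every future version of avro and clickhouse-jdbc, not only the `avro-1.10.2.jar` / `clickhouse-jdbc-0.3.2.jar` artifacts the `notes` name; once either library is upgraded, a finding that really does apply to the new version would be silently hidden. Pin the regex to the version that was actually reviewed, e.g. `^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@0\.3\.2$`, and/or add an expiry with `<suppress until="YYYY-MM-DD">` (placeholder date) so the entries are revisited rather than living forever. The avro entry (CVE-2021-43045) sits under the `clickhouse:` comment but is unrelated to clickhouse, and its note records only the file name; since the commit description gives no rationale for it, the note should state why that finding does not apply to this build. The nine clickhouse entries differ only in their `<cve>` value and can be collapsed into a single `<suppress>` with several `<cve>` children, as in the excerpt below.
```xml
  <!-- clickhouse: security scan matches client lib to the server CVEs -->
  <suppress until="YYYY-MM-DD"> <!-- placeholder: set the date by which this is re-reviewed -->
    <notes><![CDATA[
    file name: clickhouse-jdbc-0.3.2.jar
    Server-side CVEs reported against the JDBC client jar; re-check on upgrade.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@0\.3\.2$</packageUrl>
    <cve>CVE-2018-14668</cve>
    <cve>CVE-2018-14669</cve>
    <cve>CVE-2018-14670</cve>
    <cve>CVE-2018-14671</cve>
    <cve>CVE-2018-14672</cve>
    <cve>CVE-2019-15024</cve>
    <cve>CVE-2019-16535</cve>
    <cve>CVE-2019-18657</cve>
    <cve>CVE-2021-25263</cve>
  </suppress>
  <!-- … unchanged: avro suppression and the closing suppressions element … -->
```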
