
[fix][sec] Add OWASP Dependency Check suppressions #21281

Merged (1 commit, Sep 30, 2023)

Conversation

lhotari
Member

@lhotari lhotari commented Sep 29, 2023

Motivation

OWASP dependency check report (example) has some CVEs that can be suppressed.

Modifications

- add 2 suppressions.
  - CVE-2023-37475 is a false positive
  - CVE-2023-4586 is about Netty hostname verification and that is already covered in Pulsar code base with apache#15824 changes.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
@lhotari lhotari added this to the 3.2.0 milestone Sep 29, 2023
@lhotari lhotari self-assigned this Sep 29, 2023
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Sep 29, 2023
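The two suppressions this PR adds are entries in OWASP Dependency-Check's suppressions XML (the file later named in the cherry-pick conflict, src/owasp-dependency-check-suppressions.xml), where each `<suppress>` pairs a `<cve>` with a `<packageUrl>` pattern and a `<notes>` justification. The script below is an added example, not Pulsar's code and not part of this PR: it parses a constructed suppressions file in that format, using the two CVE ids from the PR, and lints each entry the way a reviewer of such a change would (a justification is present, a specific vulnerability is named, the packageUrl regex does not match arbitrary artifacts, no `until` date has already passed). The packageUrl patterns, the notes text and the deliberately bad third entry are constructed for the example and are not the project's actual entries; the helper names are this example's own.

```python
"""Lint an OWASP Dependency-Check suppressions file.

Added example, not Pulsar's tooling. Rules enforced per <suppress>:
  1. a non-empty <notes> justification,
  2. a concrete target (<cve>, <cpe>, <vulnerabilityName> or <cvssBelow>),
  3. a <packageUrl regex="true"> that does not match an unrelated artifact,
  4. an `until` date that has not already passed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Namespace of the OWASP Dependency-Check suppression schema (v1.3).
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
TARGET_TAGS = ("cve", "cpe", "vulnerabilityName", "cvssBelow")
# A coordinate no real suppression should match; used to detect blanket regexes.
PROBE_PURL = "pkg:maven/not.a.real.group/not-a-real-artifact@0.0.0"

# Constructed sample in the suppressions.xml format. The CVE ids of the first two
# entries are the ones from the PR; the packageUrl patterns, the notes text and the
# third entry (placeholder CVE id, no notes, blanket pattern, expired) are made up.
SAMPLE_SUPPRESSIONS = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>CVE-2023-37475 is a false positive for this artifact.</notes>
    <packageUrl regex="true">^pkg:maven/example\\.group/example\\-artifact@.*$</packageUrl>
    <cve>CVE-2023-37475</cve>
  </suppress>
  <suppress>
    <notes>CVE-2023-4586 (Netty hostname verification) is handled in Pulsar itself, see apache#15824.</notes>
    <packageUrl regex="true">^pkg:maven/io\\.netty/netty\\-.*@.*$</packageUrl>
    <cve>CVE-2023-4586</cve>
  </suppress>
  <suppress until="2023-01-01Z">
    <packageUrl regex="true">^pkg:maven/.*$</packageUrl>
    <cve>CVE-0000-0000</cve>
  </suppress>
</suppressions>
"""


def _child_text(elem, tag):
    """Text of the first namespaced child named `tag`, or "" if absent."""
    child = elem.find(f"{{{NS}}}{tag}")
    return (child.text or "").strip() if child is not None else ""


def lint_suppressions(xml_text, today=None):
    """Return (entry_number, cve_or_'?', finding) tuples; an empty list means clean.

    `today` is an ISO date string used for the expiry check; defaults to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for n, sup in enumerate(root.findall(f"{{{NS}}}suppress"), start=1):
        cve = _child_text(sup, "cve") or "?"
        # Rule 1: every suppression must record why it is safe to ignore.
        if not _child_text(sup, "notes"):
            findings.append((n, cve, "missing <notes> justification"))
        # Rule 2: it must name what it suppresses, not silence a package wholesale.
        if all(sup.find(f"{{{NS}}}{t}") is None for t in TARGET_TAGS):
            findings.append((n, cve, "no <cve>/<cpe>/<vulnerabilityName>/<cvssBelow> target"))
        # Rule 3: a regex packageUrl that matches the probe would match anything.
        purl = sup.find(f"{{{NS}}}packageUrl")
        if purl is not None and purl.get("regex") == "true" and purl.text:
            if re.match(purl.text.strip(), PROBE_PURL):
                findings.append((n, cve, "packageUrl regex matches any artifact"))
        # Rule 4: an expired suppression must be re-justified or removed.
        until = sup.get("until")
        if until and date.fromisoformat(until.rstrip("Z")) < today:
            findings.append((n, cve, f"expired on {until}"))
    return findings


if __name__ == "__main__":
    for entry, cve, problem in lint_suppressions(SAMPLE_SUPPRESSIONS, today="2023-09-29"):
        print(f"suppress #{entry} ({cve}): {problem}")
```

Run against the sample, the two PR-style entries pass and only the third entry is reported (no notes, blanket pattern, expired). Wiring a check like this into CI before the dependency-check step keeps suppressions reviewable: each one stays tied to a named CVE and a written reason, which is exactly what the PR description supplies for its two entries.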
@codecov-commenter

Codecov Report

Merging #21281 (961b25d) into master (8485d68) will increase coverage by 36.48%.
The diff coverage is n/a.


@@              Coverage Diff              @@
##             master   #21281       +/-   ##
=============================================
+ Coverage     36.79%   73.28%   +36.48%     
- Complexity    12217    32511    +20294     
=============================================
  Files          1698     1887      +189     
  Lines        130510   140197     +9687     
  Branches      14260    15436     +1176     
=============================================
+ Hits          48019   102740    +54721     
+ Misses        76155    29367    -46788     
- Partials       6336     8090     +1754     
| Flag      | Coverage Δ              |
|-----------|-------------------------|
| inttests  | 24.10% <ø> (+0.02%) ⬆️  |
| systests  | 24.80% <ø> (+0.06%) ⬆️  |
| unittests | 72.56% <ø> (+40.55%) ⬆️ |


see 1453 files with indirect coverage changes

@tisonkun
Member

Thank you!

@tisonkun tisonkun merged commit 1bf7371 into apache:master Sep 30, 2023
48 of 49 checks passed
lhotari added a commit that referenced this pull request Sep 30, 2023
lhotari added a commit that referenced this pull request Sep 30, 2023
(cherry picked from commit 1bf7371)

# Conflicts:
#	src/owasp-dependency-check-suppressions.xml
liangyuanpeng pushed a commit to liangyuanpeng/pulsar that referenced this pull request Oct 11, 2023
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 12, 2023
(cherry picked from commit 1bf7371)
(cherry picked from commit efc4bf3)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 14, 2023
(cherry picked from commit 1bf7371)
(cherry picked from commit efc4bf3)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
This pull request was closed.
3 participants