MINOR: fix dependencycheck warnings (#14476)

Add suppressions and skip benchmarking/testing projects Reviewers: Josep Prat <josep.prat@aiven.io>
11 months ago · 1983ebebc7
3 changed files with 34 additions and 0 deletions
--- a/build.gradle
+++ b/build.gradle
@ -39,6 +39,9 @@ plugins {
				@@ -39,6 +39,9 @@ plugins {
  id 'org.nosphere.apache.rat' version "0.8.1"
  id "io.swagger.core.v3.swagger-gradle-plugin" version "${swaggerVersion}"

+  // When updating the spotbugs gradle plugin, check if it already
+  // includes spotbugs version 4.7.4, in which case CVE-2022-42920 can
+  // be dropped from gradle/resources/dependencycheck-suppressions.xml
  id "com.github.spotbugs" version '5.1.3' apply false
  id 'org.scoverage' version '7.0.1' apply false
  id 'com.github.johnrengelman.shadow' version '8.1.1' apply false
@ -757,6 +760,7 @@ subprojects {
				@@ -757,6 +760,7 @@ subprojects {

  dependencyCheck {
    suppressionFile = "$rootDir/gradle/resources/dependencycheck-suppressions.xml"
+    skipProjects = [ ":jmh-benchmarks", ":trogdor" ]
  }
 }

--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@ -93,6 +93,9 @@ versions += [
				@@ -93,6 +93,9 @@ versions += [
  argparse4j: "0.7.0",
  bcpkix: "1.75",
  caffeine: "2.9.3", // 3.x supports JDK 11 and above
+  // when updating checkstyle, check whether the exclusion of
+  // CVE-2023-2976 and CVE-2020-8908 can be dropped from
+  // gradle/resources/dependencycheck-suppressions.xml
  checkstyle: "8.36.2",
  commonsCli: "1.4",
  commonsValidator: "1.7",
--- a/gradle/resources/dependencycheck-suppressions.xml
+++ b/gradle/resources/dependencycheck-suppressions.xml
@ -23,4 +23,31 @@
				@@ -23,4 +23,31 @@
    ]]></notes>
    <cve>CVE-2023-35116</cve>
  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      This older version of BCEL is only included in spotbugs.
+      CVE-2022-42920 is irrelevant for spotbugs
+      (https://github.com/spotbugs/spotbugs/discussions/2251),
+      This suppression will no longer be needed when spotbugs 4.7.4 is
+      released.
+    ]]></notes>
+    <cve>CVE-2022-42920</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      This older version of Guava is only included in checkstyle.
+      CVE-2023-2976 and CVE-2020-8908 are irrelevant for checkstyle,
+      as it is not executed with elevated privileges.
+      This suppression will no longer be needed when checkstyle
+      is updated to 10.5.0 or later.
+    ]]></notes>
+    <cve>CVE-2020-8908</cve>
+    <cve>CVE-2023-2976</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      Kafka does not use CgiServlet
+    ]]></notes>
+    <cve>CVE-2023-36479</cve>
+  </suppress>
 </suppressions>