
MINOR: fix dependencycheck warnings (#14476)

Add suppressions and skip benchmarking/testing projects

Reviewers: Josep Prat <josep.prat@aiven.io>
pull/14530/head
Arnout Engelen 1 year ago committed by GitHub
parent
commit
1983ebebc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      build.gradle
  2. 3
      gradle/dependencies.gradle
  3. 27
      gradle/resources/dependencycheck-suppressions.xml

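--- a/build.gradle
+++ b/build.gradle
@@ -39,6 +39,9 @@ plugins {
 id 'org.nosphere.apache.rat' version "0.8.1"
 id "io.swagger.core.v3.swagger-gradle-plugin" version "${swaggerVersion}"
+// When updating the spotbugs gradle plugin, check if it already
+// includes spotbugs version 4.7.4, in which case CVE-2022-42920 can
+// be dropped from gradle/resources/dependencycheck-suppressions.xml
 id "com.github.spotbugs" version '5.1.3' apply false
 id 'org.scoverage' version '7.0.1' apply false
 id 'com.github.johnrengelman.shadow' version '8.1.1' apply false
@@ -757,6 +760,7 @@ subprojects {
 dependencyCheck {
 suppressionFile = "$rootDir/gradle/resources/dependencycheck-suppressions.xml"
+skipProjects = [ ":jmh-benchmarks", ":trogdor" ]
 }
 }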
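Review bot: `skipProjects = [ ":jmh-benchmarks", ":trogdor" ]` removes two modules from the CVE scan without recording why, and :trogdor is a test framework rather than a benchmark; if it is part of the release tarball (not visible from this hunk), its dependencies now ship unscanned. I would keep the skip only for modules that are certainly not released and say so on the line itself: `// Test-only modules that are not part of the release artifacts; their dependencies are deliberately not scanned.` Also worth a sentence in the plugins comment: a CVE suppressed for spotbugs in the shared suppression file is suppressed for every subproject unless the entry is scoped to the artifact, so "dropped" there should be read as "also re-check that nothing else pulls BCEL in". The enclosing subprojects block starts and ends outside the hunk.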

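--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -93,6 +93,9 @@ versions += [
 argparse4j: "0.7.0",
 bcpkix: "1.75",
 caffeine: "2.9.3", // 3.x supports JDK 11 and above
+// when updating checkstyle, check whether the exclusion of
+// CVE-2023-2976 and CVE-2020-8908 can be dropped from
+// gradle/resources/dependencycheck-suppressions.xml
 checkstyle: "8.36.2",
 commonsCli: "1.4",
 commonsValidator: "1.7",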
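Review bot: The new checkstyle comment only says to "check whether" the two suppressions can be dropped, while the suppression file in this same commit already commits to a concrete threshold (checkstyle 10.5.0 or later); stating the version here keeps the two in step and makes the cleanup unambiguous at upgrade time. I would write `// when updating checkstyle to 10.5.0 or later, drop the CVE-2023-2976 and CVE-2020-8908 suppressions from gradle/resources/dependencycheck-suppressions.xml`. The versions map starts and ends outside the hunk.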

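--- a/gradle/resources/dependencycheck-suppressions.xml
+++ b/gradle/resources/dependencycheck-suppressions.xml
@@ -23,4 +23,31 @@
 ]]></notes>
 <cve>CVE-2023-35116</cve>
 </suppress>
+<suppress>
+<notes><![CDATA[
+This older version of BCEL is only included in spotbugs.
+CVE-2022-42920 is irrelevant for spotbugs
+(https://github.com/spotbugs/spotbugs/discussions/2251),
+This suppression will no longer be needed when spotbugs 4.7.4 is
+released.
+]]></notes>
+<cve>CVE-2022-42920</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+This older version of Guava is only included in checkstyle.
+CVE-2023-2976 and CVE-2020-8908 are irrelevant for checkstyle,
+as it is not executed with elevated privileges.
+This suppression will no longer be needed when checkstyle
+is updated to 10.5.0 or later.
+]]></notes>
+<cve>CVE-2020-8908</cve>
+<cve>CVE-2023-2976</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+Kafka does not use CgiServlet
+]]></notes>
+<cve>CVE-2023-36479</cve>
+</suppress>
 </suppressions>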
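Review bot: Each new `<suppress>` element matches on `<cve>` alone, so dependency-check drops that CVE for every artifact in every scanned module, not only for the spotbugs, checkstyle or Jetty artifact the notes describe; if BCEL or an old Guava ever arrives transitively in a runtime module, CVE-2022-42920, CVE-2020-8908 and CVE-2023-2976 stay silent. Scope each entry to the artifact the note names with a `<packageUrl regex="true">` (for example `^pkg:maven/org\.apache\.bcel/bcel@.*$` and `^pkg:maven/com\.google\.guava/guava@.*$`), and give the two time-bounded ones an `until="YYYY-MM-DD"` attribute so dependency-check re-raises them instead of the "will no longer be needed when …" note being forgotten. The Guava rationale ("not executed with elevated privileges") is also the wrong argument: as far as I recall both advisories concern temp files created with default permissions in a shared temp directory, so privilege level is irrelevant and the defensible reason is that checkstyle is a build-time tool whose artifact is not shipped. The CgiServlet note should name the artifact it covers (presumably jetty-servlets — confirm against the scan report) so the suppression can be checked later.
```xml
<suppress>
<!-- … unchanged: BCEL/spotbugs note … -->
<packageUrl regex="true">^pkg:maven/org\.apache\.bcel/bcel@.*$</packageUrl>
<cve>CVE-2022-42920</cve>
</suppress>
<suppress>
<!-- … unchanged: Guava/checkstyle note, reworded to "build-time only, artifact not shipped" … -->
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2020-8908</cve>
<cve>CVE-2023-2976</cve>
</suppress>
<suppress>
<!-- … unchanged: CgiServlet note, extended with the artifact name … -->
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-servlets@.*$</packageUrl>
<cve>CVE-2023-36479</cve>
</suppress>
```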
