Browse Source

MINOR: fix dependencycheck warnings (#14476)

Add suppressions and skip benchmarking/testing projects

Reviewers: Josep Prat <josep.prat@aiven.io>
pull/14530/head
Arnout Engelen 1 year ago committed by GitHub
parent
commit
1983ebebc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      build.gradle
  2. 3
      gradle/dependencies.gradle
  3. 27
      gradle/resources/dependencycheck-suppressions.xml

4
build.gradle

@ -39,6 +39,9 @@ plugins { @@ -39,6 +39,9 @@ plugins {
id 'org.nosphere.apache.rat' version "0.8.1"
id "io.swagger.core.v3.swagger-gradle-plugin" version "${swaggerVersion}"
// When updating the spotbugs gradle plugin, check if it already
// includes spotbugs version 4.7.4, in which case CVE-2022-42920 can
// be dropped from gradle/resources/dependencycheck-suppressions.xml
id "com.github.spotbugs" version '5.1.3' apply false
id 'org.scoverage' version '7.0.1' apply false
id 'com.github.johnrengelman.shadow' version '8.1.1' apply false
@ -757,6 +760,7 @@ subprojects { @@ -757,6 +760,7 @@ subprojects {
dependencyCheck {
suppressionFile = "$rootDir/gradle/resources/dependencycheck-suppressions.xml"
skipProjects = [ ":jmh-benchmarks", ":trogdor" ]
}
}

3
gradle/dependencies.gradle

@ -93,6 +93,9 @@ versions += [ @@ -93,6 +93,9 @@ versions += [
argparse4j: "0.7.0",
bcpkix: "1.75",
caffeine: "2.9.3", // 3.x supports JDK 11 and above
// when updating checkstyle, check whether the exclusion of
// CVE-2023-2976 and CVE-2020-8908 can be dropped from
// gradle/resources/dependencycheck-suppressions.xml
checkstyle: "8.36.2",
commonsCli: "1.4",
commonsValidator: "1.7",

27
gradle/resources/dependencycheck-suppressions.xml

@ -23,4 +23,31 @@ @@ -23,4 +23,31 @@
]]></notes>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress>
<notes><![CDATA[
This older version of BCEL is only included in spotbugs.
CVE-2022-42920 is irrelevant for spotbugs
(https://github.com/spotbugs/spotbugs/discussions/2251),
This suppression will no longer be needed when spotbugs 4.7.4 is
released.
]]></notes>
<cve>CVE-2022-42920</cve>
</suppress>
<suppress>
<notes><![CDATA[
This older version of Guava is only included in checkstyle.
CVE-2023-2976 and CVE-2020-8908 are irrelevant for checkstyle,
as it is not executed with elevated privileges.
This suppression will no longer be needed when checkstyle
is updated to 10.5.0 or later.
]]></notes>
<cve>CVE-2020-8908</cve>
<cve>CVE-2023-2976</cve>
</suppress>
<suppress>
<notes><![CDATA[
Kafka does not use CgiServlet
]]></notes>
<cve>CVE-2023-36479</cve>
</suppress>
</suppressions>

Loading…
Cancel
Save