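<?xml version="1.0" encoding="UTF-8"?>
<!--
  OWASP Dependency-Check suppression rules for the stream-reactor connector assemblies.

  Conventions for rules in this file:
  * Every rule carries a matching criterion (packageUrl or filePath here). The <notes> element is
    documentation only and is never used for matching: a rule with no criterion suppresses the
    listed CVE/CPE for every dependency in the scan, not just the jar named in its notes.
  * Each group of rules is preceded by a comment giving the reason the finding is a false positive
    and, where available, an upstream reference, so the rule can be revisited later.
  * The packageUrl patterns end in "@.*$", i.e. they apply to every version of the artifact. That is
    the right scope for a wrong CPE mapping, but it also hides genuine future advisories against the
    same artifact. When adding a rule, prefer an expiry, e.g. <suppress until="YYYY-MM-DDZ">
    (placeholder date), so the suppression is re-evaluated on the next scan after that date.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Module: AWS-S3 -->
  <!-- The flagged CVE relates to Hadoop 1.2, which is very old. hadoop-shaded-protobuf is not part of
       core Hadoop but a third-party packaging of protobuf; because it is published as version 1.2.0
       the CPE matcher identifies it as an old Hadoop release. The whole apache:hadoop CPE is
       suppressed for this artifact because the mapping itself is wrong, not a single CVE. -->
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-aws-s3-assembly-6.3-SNAPSHOT.jar (shaded: org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21:1.2.0)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
    <cpe>cpe:/a:apache:hadoop</cpe>
  </suppress>

  <!-- Module: FTP -->
  <!-- Treated as a false positive: the library the CVE concerns is not in the dependency tree and
       inspecting the jar shows no evidence of the compiled C library. The filePath criterion limits
       the rule to the FTP assembly (and the shaded artifacts nested in it); without it the CVE would
       be suppressed for every dependency in the scan. -->
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-ftp-assembly-6.3-SNAPSHOT.jar
    ]]></notes>
    <filePath regex="true">.*kafka\-connect\-ftp\-assembly.*\.jar.*</filePath>
    <cve>CVE-2023-22551</cve>
  </suppress>

  <!-- Module: Azure Datalake -->
  <!-- The Azure SDK for Java artifacts produce a lot of false positives in the OWASP tool: they are
       matched against the CPEs of unrelated Microsoft products (azure_cli, azure_sdk_for_java) and
       against CVE-2023-36052, which is a known false positive for these artifacts, see
       https://github.com/jeremylong/DependencyCheck/issues/6100 -->
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-azure-datalake-assembly-6.3-SNAPSHOT.jar (shaded: com.azure:azure-json:1.1.0)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-json@.*$</packageUrl>
    <cve>CVE-2023-36052</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-azure-datalake-assembly-6.3-SNAPSHOT.jar (shaded: com.azure:azure-identity:1.11.4)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
    <cpe>cpe:/a:microsoft:azure_cli</cpe>
    <cve>CVE-2023-36415</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-azure-datalake-assembly-6.3-SNAPSHOT.jar (shaded: com.azure:azure-core-http-netty:1.14.1)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-core\-http\-netty@.*$</packageUrl>
    <cve>CVE-2023-36052</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-azure-datalake-assembly-6.3-SNAPSHOT.jar (shaded: com.azure:azure-core:1.47.0)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-core@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_cli</cpe>
    <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-azure-datalake-assembly-6.4-SNAPSHOT.jar (shaded: com.azure:azure-xml:1.0.0)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-xml@.*$</packageUrl>
    <cve>CVE-2023-36052</cve>
  </suppress>

  <!-- Module: Common -->
  <!-- This CVE is not valid; verified by the project author:
       https://github.com/JodaOrg/joda-time/issues/780 -->
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-common-assembly-6.4-SNAPSHOT.jar (shaded: joda-time:joda-time:2.10.8)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
  </suppress>

  <!-- Module: GCP Storage -->
  <!-- Similar to the joda-time case above: there is insufficient evidence for these two advisories.
       https://vulners.com/cve/CVE-2024-23081
       https://vulners.com/cve/CVE-2024-23082 -->
  <suppress>
    <notes><![CDATA[
    file name: kafka-connect-gcp-storage-assembly-6.4-SNAPSHOT.jar (shaded: org.threeten:threetenbp:1.6.8)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-23081</vulnerabilityName>
    <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
  </suppress>

</suppressions>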