suppress false positive cve (apache#11699) (apache#11702)

* suppress false positive cve * update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
confluentinc · Sep 14, 2021 · 5c59d77 · 5c59d77
1 parent 194371b
commit 5c59d77
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/check_test_suite.py b/check_test_suite.py
@@ -29,7 +29,7 @@
 ignore_prefixes = ['.github', '.idea', '.asf.yaml', '.backportrc.json', '.codecov.yml', '.dockerignore', '.gitignore',
                    '.lgtm.yml', 'CONTRIBUTING.md', 'setup-hooks.sh', 'upload.sh', 'dev', 'distribution/docker',
                    'distribution/asf-release-process-guide.md', '.travis.yml', 'check_test_suite.py',
-                   'check_test_suite_test.py']
+                   'check_test_suite_test.py', 'owasp-dependency-check-suppressions.xml']
 
 # these files are docs changes
 # if changes are limited to this set then we can skip web-console and java

diff --git a/check_test_suite_test.py b/check_test_suite_test.py
@@ -77,7 +77,7 @@ def test_some_java(self):
             ['check_test_suite_test.py'],
             ['website/core/Footer.js'],
             ['web-console/src/views/index.ts'],
-            ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html']
+            ['check_test_suite_test.py', 'website/core/Footer.js', 'web-console/unified-console.html', 'owasp-dependency-check-suppressions.xml']
         ]
         some_java_diffs = [
             ['core/src/main/java/org/apache/druid/math/expr/Expr.java'],

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -26,6 +26,7 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
     <cve>CVE-2012-4449</cve>
     <cve>CVE-2017-3162</cve>
+    <cve>CVE-2018-8009</cve>
   </suppress>
   <suppress>
     <!-- druid-processing.jar is mistaken for org.processing:processing -->
@@ -387,4 +388,13 @@
     <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/[email protected]$</packageUrl>
     <cve>CVE-2020-13949</cve>
   </suppress>
+  <suppress>
+    <!--
+    the scanner misattributes this to Apache DataSketches
+    the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
+    which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
+    because it seems nearly impossible for us to be affected by this
+     -->
+    <cve>CVE-2021-40531</cve>
+  </suppress>
 </suppressions>