
[fix][build] Resolve OWASP Dependency Check false positives #19120

Merged

Conversation

lhotari
Member

@lhotari lhotari commented Jan 2, 2023

Motivation

OWASP Dependency Check is failing with some false positives:

One or more dependencies were identified with known vulnerabilities in Pulsar :: Distribution :: Server:

commons-cli-1.5.0.jar (pkg:maven/commons-cli/commons-cli@1.5.0, cpe:2.3:a:apache:commons_net:1.5.0:*:*:*:*:*:*:*) : CVE-2021-37533
commons-codec-1.15.jar (pkg:maven/commons-codec/commons-codec@1.15, cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:*) : CVE-2021-37533
commons-compress-1.21.jar (pkg:maven/org.apache.commons/commons-compress@1.21, cpe:2.3:a:apache:commons_compress:1.21:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:1.21:*:*:*:*:*:*:*) : CVE-2021-37533
commons-configuration-1.10.jar (pkg:maven/commons-configuration/commons-configuration@1.10, cpe:2.3:a:apache:commons_configuration:1.10:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
commons-io-2.8.0.jar (pkg:maven/commons-io/commons-io@2.8.0, cpe:2.3:a:apache:commons_io:2.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:2.8.0:*:*:*:*:*:*:*) : CVE-2021-37533
commons-lang-2.6.jar (pkg:maven/commons-lang/commons-lang@2.6, cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:*) : CVE-2021-37533
commons-logging-1.1.1.jar (pkg:maven/commons-logging/commons-logging@1.1.1, cpe:2.3:a:apache:commons_net:1.1.1:*:*:*:*:*:*:*) : CVE-2021-37533
commons-text-1.10.0.jar (pkg:maven/org.apache.commons/commons-text@1.10.0, cpe:2.3:a:apache:commons_net:1.10.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_text:1.10.0:*:*:*:*:*:*:*) : CVE-2021-37533
http-server-4.15.3.jar (pkg:maven/org.apache.bookkeeper.http/http-server@4.15.3, cpe:2.3:a:apache:apache_http_server:4.15.3:*:*:*:*:*:*:*, cpe:2.3:a:apache:bookkeeper:4.15.3:*:*:*:*:*:*:*) : CVE-2010-1151
jcl-over-slf4j-1.7.32.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.32, cpe:2.3:a:apache:commons_net:1.7.32:*:*:*:*:*:*:*) : CVE-2021-37533
vertx-http-server-4.15.3.jar (pkg:maven/org.apache.bookkeeper.http/vertx-http-server@4.15.3, cpe:2.3:a:apache:apache_http_server:4.15.3:*:*:*:*:*:*:*, cpe:2.3:a:apache:bookkeeper:4.15.3:*:*:*:*:*:*:*) : CVE-2010-1151

example: https://github.com/apache/pulsar/actions/runs/3819386174/jobs/6496901705#step:8:194

Modifications

Add suppressions to OWASP Dependency Check configuration.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
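
The shape such suppressions take, as an added example and not the file from this PR: the package URL regexes and notes are assumptions, and the CPE product names are the ones from the report above. Each entry suppresses the mis-assigned CPE rather than CVE-2021-37533 or CVE-2010-1151, so a genuine advisory against an artifact's own CPE (for example cpe:/a:apache:commons_text) would still be reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an OWASP Dependency Check suppressions file for the
     false positives listed in the PR description. Not the Pulsar project's
     own file; regexes and notes are assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- commons-cli, commons-codec, commons-compress, commons-configuration,
         commons-io, commons-lang, commons-logging and commons-text are all
         matched to cpe:/a:apache:commons_net, which brings in
         CVE-2021-37533 (a commons-net issue). The group id differs per
         artifact, so the regex accepts both forms. -->
    <suppress>
        <notes><![CDATA[
        Apache Commons artifacts that are not commons-net. Only the
        commons_net CPE is suppressed; each artifact's own CPE stays active.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/(commons\-[a-z]+|org\.apache\.commons)/commons\-(cli|codec|compress|configuration|io|lang|logging|text)@.*$</packageUrl>
        <cpe>cpe:/a:apache:commons_net</cpe>
    </suppress>

    <!-- jcl-over-slf4j is a commons-logging bridge from SLF4J, not commons-net. -->
    <suppress>
        <notes><![CDATA[
        SLF4J bridge mis-identified as Apache Commons Net.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.slf4j/jcl\-over\-slf4j@.*$</packageUrl>
        <cpe>cpe:/a:apache:commons_net</cpe>
    </suppress>

    <!-- BookKeeper's http-server and vertx-http-server modules are matched
         to the Apache HTTP Server (httpd) CPE, which brings in CVE-2010-1151.
         The bookkeeper CPE is left in place. -->
    <suppress>
        <notes><![CDATA[
        BookKeeper HTTP modules are not Apache httpd.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.bookkeeper\.http/(vertx\-)?http\-server@.*$</packageUrl>
        <cpe>cpe:/a:apache:apache_http_server</cpe>
    </suppress>

</suppressions>
```

The file is referenced from the plugin configuration (the `suppressionFiles` setting in the Maven plugin); after adding it, re-run the check and confirm the artifacts' own CPEs still appear in the report so that only the wrong product match was silenced.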

@lhotari lhotari added this to the 2.12.0 milestone Jan 2, 2023
@lhotari lhotari self-assigned this Jan 2, 2023
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jan 2, 2023
@lhotari lhotari requested a review from nodece January 2, 2023 10:55
@codecov-commenter

codecov-commenter commented Jan 2, 2023

Codecov Report

Merging #19120 (e35089d) into master (e194c01) will decrease coverage by 1.95%.
The diff coverage is n/a.


@@             Coverage Diff              @@
##             master   #19120      +/-   ##
============================================
- Coverage     47.36%   45.40%   -1.96%     
- Complexity    10714    10938     +224     
============================================
  Files           712      772      +60     
  Lines         69598    74370    +4772     
  Branches       7470     8002     +532     
============================================
+ Hits          32962    33769     +807     
- Misses        32928    36799    +3871     
- Partials       3708     3802      +94     
Flag Coverage Δ
unittests 45.40% <ø> (-1.96%) ⬇️

Flags with carried forward coverage won't be shown.

Impacted Files Coverage Δ
...g/apache/bookkeeper/mledger/util/StatsBuckets.java 43.75% <0.00%> (-16.67%) ⬇️
.../apache/pulsar/broker/admin/impl/PackagesBase.java 54.12% <0.00%> (-13.77%) ⬇️
...ookkeeper/mledger/impl/ManagedLedgerMBeanImpl.java 53.17% <0.00%> (-9.53%) ⬇️
...balance/impl/SimpleResourceAllocationPolicies.java 48.57% <0.00%> (-5.72%) ⬇️
...r/service/AbstractDispatcherMultipleConsumers.java 66.12% <0.00%> (-4.84%) ⬇️
...sar/broker/loadbalance/impl/LoadManagerShared.java 42.54% <0.00%> (-2.64%) ⬇️
...pache/pulsar/broker/admin/v2/PersistentTopics.java 72.04% <0.00%> (-2.51%) ⬇️
.../org/apache/pulsar/broker/admin/v2/Namespaces.java 56.50% <0.00%> (-2.19%) ⬇️
...rg/apache/pulsar/broker/web/PulsarWebResource.java 55.60% <0.00%> (-1.87%) ⬇️
...pache/pulsar/broker/admin/impl/NamespacesBase.java 61.80% <0.00%> (-1.26%) ⬇️
... and 84 more

@lhotari lhotari merged commit f912fb3 into apache:master Jan 2, 2023
lhotari added a commit that referenced this pull request Jan 2, 2023
@lhotari lhotari added cherry-picked/branch-2.8 Archived: 2.8 is end of life release/2.8.5 labels Jan 2, 2023