NIFI-11114 Thise closes apache#6906. Upgraded OWASP Dependency Check …

…from 7.4.4 to 8.0.2 - Added jetty-jmx to managed dependencies to maintain aligned versions Signed-off-by: Joe Witt <[email protected]>
nexr · Jan 31, 2023 · bda1bd3 · bda1bd3
1 parent a107214
commit bda1bd3
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
@@ -180,8 +180,23 @@
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
-        <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
-        <cpe>cpe:/a:apache:apache_http_server</cpe>
+        <notes>CVE-2022-45046 description notes that the initial issue was not a security vulnerability</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel\-salesforce@.*$</packageUrl>
+        <cve>CVE-2022-45046</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-36632 applies to JavaScript module named hughsk/flat not flatbuffers</notes>
+        <packageUrl regex="true">^pkg:maven/com\.vlkan/flatbuffers@.*$</packageUrl>
+        <cve>CVE-2020-36632</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2018-8015 applies to Apache ORC not to Apache Iceberg</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-orc@.*$</packageUrl>
+        <cve>CVE-2018-8015</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-39135 applies to Calcite not Calcite Avatica</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*?@.*$</packageUrl>
+        <cve>CVE-2022-39135</cve>
     </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -512,6 +512,11 @@
                 <artifactId>jetty-util-ajax</artifactId>
                 <version>${jetty.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-jmx</artifactId>
+                <version>${jetty.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.eclipse.jetty.http2</groupId>
                 <artifactId>http2-client</artifactId>
@@ -1190,7 +1195,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.4.4</version>
+                        <version>8.0.2</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>