hypertrace-ingester/owasp-suppressions.xml at main · hypertrace/hypertrace-ingester · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    All mismatch to hypertrace libs
    file name: grpc-client-utils-0.12.0.jar
    file name: grpc-context-utils-0.12.0.jar
    file name: span-processing-utils-0.1.52.jar
    file name: span-processing-config-service-api-0.1.52.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
    <cpe>cpe:/a:grpc:grpc</cpe>
    <cpe>cpe:/a:utils_project:utils</cpe>
    <cpe>cpe:/a:processing:processing</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
    We need to get pinot to upgrade this dep, it's 16 years old. Upgrades fix this issue but have changed package/group names
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-httpclient/commons\-httpclient@.*$</packageUrl>
    <cve>CVE-2012-5783</cve>
    <cve>CVE-2020-13956</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    False positive. Matching android app "wire"
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/wire\-.*@.*$</packageUrl>
    <cpe>cpe:/a:wire:wire</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
    This CVE impacts the maven build, not the runtime - ref https://spark.apache.org/security.html#CVE-2018-11804
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.*@.*$</packageUrl>
    <cve>CVE-2018-11804</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
    These CVEs impacts spark as standalone master, not being used in that way here - refs:
     https://spark.apache.org/security.html#CVE-2018-11770
     https://spark.apache.org/security.html#CVE-2018-17190
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark\-.*@.*$</packageUrl>
    <cve>CVE-2018-11770</cve>
    <cve>CVE-2018-17190</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: pinot-minion-builtin-tasks-0.12.1.jar
   Pinot mismatches
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.pinot/pinot\-minion\-builtin\-tasks@.*$</packageUrl>
    <cpe>cpe:/a:tasks:tasks</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: opentelemetry-exporter-prometheus-1.27.0-alpha.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.opentelemetry/opentelemetry\-exporter\-prometheus@.*$</packageUrl>
    <cpe>cpe:/a:prometheus:prometheus</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: avro-partitioners-0.2.13.jar. Affects go based projects
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\.kafkastreams\.framework/avro\-partitioners@.*$</packageUrl>
    <cve>CVE-2023-37475</cve>
  </suppress>
  <suppress until="2024-02-29Z">
    <notes><![CDATA[
   Not yet fixed in quartz. file name: quartz-2.3.2.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
    <cve>CVE-2023-39017</cve>
  </suppress>
  <suppress until="2024-02-29Z">
    <notes><![CDATA[
   file name: json-20230618.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
    <cve>CVE-2022-45688</cve>
    <cve>CVE-2023-5072</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
   file name: jackson-databind-2.15.2.jar https://github.com/FasterXML/jackson-databind/issues/3973 The maintainers
   have rejected the CVE
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2023-35116</cve>
  </suppress>
  <suppress until="2024-01-30Z">
    <notes><![CDATA[
  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
  Ref:
  https://github.com/grpc/grpc-java/issues/10033
  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
  </suppress>
  <suppress until="2024-02-29Z">
    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
    <vulnerabilityName>CVE-2023-44487</vulnerabilityName>
  </suppress>
  <suppress until="2024-02-29Z">
    <notes><![CDATA[
   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
   Ref: https://github.com/grpc/grpc-java/pull/10675
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
    <cve>CVE-2023-44487</cve>
  </suppress>
  <suppress until="2024-03-30Z">
    <notes><![CDATA[
   The fix might be available in 1.26.0, we will upgrade to it when its available
   file name: commons-compress-1.24.0.jar
   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
    <cve>CVE-2024-25710</cve>
    <cve>CVE-2024-26308</cve>
  </suppress>
</suppressions>