Skip to content

Commit

Permalink
Merge branch 'master' into high-watermark-subcommand
Browse files Browse the repository at this point in the history
  • Loading branch information
siladu committed Sep 14, 2023
2 parents db700e1 + b51f5bd commit 05fdeed
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
11 changes: 11 additions & 0 deletions gradle/owasp-suppression.xml
Original file line number Diff line number Diff line change
@@ -1,6 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
<suppress until="2023-11-01">
<notes><![CDATA[
Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
file name: netty-handler-4.1.97.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972
Expand Down
9 changes: 8 additions & 1 deletion gradle/versions.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ dependencyManagement {
dependency 'com.squareup.okio:okio:3.4.0'

// addressing CVE-2022-41881, CVE-2022-41915, CVE-2023-34462
dependencySet(group: 'io.netty', version: '4.1.95.Final') {
dependencySet(group: 'io.netty', version: '4.1.97.Final') {
entry 'netty-all'
entry 'netty-handler'
entry 'netty-resolver-dns'
Expand Down Expand Up @@ -237,5 +237,12 @@ dependencyManagement {

// used in tests to assert log message
dependency 'de.neuland-bfi:assertj-logging-log4j:0.5.0'

// addresses CVE-2023-4759
/*
+--- com.google.errorprone:error_prone_check_api:2.11.0
| +--- io.github.java-diff-utils:java-diff-utils:4.0
*/
dependency 'io.github.java-diff-utils:java-diff-utils:4.12'
}
}

0 comments on commit 05fdeed

Please sign in to comment.