Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Commit

Permalink
Update various vulnerabilities suppressions (#539)
Browse files Browse the repository at this point in the history
Update various vulnerabilities suppressions that are not relevant to EthSigner build.
  • Loading branch information
usmansaleem authored Jan 19, 2024
1 parent b3b62a8 commit 9ede0b4
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 18 deletions.
21 changes: 5 additions & 16 deletions gradle/owasp-suppression.xml
Original file line number Diff line number Diff line change
@@ -1,23 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
<suppress until="2024-01-16">
<notes><![CDATA[
Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
file name: netty-handler-4.1.100.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress until="2024-01-16">
<suppress until="2024-03-16">
<notes><![CDATA[
Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
https://github.com/jeremylong/DependencyCheck/issues/5992
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.11\.[1-9]$</packageUrl>
<vulnerabilityName>CVE-2023-36415</vulnerabilityName>
</suppress>
<suppress>
Expand All @@ -37,21 +26,21 @@
]]></notes>
<cve>CVE-2020-8908</cve>
</suppress>
<suppress until="2024-01-16">
<suppress until="2024-03-16">
<notes><![CDATA[
FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
<cve>CVE-2023-36052</cve>
</suppress>
<suppress until="2024-01-16">
<suppress until="2024-03-16">
<notes><![CDATA[
CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress until="2024-01-16">
<suppress until="2024-03-16">
<notes><![CDATA[
CVE relates to usage hostname verification when using TLS and doesn't apply as we use Tuweni for this
]]></notes>
Expand Down
4 changes: 2 additions & 2 deletions gradle/versions.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -136,11 +136,11 @@ dependencyManagement {
}

//overriding Azure libraries dependencies as we don't update signers library anymore
dependencySet(group: 'com.azure', version: '4.7.1') {
dependencySet(group: 'com.azure', version: '4.7.3') {
entry 'azure-security-keyvault-secrets'
entry 'azure-security-keyvault-keys'
}
dependency 'com.azure:azure-identity:1.10.4'
dependency 'com.azure:azure-identity:1.11.1'

/*
io.projectreactor.netty:reactor-netty-http:1.0.38 -> 1.0.39 // CVE-2023-34062
Expand Down

0 comments on commit 9ede0b4

Please sign in to comment.