Skip to content

Commit

Permalink
DAOS-16673 common: ignore Hadoop 3.4.0 related CVE (#15284)
Browse files Browse the repository at this point in the history
Hadoope 3.4.0 has resolved a few CVE issues but introduces new

+ enable on demand scan and scan on final PR merge
for proper update to GitHub Security tab.

Signed-off-by: Tomasz Gromadzki <[email protected]>
  • Loading branch information
grom72 authored Oct 11, 2024
1 parent 24700c3 commit 39895c3
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 25 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/trivy.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
name: Trivy scan

on:
workflow_dispatch:
push:
branches: ["master", "release/**"]
pull_request:
branches: ["master", "release/**"]

Expand Down
36 changes: 12 additions & 24 deletions utils/trivy/.trivyignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
## Ignored hadoop related CVE
## Ignored hadoop 3.3.6 related CVE
## CVE-2023-52428,MEDIUM,,"Denial of Service in Connect2id Nimbus JOSE+JWT","com.nimbusds:nimbus-jose-jwt","9.8.1","9.37.2",https://avd.aquasec.com/nvd/cve-2023-52428
CVE-2023-52428
## CVE-2023-39410,HIGH,7.5,"apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK","org.apache.avro:avro","1.7.7","1.11.3",https://avd.aquasec.com/nvd/cve-2023-39410
Expand All @@ -11,29 +11,17 @@ CVE-2024-26308
CVE-2024-29131
## CVE-2024-29133,MEDIUM,,"commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29133
CVE-2024-29133
## CVE-2022-40150,HIGH,7.5,"jettison: memory exhaustion via user-supplied XML or JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-40150
CVE-2022-40150
## CVE-2022-45685,HIGH,7.5,"jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45685
CVE-2022-45685
## CVE-2022-45693,HIGH,7.5,"jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45693
CVE-2022-45693
## CVE-2023-1436,HIGH,7.5,"jettison: Uncontrolled Recursion in JSONArray","org.codehaus.jettison:jettison","1.1","1.5.4",https://avd.aquasec.com/nvd/cve-2023-1436
CVE-2023-1436
## CVE-2022-40149,MEDIUM,7.5,"jettison: parser crash by stackoverflow","org.codehaus.jettison:jettison","1.1","1.5.1",https://avd.aquasec.com/nvd/cve-2022-40149
CVE-2022-40149
## CVE-2023-34455,HIGH,7.5,"snappy-java: Unchecked chunk length leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34455
CVE-2023-34455
## CVE-2023-43642,HIGH,7.5,"snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.4",https://avd.aquasec.com/nvd/cve-2023-43642
CVE-2023-43642
## CVE-2023-34453,MEDIUM,7.5,"snappy-java: Integer overflow in shuffle leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34453
CVE-2023-34453
## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454
CVE-2023-34454
## CVE-2024-25638,HIGH,,"dnsjava: Improper response validation allowing DNSSEC bypass","dnsjava:dnsjava","2.1.7","3.6.0",https://avd.aquasec.com/nvd/cve-2024-25638
CVE-2024-25638

## Ignore DNSJava-related issues
## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf
GHSA-crjg-w57m-rqqf
## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr
GHSA-mmwx-rj87-vfgr
## Ignored hadoop 3.4.0 related CVE
## CVE-2024-47561,CRITICAL,,"apache-avro: Schema parsing may trigger Remote Code Execution (RCE)","org.apache.avro:avro","1.9.2","1.11.4",https://avd.aquasec.com/nvd/cve-2024-47561
CVE-2024-47561
## CVE-2023-33201,MEDIUM,5.3,"bouncycastle: potential blind LDAP injection attack using a self-signed certificate","org.bouncycastle:bcprov-jdk15on","1.70","",https://avd.aquasec.com/nvd/cve-2023-33201
CVE-2023-33201
## CVE-2024-29857,MEDIUM,,"org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-29857
CVE-2024-29857
## CVE-2024-30171,MEDIUM,,"bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-30171
CVE-2024-30171
## CVE-2024-30172,MEDIUM,,"org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-30172
CVE-2024-30172
1 change: 0 additions & 1 deletion utils/trivy/trivy.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
cache:
backend: fs
clear: false
dir:
redis:
ca: ""
Expand Down

0 comments on commit 39895c3

Please sign in to comment.