From 39895c3aa110be6fea645614896c0cd909ecaa95 Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Fri, 11 Oct 2024 16:03:24 +0200
Subject: [PATCH] DAOS-16673 common: ignore Hadoop 3.4.0 related CVE (#15284)

Hadoope 3.4.0 has resolved a few CVE issues but introduces new + enable on demand scan and scan on final PR merge for proper update to GitHub Security tab.

Signed-off-by: Tomasz Gromadzki
---
 .github/workflows/trivy.yml | 3 +++
 utils/trivy/.trivyignore | 36 ++++++++++++------------------------
 utils/trivy/trivy.yaml | 1 -
 3 files changed, 15 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index a9eec6447fd..8f5524d4513 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,6 +1,9 @@
 name: Trivy scan
 on:
+ workflow_dispatch:
+ push:
+ branches: ["master", "release/**"]
 pull_request:
 branches: ["master", "release/**"]
diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore
index c780a942514..3a3b4cff1ce 100644
--- a/utils/trivy/.trivyignore
+++ b/utils/trivy/.trivyignore
@@ -1,4 +1,4 @@
-## Ignored hadoop related CVE
+## Ignored hadoop 3.3.6 related CVE
 ## CVE-2023-52428,MEDIUM,,"Denial of Service in Connect2id Nimbus JOSE+JWT","com.nimbusds:nimbus-jose-jwt","9.8.1","9.37.2",https://avd.aquasec.com/nvd/cve-2023-52428
 CVE-2023-52428
 ## CVE-2023-39410,HIGH,7.5,"apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK","org.apache.avro:avro","1.7.7","1.11.3",https://avd.aquasec.com/nvd/cve-2023-39410
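Review bot: The new `push:` trigger on master and release branches runs the scan on merged code, but whether that run can publish to the Security tab depends on the job having `permissions: security-events: write` (plus `contents: read`), which is outside this hunk; with a default read-only token the push-triggered scan would run but the upload step, presumably a SARIF upload, may fail silently from the tab's point of view. Worth confirming in the job definition that follows. A one-line comment above `push:`, `# push: scan the merged tree so Security tab findings track the branch head`, would record why both triggers are present. The rest of the workflow starts outside the hunk.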
@@ -11,29 +11,17 @@
 CVE-2024-26308
 CVE-2024-29131
 ## CVE-2024-29133,MEDIUM,,"commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29133
 CVE-2024-29133
-## CVE-2022-40150,HIGH,7.5,"jettison: memory exhaustion via user-supplied XML or JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-40150
-CVE-2022-40150
-## CVE-2022-45685,HIGH,7.5,"jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45685
-CVE-2022-45685
-## CVE-2022-45693,HIGH,7.5,"jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45693
-CVE-2022-45693
-## CVE-2023-1436,HIGH,7.5,"jettison: Uncontrolled Recursion in JSONArray","org.codehaus.jettison:jettison","1.1","1.5.4",https://avd.aquasec.com/nvd/cve-2023-1436
-CVE-2023-1436
-## CVE-2022-40149,MEDIUM,7.5,"jettison: parser crash by stackoverflow","org.codehaus.jettison:jettison","1.1","1.5.1",https://avd.aquasec.com/nvd/cve-2022-40149
-CVE-2022-40149
-## CVE-2023-34455,HIGH,7.5,"snappy-java: Unchecked chunk length leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34455
-CVE-2023-34455
-## CVE-2023-43642,HIGH,7.5,"snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.4",https://avd.aquasec.com/nvd/cve-2023-43642
-CVE-2023-43642
-## CVE-2023-34453,MEDIUM,7.5,"snappy-java: Integer overflow in shuffle leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34453
-CVE-2023-34453
-## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454
-CVE-2023-34454
 ## CVE-2024-25638,HIGH,,"dnsjava: Improper response validation allowing DNSSEC bypass","dnsjava:dnsjava","2.1.7","3.6.0",https://avd.aquasec.com/nvd/cve-2024-25638
 CVE-2024-25638
-## Ignore DNSJava-related issues
-## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf
-GHSA-crjg-w57m-rqqf
-## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr
-GHSA-mmwx-rj87-vfgr
\ No newline at end of file
+## Ignored hadoop 3.4.0 related CVE
+## CVE-2024-47561,CRITICAL,,"apache-avro: Schema parsing may trigger Remote Code Execution (RCE)","org.apache.avro:avro","1.9.2","1.11.4",https://avd.aquasec.com/nvd/cve-2024-47561
+CVE-2024-47561
+## CVE-2023-33201,MEDIUM,5.3,"bouncycastle: potential blind LDAP injection attack using a self-signed certificate","org.bouncycastle:bcprov-jdk15on","1.70","",https://avd.aquasec.com/nvd/cve-2023-33201
+CVE-2023-33201
+## CVE-2024-29857,MEDIUM,,"org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-29857
+CVE-2024-29857
+## CVE-2024-30171,MEDIUM,,"bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-30171
+CVE-2024-30171
+## CVE-2024-30172,MEDIUM,,"org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class","org.bouncycastle:bcprov-jdk15on","1.70","1.78",https://avd.aquasec.com/nvd/cve-2024-30172
+CVE-2024-30172
diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml
index 293f7b1ba9f..cfb13b5c40f 100644
--- a/utils/trivy/trivy.yaml
+++ b/utils/trivy/trivy.yaml
@@ -1,6 +1,5 @@
 cache:
 backend: fs
- clear: false
 dir:
 redis:
 ca: ""
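Review bot: The new entry `CVE-2024-47561` suppresses a CRITICAL remote-code-execution finding in Avro schema parsing (org.apache.avro:avro 1.9.2, fixed in 1.11.4) with no recorded reason or expiry, so it keeps masking the finding even once a patched Avro becomes reachable through a later Hadoop bump. Trivy's `.trivyignore` accepts an expiry on the ID line, e.g. `CVE-2024-47561 exp:<YYYY-MM-DD>` (placeholder date), and a comment such as `## accepted: pulled in transitively by the Hadoop client, schema parsing not exercised here` (constructed example, confirm against the actual dependency use) would give the next reader the justification; the same applies to the four BouncyCastle entries, where CVE-2023-33201 lists no fixed version for bcprov-jdk15on 1.70, which suggests that artifact line itself is no longer patched. Entries are matched by ID alone, not by package, so the retained "3.3.6" section above also suppresses those IDs if they reappear through any other dependency; if Hadoop 3.3.6 is no longer in the build those entries look stale and could be pruned. The first hunk of this file only renames that section header.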