Fix vulnerable dependencies in web API package (#153)

* Update to owasp dep check 0.0.19, fixes dependency vulnerabilities * Remove omit=dev from npm audit compliance check, now owasp dep check dependencies are fixed * Latest package lock file for web api * Add false positive for CVE-2022-25878 in protobufjs 6.11.3 OSSIndex/vulns#305 * Allow WTFPL in allowed licenses for the web API (used by dependency of OWASP dep check, considered a permissive license) * False positives for vulnerabilities in AWS hotpatch for Log4j (we are not using AWS hotpatch) * False positives for vulnerabilities in AWS hotpatch for Log4j (we are not using AWS hotpatch)
finos · Jul 1, 2022 · ef06176 · ef06176
1 parent 66fff4a
commit ef06176
Show file tree

Hide file tree

Showing 3 changed files with 244 additions and 1,950 deletions.
diff --git a/dev/compliance/owasp-false-positives.xml b/dev/compliance/owasp-false-positives.xml
@@ -17,6 +17,9 @@
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 
+
+    <!-- Java platform false positives -->
+
     <!-- flyway-mysql driver is detected as part of MySQL -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/org\.flywaydb/flyway\-mysql@.*$</packageUrl>
@@ -43,4 +46,35 @@
         <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
     </suppress>
 
+    <!-- This vulnerability is in AWS hotpatch, not the base log4j libraries -->
+    <!-- We are not using AWS hotpatch -->
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-33915</vulnerabilityName>
+    </suppress>
+
+    <!-- This vulnerability is in AWS hotpatch, not the base log4j libraries -->
+    <!-- We are not using AWS hotpatch -->
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-33915</vulnerabilityName>
+    </suppress>
+
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-33915</vulnerabilityName>
+    </suppress>
+
+
+    <!-- Web API false positives -->
+
+    <!-- Vulnerability is fixed in 11.6.3, but still recorded as a vulnerability in Sonatype -->
+    <!-- https://github.com/OSSIndex/vulns/issues/305 -->
+
+    <suppress>
+        <packageUrl regex="true">^pkg:npm/protobufjs@6\.11\.3$</packageUrl>
+        <vulnerabilityName>CVE-2022-25878</vulnerabilityName>
+    </suppress>
+
 </suppressions>