

24.7 CVE fixes for lucene, glassfish, batik/fop (#904)
* suppress lucene for CVE-2024-45772, fixed in develop

* suppress glassfish false positives

* bump apache batik and fop for CVE-2024-28168
labkey-willm authored Oct 11, 2024
1 parent 90b3133 commit 06c79b5
Showing 2 changed files with 125 additions and 2 deletions.
123 changes: 123 additions & 0 deletions dependencyCheckSuppression.xml
Expand Up @@ -246,5 +246,128 @@
<cve>CVE-2005-1260</cve>
</suppress>

<!--
suppress CVE-2024-45772 for lucene 9.10, fixed in develop with bump to 9.12
-->
<suppress>
<notes><![CDATA[
file name: lucene-analysis-common-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-analysis-common@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: lucene-backward-codecs-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-backward-codecs@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: lucene-core-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-core@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: lucene-queries-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-queries@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: lucene-queryparser-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-queryparser@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: lucene-sandbox-9.10.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-sandbox@.*$</packageUrl>
<cve>CVE-2024-45772</cve>
</suppress>
<!-- end of lucene suppressions -->

<!--
suppress glassfish false positives, being corrected in:
https://github.com/jeremylong/DependencyCheck/issues/7015
https://github.com/jeremylong/DependencyCheck/pull/7016
https://github.com/jeremylong/DependencyCheck/pull/7024
-->
<suppress>
<notes><![CDATA[
file name: jaxb-core-4.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: jaxb-core-4.0.5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: jaxb-core-4.0.5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: jaxb-runtime-4.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: jaxb-runtime-4.0.5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: osgi-resource-locator-1.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.hk2/osgi-resource-locator@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: txw2-4.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: txw2-4.0.5.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
<cve>CVE-2024-9329</cve>
</suppress>
<!-- end of glassfish false positive suppressions -->

</suppressions>
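Review bot: The third glassfish entry in hunk `@@ -246,5 +246,128 @@` (file name jaxb-core-4.0.5.jar, `^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$`, CVE-2024-9329) repeats the entry immediately before it verbatim and can be deleted; since every packageUrl here ends in `@.*$`, the separate 4.0.3 and 4.0.5 entries for the same artifact also collapse into one. Both groups are described in their header comments as temporary (lucene "fixed in develop", glassfish "being corrected" upstream), yet no suppression carries an expiry, so they will keep masking the finding indefinitely; give each one a sunset, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date, to be set to when the bump or upstream fix is expected to land), so the scanner re-raises the issue after that point. For the lucene group it is also worth pinning the version the CVE was triaged against rather than every version, e.g. `^pkg:maven/org\.apache\.lucene/lucene-core@9\.10\.0$`, so an older vulnerable lucene pulled in by another module is still reported.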

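--- a/gradle.properties
+++ b/gradle.properties
@@ -111,7 +111,7 @@ apacheTomcatVersion=10.1.30
 asmVersion=9.7
 
 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately
-batikVersion=1.17
+batikVersion=1.18
 
 # sync with Tika version (or later)
 bouncycastlePgpVersion=1.78
@@ -152,7 +152,7 @@ eigenbaseXomVersion=1.3.7
 flyingsaucerVersion=R8
 
 # Apache FOP -- linked to Apache Batik version above
-fopVersion=2.9
+fopVersion=2.10
 
 # Force latest for consistency
 googleAutoValueAnnotationsVersion=1.10.4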
