FrankChen021 commented on code in PR #19105:
URL: https://github.com/apache/druid/pull/19105#discussion_r3141585854


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -142,7 +142,8 @@
     <cve>CVE-2024-47561</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk 
v2 dependency work to finish -->
     <cve>CVE-2024-29131</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk 
v2 dependency work to finish -->
     <cve>CVE-2024-22201</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to a hadoop-client which was not yet 
released  -->
-    <cve>CVE-2025-52999</cve> <!--  This is vulneraability in all versions of 
hadoop-client-runtime and has not been fixed by hadoop yet -->
+    <cve>CVE-2025-52999</cve> <!--  This is vulnerability in all versions of 
hadoop-client-runtime and has not been fixed by hadoop yet -->
+    <cve>CVE-2025-49128</cve> <!--  jackson-core is shaded inside 
hadoop-client-runtime at an older version; Druid's standalone jackson-core is 
2.19.2 which is not affected. No fix available in hadoop-client 3.3.x yet -->
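Review bot: the new `<cve>CVE-2025-49128</cve>` entry inherits the scope of its enclosing `<suppress>` block, and none of the visible lines in that block carry a `<packageUrl>`, `<filePath>`, `<gav>` or `<sha1>` selector, so unless one sits above line 142 the suppression silences CVE-2025-49128 for every jackson-core in the scan, including the standalone 2.19.2 copy the note says is unaffected should a later bump regress it. Suggest moving this CVE into its own block constrained to the shaded artifact, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@.*$</packageUrl>`, so the suppression tracks only the shaded copy and the note explaining why stays next to the selector that justifies it. The preceding `-`/`+` pair only corrects the "vulneraability" typo and needs no change.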

Review Comment:
   P2 Scope the CVE suppression to Hadoop runtime
   
   This suppression block has only notes plus CVE entries, with no packageUrl, 
filePath, gav, or sha1 selector. Dependency-Check notes are descriptive, so 
adding CVE-2025-49128 here suppresses that CVE globally, not just for 
jackson-core shaded inside hadoop-client-runtime-3.3.6.jar. That can hide a 
real vulnerable jackson-core if it appears elsewhere now or in a future 
dependency change. Please constrain this suppression to the Hadoop runtime 
artifact or shaded file path/hash.
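One way to catch this class of mistake mechanically, as an added example that is not part of the Druid repository or of Dependency-Check itself: a small Python lint that parses a suppression file and reports every `<suppress>` block that carries CVE entries but no selector element. The sample XML below is constructed for the example; the element names and the schema namespace are Dependency-Check's own, while the Hadoop `packageUrl` regex is an assumed value.

```python
"""Lint an OWASP Dependency-Check suppression file for unscoped CVE suppressions.

Added example, not code from the Druid PR or from Dependency-Check. A <suppress>
block that lists <cve>/<vulnerabilityName> entries but no selector element
(<packageUrl>, <filePath>, <gav>, <sha1>) suppresses those findings for every
dependency in the scan, so this script flags such blocks.
"""
import sys
import xml.etree.ElementTree as ET

SELECTORS = {"packageUrl", "filePath", "gav", "sha1"}
FINDINGS = {"cve", "vulnerabilityName"}

# Constructed sample: the first block mirrors the shape of the hunk (notes plus
# CVEs, no selector); the second is the scoped form. The namespace URI is the
# one Dependency-Check uses for suppression schema 1.3; the packageUrl regex
# is an assumed value for illustration.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Hadoop client CVEs pending upstream fixes</notes>
    <cve>CVE-2025-52999</cve>
    <cve>CVE-2025-49128</cve>
  </suppress>
  <suppress>
    <notes>jackson-core shaded inside hadoop-client-runtime</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@.*$</packageUrl>
    <cve>CVE-2025-49128</cve>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace so lookups work with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def unscoped_suppressions(xml_text):
    """Return (block_index, notes, [ids]) for each <suppress> with findings but no selector."""
    root = ET.fromstring(xml_text)
    blocks = [child for child in root if _local(child.tag) == "suppress"]
    report = []
    for idx, sup in enumerate(blocks):
        tags = [_local(child.tag) for child in sup]
        has_selector = any(tag in SELECTORS for tag in tags)
        ids = [child.text.strip() for child in sup
               if _local(child.tag) in FINDINGS and child.text]
        if ids and not has_selector:
            notes = next((child.text.strip() for child in sup
                          if _local(child.tag) == "notes" and child.text), "")
            report.append((idx, notes, ids))
    return report


def format_report(report):
    """Render findings as one line per unscoped block, suitable for CI output."""
    return ["suppress[%d] has no selector; globally suppresses %s (notes: %s)"
            % (idx, ", ".join(ids), notes or "<none>") for idx, notes, ids in report]


def main(argv):
    # Lint the file given on the command line, or the embedded sample when none is given.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_XML
    lines = format_report(unscoped_suppressions(text))
    for line in lines:
        print(line)
    return 1 if lines else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the repository's `owasp-dependency-check-suppressions.xml` in CI and fail the build on a non-zero exit; a block that deliberately needs global scope (for instance a `<cvssBelow>` threshold) is not reported, because only CVE and vulnerability-name entries are considered.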



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]