FrankChen021 commented on code in PR #19388:
URL: https://github.com/apache/druid/pull/19388#discussion_r3161334467


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -148,6 +148,14 @@
     <cve>CVE-2025-5115</cve> <!-- netty issue in shaded hadoop -->
   </suppress>
 
+  <suppress>
+    <!-- from extensions using hadoop-client-runtime 3.5.0, these dependencies 
are shaded in the jar -->
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.5.0.jar
+     ]]></notes>
+    <cve>CVE-2026-5795</cve> <!-- Jetty 9.4.58 JASPI ThreadLocal privilege 
escalation in shaded hadoop. Not exploitable in Druid's Hadoop client usage 
(file operations only, no JASPI auth). Requires Hadoop to update to Jetty 
9.4.59+ -->
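Review bot: the new `<suppress>` block at the `<cve>CVE-2026-5795</cve>` line has neither a dependency selector (`<packageUrl>`, `<filePath>`, `<sha1>`) nor an `until` attribute, so it silences this CVE for every artifact in the scan and does so indefinitely, although its own comment ties the exemption to the shaded Jetty inside hadoop-client-runtime-3.5.0 and says it only holds until Hadoop moves to Jetty 9.4.59+. Pair the `<cve>` with a selector such as `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@3\.5\.0$</packageUrl>` and put the expiry on the element (`<suppress until="YYYY-MM-DDZ">`) so the suppression stops matching once the jar is bumped and the finding resurfaces for review instead of staying hidden.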

Review Comment:
   [P2] Scope the Hadoop CVE suppression
   
   This suppression has only a CVE selector, so dependency-check will suppress 
CVE-2026-5795 for every dependency in the scan, not just the shaded Jetty copy 
in hadoop-client-runtime-3.5.0. That can hide a real vulnerable Jetty artifact 
if one is introduced elsewhere. Add a dependency selector such as a 
packageUrl/filePath regex for org.apache.hadoop:hadoop-client-runtime:3.5.0 
before suppressing this CVE.
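As an added example, not code from the PR or from the Druid project, here is the scoped form of that suppression as a complete dependency-check suppressions file. It assumes the standard OWASP dependency-check suppression schema (the `suppressions` root and its namespace are taken from that schema, not from the page); the `until` date is a placeholder assumption chosen to force re-review, and the notes text restates the PR comment's own rationale:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Complete suppressions file (example, not the project's file).
     The root element and namespace follow the OWASP dependency-check
     suppression schema; they are assumptions for this example. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Scoped suppression: matches only when BOTH the package URL selector
       and the CVE match, so an unshaded vulnerable Jetty artifact pulled in
       elsewhere still surfaces. The `until` date (assumption) makes the
       suppression expire so the finding is re-reviewed when it lapses or
       when hadoop-client-runtime is bumped past 3.5.0. -->
  <suppress until="2026-12-31Z">
    <notes><![CDATA[
    file name: hadoop-client-runtime-3.5.0.jar
    CVE-2026-5795: Jetty 9.4.58 JASPI ThreadLocal issue in the Jetty copy shaded
    into hadoop-client-runtime. Per the PR comment, Druid uses the Hadoop client
    for file operations only, with no JASPI authentication, so the affected code
    path is not reachable. Re-evaluate when Hadoop updates to Jetty 9.4.59+.
    ]]></notes>
    <!-- Anchor the exemption to the exact shaded artifact. Alternative selector
         if the scan does not resolve a package URL for the jar:
         <filePath regex="true">.*[/\\]hadoop-client-runtime-3\.5\.0\.jar</filePath> -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@3\.5\.0$</packageUrl>
    <cve>CVE-2026-5795</cve>
  </suppress>

</suppressions>
```

The version is pinned in the regex on purpose: when the extension moves to a newer hadoop-client-runtime, the selector stops matching and the CVE (if the new jar still ships the old Jetty) reappears in the report rather than being carried forward silently. Use only one of `packageUrl` or `filePath`; when several selectors are present in one `suppress` element, all of them have to match.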



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

