[ https://issues.apache.org/jira/browse/PIG-5462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Koji Noguchi updated PIG-5462:
------------------------------
    Attachment: pig-5462-v02.patch
       Summary: Always update Owasp version to latest  (was: Update Owasp version to latest (10.0.3))

Instead of hard-coding the latest version, this will always pull the latest available. Uploaded the v02 patch.

bq. Like hadoop-shims-0.10.3 being reported as vulnerable.

Unfortunately, this false positive remained. Reading https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Ahadoop&cpe_version=cpe%3A%2F%3Aapache%3Ahadoop%3A0.10.3 it seems like it's showing the vulnerabilities of the Hadoop 0.10 version, which is completely unrelated here. I'll write a separate patch for ignoring those false positives.

> Always update Owasp version to latest
> --------------------------------------
>
>                 Key: PIG-5462
>                 URL: https://issues.apache.org/jira/browse/PIG-5462
>             Project: Pig
>          Issue Type: Test
>            Reporter: Koji Noguchi
>            Assignee: Koji Noguchi
>            Priority: Trivial
>         Attachments: pig-5462-v01.patch, pig-5462-v02.patch
>
>
> While looking at the OWASP report, a lot of them were completely off.
> (Like hadoop-shims-0.10.3 being reported as vulnerable.)
> Using the latest org.owasp/dependency-check-ant
> (https://mvnrepository.com/artifact/org.owasp/dependency-check-ant)
> seems to help cut down the false positives.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
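The false positive described in the comment comes from dependency-check's CPE matching: a jar named hadoop-shims-0.10.3 gets paired with cpe:/a:apache:hadoop:0.10.3 on the version string alone, so every Hadoop 0.10 CVE is reported against it. The standard way to silence such a match is a suppression file that names the artifact and the CPE to drop. The following is an added example, not the patch Koji mentions and not part of the Pig build; it assumes the jar is resolved as a Maven artifact with artifact id hadoop-shims (the group id is not stated in the ticket, so the regex wildcards it) and that the suppression is wired into the Ant task through its suppressionFile attribute.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from PIG-5462 or the Pig build): a dependency-check
     suppression file that drops the apache:hadoop CPE match for the
     hadoop-shims jar. The Maven group id of hadoop-shims is not given in
     the ticket, so the packageUrl regex wildcards it (assumption). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        PIG-5462: hadoop-shims-0.10.3 is matched to cpe:/a:apache:hadoop:0.10.3
        on the version string alone; the Hadoop 0.10 CVEs do not apply to it.
        The suppression is scoped to the vendor:product CPE, so any other
        finding on this jar (a different CPE) is still reported.
        ]]></notes>
        <!-- regex on the package URL rather than a filePath or sha1, so the
             suppression survives a version bump of the shims jar -->
        <packageUrl regex="true">^pkg:maven/[^/]+/hadoop-shims@.*$</packageUrl>
        <cpe>cpe:/a:apache:hadoop</cpe>
    </suppress>
</suppressions>
```

Point the Ant task at the file (suppressionFile="owasp-suppressions.xml" on the dependency-check task) and keep the notes block filled in: a CPE-level suppression hides every apache:hadoop CVE for that jar, present and future, so the reason needs to be reviewable when the next report is read. If only a handful of specific CVEs are wrong, a <cve> element per CVE is narrower than suppressing the whole CPE.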