Fix cves

apache · Oct 21, 2024 · 3f90fef · 3f90fef
1 parent 5da9949
commit 3f90fef
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/licenses.yaml b/licenses.yaml
@@ -2065,7 +2065,7 @@ name: Jetty
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 9.4.54.v20240208
+version: 9.4.56.v20240826
 libraries:
   - org.eclipse.jetty: jetty-client
   - org.eclipse.jetty: jetty-continuation

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -649,10 +649,12 @@
   </suppress>
   <suppress>
     <notes><![CDATA[
-        FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
+        FP per issue #6100 - CVE-2023-36052 since it is related to azure-cli not to the azure-core libraries
+        CVE-2024-43591 is also a FP as it affect azure-cli which is not used.
         ]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
     <cve>CVE-2023-36052</cve>
+    <cve>CVE-2024-43591</cve>
   </suppress>
   <suppress>
     <!-- CVE is for a totally unrelated Sketch mac app -->
@@ -746,4 +748,20 @@
     <vulnerabilityName>CVE-2024-45772</vulnerabilityName>
   </suppress>
 
+  <suppress>
+    <!-- -->
+    <notes><![CDATA[
+    file name: azure-core-1.48.0.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2024-43591</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <!-- Not affected by this CVE since we donot use lucene directly-->
+    <notes><![CDATA[
+    file name: azure-identity-1.12.0.jar
+    ]]></notes>
+    <vulnerabilityName>CVE-2024-43591</vulnerabilityName>
+  </suppress>
+
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -98,7 +98,7 @@
         <guava.version>32.0.1-jre</guava.version>
         <guice.version>4.1.0</guice.version>
         <hamcrest.version>1.3</hamcrest.version>
-        <jetty.version>9.4.54.v20240208</jetty.version>
+        <jetty.version>9.4.56.v20240826</jetty.version>
         <jersey.version>1.19.4</jersey.version>
         <jackson.version>2.12.7.20221012</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>