Suppress spurious/not relevant jfreechart CVEs (#1358)

finalize reviews
Unidata · Jul 1, 2024 · 5ce0491 · 5ce0491
1 parent c2dc1d0
commit 5ce0491
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 38 deletions.
diff --git a/cdm/core/src/main/java/ucar/nc2/dataset/VariableDS.java b/cdm/core/src/main/java/ucar/nc2/dataset/VariableDS.java
@@ -943,18 +943,10 @@ private void createEnhancements() {
     if (normalizerAtt != null && this.enhanceMode.contains(Enhance.ApplyNormalizer) && dataType.isFloatingPoint()) {
       this.normalizer = Normalizer.createFromVariable(this);
     }
-    // I need to comment this one out, otherwise it applies the
-    // @Override
-    // public double convert(double val) {
-    // return classifyArray(val);
-    // }
-    // so for now I just turn it off. How else could we do this?
-
-
-    // Attribute classifierAtt = findAttribute(CDM.CLASSIFY);
-    // if (classifierAtt != null && this.enhanceMode.contains(Enhance.ApplyClassifier) && dataType.isNumeric()) {
-    // this.classifier = Classifier.createFromVariable(this);
-    // }
+    Attribute classifierAtt = findAttribute(CDM.CLASSIFY);
+    if (classifierAtt != null && this.enhanceMode.contains(Enhance.ApplyClassifier) && dataType.isNumeric()) {
+      this.classifier = Classifier.createFromVariable(this);
+    }
   }
 
   public Builder<?> toBuilder() {

diff --git a/cdm/core/src/main/java/ucar/nc2/filter/Classifier.java b/cdm/core/src/main/java/ucar/nc2/filter/Classifier.java
@@ -12,7 +12,6 @@
 
 
 public class Classifier implements Enhancement {
-  private int classifiedVal;
   private String[] AttCat;
   private List<int[]> rules = new ArrayList<>();
 
@@ -65,31 +64,7 @@ public int[] classifyWithAttributes(Array arr) {
     return classifiedArray;
   }
 
-  /** Classify double array */
-  public int[] classifyDoubleArray(Array arr) {
-    int[] classifiedArray = new int[(int) arr.getSize()];
-    int i = 0;
-    IndexIterator iterArr = arr.getIndexIterator();
-    while (iterArr.hasNext()) {
-      Number value = (Number) iterArr.getObjectNext();
-      if (!Double.isNaN(value.doubleValue())) {
-
-        classifiedArray[i] = classifyArray(value.doubleValue());
-      }
-      i++;
-    }
-    return classifiedArray;
-  }
 
-  /** for a single double */
-  public int classifyArray(double val) {
-    if (val >= 0) {
-      classifiedVal = 1;
-    } else {
-      classifiedVal = 0;
-    }
-    return classifiedVal;
-  }
 
   public int classifyArrayAttribute(double val) {
     for (int[] rule : rules) {
@@ -112,7 +87,7 @@ private List<int[]> loadClassificationRules() {
 
   @Override
   public double convert(double val) {
-    return classifyArray(val);
+    return classifyArrayAttribute(val);
   }
 
   public static int[] stringToIntArray(String str) {

diff --git a/project-files/owasp-dependency-check/dependency-check-suppression.xml b/project-files/owasp-dependency-check/dependency-check-suppression.xml
@@ -24,4 +24,14 @@
     ]]></notes>
     <cve>CVE-2023-35116</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: uicdm-5.5.4-SNAPSHOT.tar: jfreechart-1.0.19.jar
+   reason: Disputed CVEs and we do not use the vulnerable components (BubbleXYItemLabelGenerator.java, /chart/annotations/CategoryLineAnnotation, setSeriesNeedle)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23076</vulnerabilityName>
+    <vulnerabilityName>CVE-2024-22949</vulnerabilityName>
+    <vulnerabilityName>CVE-2023-52070</vulnerabilityName>
+  </suppress>
 </suppressions>