chore: add global dependency suppressions (#54)

hypertrace · Jun 3, 2024 · 3282781 · 3282781
1 parent a6f3cad
commit 3282781
Show file tree

Hide file tree

Showing 2 changed files with 133 additions and 6 deletions.
diff --git a/dependency-check/action.yml b/dependency-check/action.yml
@@ -6,31 +6,44 @@ inputs:
     description: "NVD API Key"
     required: false
     default: ""
+  use-global-suppressions:
+    description: "Whether to use global suppression file in addition to the local suppression file (assumed name of owasp-suppression.xml at repo root)"
+    required: false
+    default: "true"
 
 runs:
   using: "composite"
   steps:
+    - name: Setup suppressions
+      id: suppressions
+      shell: bash
+      run: |
+        if [ "${{ inputs.use-global-suppressions }}" = "true" ]; then
+          echo args=-Dsuppression.file=owasp-suppressions.xml,$GITHUB_ACTION_PATH/global-suppressions.xml >> $GITHUB_OUTPUT
+        else
+          echo args= >> $GITHUB_OUTPUT
+        fi
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
         submodules: recursive
 
     - name: Dependency Check
-      if: ${{ inputs.nvd-api-key == '' }}
+      if: inputs.nvd-api-key == ''
       uses: hypertrace/github-actions/gradle@main
       with:
-        args: dependencyCheckAggregate
+        args: dependencyCheckAggregate ${{steps.suppressions.outputs.args}}
 
     - name: Dependency Check
-      if: ${{ inputs.nvd-api-key != '' }}
+      if: inputs.nvd-api-key != ''
       uses: hypertrace/github-actions/gradle@main
       with:
-        args: dependencyCheckAggregate -Dnvd.api.key=${{ inputs.nvd-api-key }}
+        args: dependencyCheckAggregate ${{steps.suppressions.outputs.args}} -Dnvd.api.key=${{ inputs.nvd-api-key }}
 
     - name: Upload dependency check report
       if: always()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: Dependency check report
         path: ${{github.workspace}}/build/reports

diff --git a/dependency-check/global-suppressions.xml b/dependency-check/global-suppressions.xml
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+   Any hypertrace dep
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
+    <cpe>cpe:/a:grpc:grpc</cpe>
+    <cpe>cpe:/a:utils_project:utils</cpe>
+    <cpe>cpe:/a:processing:processing</cpe>
+    <cpe>cpe:/a:avro_project:avro</cpe>
+  </suppress>
+  <suppress until="2024-07-31Z">
+    <notes><![CDATA[
+   This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
+   db is updated.
+   Ref:
+   https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\[email protected]\..*$</packageUrl>
+    <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   Wire android app not a match for squareup's wire packages
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/wire\-.*@.*$</packageUrl>
+    <cpe>cpe:/a:wire:wire</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   This CVE is a FP - it only impacts go projects.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.(flink|parquet)/(flink|parquet)\-avro@.*$
+    </packageUrl>
+    <cve>CVE-2023-37475</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    FP. opentelemetry-exporter-prometheus matches with prometheus:prometheus
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.opentelemetry/opentelemetry\-exporter\-prometheus@.*$
+    </packageUrl>
+    <cpe>cpe:/a:prometheus:prometheus</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   Pinot packages being matched as Avro
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.pinot/.*@.*$</packageUrl>
+    <cpe>cpe:/a:avro_project:avro</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    Pinot mismatches
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.pinot/.*@.*$</packageUrl>
+    <cpe>cpe:/a:apache:avro</cpe>
+    <cpe>cpe:/a:tasks:tasks</cpe>
+    <cpe>cpe:/a:apache:thrift</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   CVE-2024-29133, CVE-2024-29131 only impacts commons-configuration 2+, which is already fixed. Commons configuration 1 is a different artifact and unimpacted.
+
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/commons\-configuration/commons\-configuration@1\..*$
+    </packageUrl>
+    <vulnerabilityName>CVE-2024-29133</vulnerabilityName>
+    <vulnerabilityName>CVE-2024-29131</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    This is a meaningless CVE and disputed. It highlights a method that throws a NPE when
+    called with null.
+    Ref: https://www.joda.org/joda-time/security.html
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
+    <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    Parquet Jackson shades this version of jackson and has no newer release. This is an invalid CVE regardless,
+    but is "fixed" in newer versions so we're only suppressing this specific shaded version. If a new
+    parqet is releeased, this should be removed. https://github.com/FasterXML/jackson-databind/issues/3972
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\[email protected]$
+    </packageUrl>
+    <cve>CVE-2023-35116</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+     This CVE specifically impacts quartz-jobs, not quartz itself. However they share a CPE and thus
+     dependency check can't disambiguate them.
+     Ref: https://github.com/jeremylong/DependencyCheck/issues/5862
+
+     It's also disputed (but we're only excluding the unimpacted jar regardless).
+
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
+    <cve>CVE-2023-39017</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    These are meaningless CVEs and disputed. They highlight a method that throws a NPE when
+    called with null.
+
+    Ref: https://www.threeten.org/threetenbp/security.html
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
+    <cve>CVE-2024-23081</cve>
+    <cve>CVE-2024-23082</cve>
+  </suppress>
+</suppressions>