[improve][security] CVE-2022-33915 is false positive

[tisonkun]

Signed-off-by: tison wander4096@gmail.com

Motivation

CVE-2022-33915 is about Amazon AWS hotpatch. We don't use that version and the failure reported by OWASP is false positive.

Reported when preparing patch #16320.

Modifications

Suppress CVE-2022-33915.

Verifying this change

• Make sure that the change passes the CI checks.

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

• Dependencies (does it add or upgrade a dependency): (yes / no)
• The public API: (yes / no)
• The schema: (yes / no / don't know)
• The default values of configurations: (yes / no)
• The wire protocol: (yes / no)
• The rest endpoints: (yes / no)
• The admin cli options: (yes / no)
• Anything that affects deployment: (yes / no / don't know)

Documentation

• doc-not-needed

[shoothzj]

can we remove the log4j1 dependency?

[tisonkun]

@shoothzj sorry I make a wrong version number, this is about log4j-core-2.17.1.

[tisonkun]

@nicoloboschi @shoothzj tests failed on flaky cases. You may merge this patch since "CI - Misc - OWASP Dependency Check / owasp-dep-check" passed or help re-trigger the failed jobs :)

[RobertIndie]

/pulsarbot run-failure-checks

[tisonkun]

/pulsarbot run-failure-checks

[tisonkun]

ping @nicoloboschi whether this CI status is valid to move forward?

[RobertIndie]

whether this CI status is valid to move forward?

@tisonkun The CI is broken by CI - Unit - Brokers - Broker Group 1 .
I have reported the flaky tests: #16427 , #16444 . And a suspected CI-related issue: #16445

I'm trying to rerun the CI checks again.

[tisonkun]

@RobertIndie Thank you! However, it seems "Pulsar CI / CI - Unit - Brokers - Broker Group 1" still failed. I don't think we have to rerun until it passes since it's obvious unrelated to this patch. I agree that we should reduce flaky tests, though.

[tisonkun]

It seems OWASP fixes this false positive report. Pending to close...