Skip to content

Commit fb5c13f

Browse files
authored
Add OWASP suppression for CVE-2026-25087 and re-enable dependency check in release (#1296)
## Summary - Added `owasp-suppressions.xml` to suppress CVE-2026-25087 (Apache Arrow C++ only, false positive for Java Arrow libraries) - Referenced suppression file in `jdbc-core/pom.xml` OWASP plugin config - Re-enabled the OWASP dependency check in the release build step (replaces `-Ddependency-check.skip=true` from #1286) and passes NVD API key for fast NVD updates Previously #1286 skipped the OWASP check entirely in the build step as a quick fix for the v3.3.1 release. This PR restores the check with proper suppression so real vulnerabilities are still caught during releases. ## Test plan - [ ] Verify CI passes with the suppression file - [ ] Verify the OWASP check runs during the release build step without failing on Arrow CVE NO_CHANGELOG=true OVERRIDE_FREEZE=true This pull request was AI-assisted by Isaac. Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
1 parent 9d834a5 commit fb5c13f

4 files changed

Lines changed: 28 additions & 2 deletions

File tree

.github/workflows/release-thin.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,9 @@ jobs:
5151
- name: Build dependencies
5252
run: |
5353
mvn -Prelease clean install --batch-mode -pl jdbc-core -am -Dgpg.skip=true \
54-
-Ddependency-check.skip=true
54+
-Dnvd.api.key=${{ secrets.NVD_API_KEY }} \
55+
-Dossindex.username=${{ secrets.OSSINDEX_USERNAME }} \
56+
-Dossindex.password=${{ secrets.OSSINDEX_PASSWORD }}
5557
5658
# Step 2: Deploy only the thin JAR module to Maven Central
5759
# We don't use -am here to avoid the central-publishing-maven-plugin

.github/workflows/release.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,9 @@ jobs:
3636
- name: Build dependencies
3737
run: |
3838
mvn -Prelease clean install --batch-mode -pl jdbc-core -am -Dgpg.skip=true \
39-
-Ddependency-check.skip=true
39+
-Dnvd.api.key=${{ secrets.NVD_API_KEY }} \
40+
-Dossindex.username=${{ secrets.OSSINDEX_USERNAME }} \
41+
-Dossindex.password=${{ secrets.OSSINDEX_PASSWORD }}
4042
4143
# Step 2: Deploy only the uber JAR module to Maven Central
4244
# We don't use -am here to avoid the central-publishing-maven-plugin

jdbc-core/pom.xml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -355,6 +355,9 @@
355355
This helps us identify and address significant security risks early in the development process.
356356
-->
357357
<failBuildOnCVSS>7</failBuildOnCVSS>
358+
<suppressionFiles>
359+
<suppressionFile>${project.basedir}/../owasp-suppressions.xml</suppressionFile>
360+
</suppressionFiles>
358361
<nvdApiKey>${nvd.api.key}</nvdApiKey>
359362
<nvdMaxRetryCount>10</nvdMaxRetryCount>
360363
<nvdApiDelay>4000</nvdApiDelay>

owasp-suppressions.xml

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
3+
<!--
4+
CVE-2026-25087 is a Use After Free vulnerability in the Apache Arrow C++ IPC
5+
file reader when pre-buffering is enabled with variadic buffers.
6+
It does NOT affect the Java Arrow libraries (arrow-memory-core, arrow-vector, etc.)
7+
which are pure Java with no native code. The OWASP scanner falsely matches because
8+
both share the "apache:arrow" CPE namespace.
9+
See: https://nvd.nist.gov/vuln/detail/CVE-2026-25087
10+
-->
11+
<suppress>
12+
<notes><![CDATA[
13+
CVE-2026-25087 affects Apache Arrow C++ only, not Java.
14+
False positive due to CPE matching on the shared "apache:arrow" namespace.
15+
]]></notes>
16+
<packageUrl regex="true">^pkg:maven/org\.apache\.arrow/.*$</packageUrl>
17+
<cve>CVE-2026-25087</cve>
18+
</suppress>
19+
</suppressions>

0 commit comments

Comments
 (0)