From 747b3495316271160bd0c0ceb92fda6f1a9b10ba Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Wed, 24 Mar 2021 15:20:32 -0700
Subject: [PATCH 1/2] Suppress CVEs for Solr and org.codehaus.jackson

---
 owasp-dependency-check-suppressions.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 957e7765733e..799ab368d4a1 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -315,4 +315,24 @@
      ]]></notes>
     <cve>CVE-2020-13936</cve>
   </suppress>
+
+  <suppress>
+     <notes><![CDATA[
+     file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+     <cve>CVE-2018-14718</cve>
+     <cve>CVE-2018-7489</cve>
+  </suppress>
+
+  <suppress>
+     <notes><![CDATA[
+     file name: solr-solrj-7.7.1.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
+     <cve>CVE-2020-13957</cve>
+     <cve>CVE-2019-17558</cve>
+     <cve>CVE-2019-0193</cve>
+     <cve>CVE-2020-13941</cve>
+  </suppress>
 </suppressions>

From 20fb9d40dd9636cb29faa94bd115f22d1395615d Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Wed, 24 Mar 2021 15:49:11 -0700
Subject: [PATCH 2/2] add a comment

---
 owasp-dependency-check-suppressions.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 799ab368d4a1..8c55436b9151 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -317,6 +317,7 @@
   </suppress>
 
   <suppress>
+     <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
      <notes><![CDATA[
      file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
      ]]></notes>