From bbb798925b4e793525f6f97404052a07f4f860f2 Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Thu, 14 Apr 2022 11:14:53 -0700
Subject: [PATCH 1/2] Suppress CVE-2021-43138

---
 owasp-dependency-check-suppressions.xml | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index be02807ca38d..b02adcce13eb 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>
   <suppress>
        <!--
          - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
@@ -470,4 +456,13 @@
     ]]></notes>
     <cve>CVE-2021-43045</cve>
   </suppress>
+
+  <suppress>
+    <!-- False alarm for the Async javascript library (https://github.com/caolan/async) which is a dev dependency for the web console -->
+    <notes><![CDATA[
+   file name: async-http-client-netty-utils-2.5.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl>
+    <cve>CVE-2021-43138</cve>
+  </suppress>
 </suppressions>

From 0131b1e3dcd95d7c0c95f49210f84b19783fcade Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Mon, 18 Apr 2022 16:21:43 -0700
Subject: [PATCH 2/2] revert netty 3.10.5.Final

---
 owasp-dependency-check-suppressions.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index b02adcce13eb..abc05abead5f 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -287,6 +287,20 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
+  <suppress>
+    <!--
+      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+      -->
+    <notes><![CDATA[
+    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
+  </suppress>
   <suppress>
        <!--
          - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.