CVE suppression

[AmatyaAvadhanula]

Suppress

1. Ambari -> ambari-metrics-common-2.7.0.0.0.jar -> CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302

• The CVEs are being suppressed since Ambari hasn't been updated in a long time. Might consider eliminating this dependency in the future

2. GSON -> gson-*.jar -> CVE-2022-25647

• This CVE only affects code using java serialization and doesn't affect druid. (Prevent Java deserialization of internal classes google/gson#1991 (comment))

3. Jackson -> *jackson-*.jar -> CVE-2020-36518

• The issue may occur due to large object depth when using jackson. Suppressing for now. A jackson update to mitigate this is being considered as well. One such PR is Bump Jackson to 2.12.6.20220326 (CVE-2020-36518) #12411

4. Jedis -> jedis-2.9.0.jar -> CVE-2021-32626, CVE-2022-24735

• The Jedis vulnerabilities are due to lua script execution in Redis. This is not applicable to druid

5. Solr -> solr-solrj-7.7.1.jar -> CVE-2021-44548

• This CVE only affects Windows and is not applicable to druid

[cryptoe]

LGTM !!

[abhishekagarwal87]

Thank you @AmatyaAvadhanula. can you also create a backport PR?

[AmatyaAvadhanula]

Thank you @AmatyaAvadhanula. can you also create a backport PR?

@abhishekagarwal87 Please find it at #12543