From e2dce46a69a14ca9357dd54d00e2b7ec39824b50 Mon Sep 17 00:00:00 2001
From: Kashif Faraz <kashif.faraz@gmail.com>
Date: Thu, 20 Oct 2022 21:37:25 +0530
Subject: [PATCH 1/4] Suppress jackson-databind CVE-2022-42003 and
 CVE-2022-42004

(cherry picked from commit 1f4d892c9a2dbc3ce6df1481fd4c6d242ba0ea8d)
---
 owasp-dependency-check-suppressions.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 6ffb3b9f2e1f..f9ff2f7963e1 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -88,6 +88,17 @@
     <packageUrl regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl>
     <cve>CVE-2021-27568</cve>
   </suppress>
+  <suppress>
+    <!--
+      Suppressing for patch release 24.0.1
+      -->
+    <notes><![CDATA[
+   file name: jackson-databind-2.10.5.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2022-42003</cve>
+    <cve>CVE-2022-42004</cve>
+  </suppress>
 
 
   <suppress>

From b9ae56eb401234845d81b051bb6489eb1d0e40e8 Mon Sep 17 00:00:00 2001
From: Kashif Faraz <kashif.faraz@gmail.com>
Date: Wed, 2 Nov 2022 14:33:46 +0530
Subject: [PATCH 2/4] Suppress CVEs

(cherry picked from commit ed55baa8fa7d7f914a0addabb072d9ed47e1cd9f)

 Conflicts:
	owasp-dependency-check-suppressions.xml
---
 owasp-dependency-check-suppressions.xml | 58 +++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 3 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index f9ff2f7963e1..4afeee84aa50 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -220,6 +220,15 @@
       <cve>CVE-2018-1320</cve>
       <cve>CVE-2019-0205</cve>
   </suppress>
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage     -->
+    <notes><![CDATA[
+    file name: jettison-1.*.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
+    <cve>CVE-2022-40149</cve>
+    <cve>CVE-2022-40150</cve>
+  </suppress>
   <suppress>
     <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
     <notes><![CDATA[
@@ -315,6 +324,13 @@
     <cve>CVE-2019-12399</cve>
     <cve>CVE-2018-17196</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: kafka-clients-3.2.0.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
+    <cve>CVE-2022-34917</cve>
+  </suppress>
   <suppress>
     <!--
       ~ TODO: Fix when Apache Ranger is released with updated log4j
@@ -429,8 +445,17 @@
      <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
      <cve>CVE-2018-14718</cve>
      <cve>CVE-2018-7489</cve>
+     <cve>CVE-2022-42003</cve>
+     <cve>CVE-2022-42004</cve>
+  </suppress>
+  <suppress>
+    <!-- aliyun-oss -->
+    <notes><![CDATA[
+    file name: ini4j-0.5.4.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
+    <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
   </suppress>
-
   <suppress>
     <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
     <notes><![CDATA[
@@ -633,8 +658,15 @@
    file name: avatica-server-1.17.0.jar
    ]]></notes>
     <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: calcite-core-1.21.0.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>
+    <cve>CVE-2020-13955</cve>
   </suppress>
-
   <suppress>
     <!-- False positive. 42.3.3 is not affected by the CVE. And we don't use Resultset.refreshRow method either  -->
     <notes><![CDATA[
@@ -642,7 +674,6 @@
    ]]></notes>
     <cve>CVE-2022-31197</cve>
   </suppress>
-
   <suppress>
     <!-- avatica-server-1.17.0.jar -->
     <notes><![CDATA[
@@ -677,4 +708,25 @@
     <vulnerabilityName>1084597</vulnerabilityName>
   </suppress>
 
+  <suppress>
+     <notes><![CDATA[
+     file name: d3-color:2.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
+     <vulnerabilityName>1084597</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-3.11.0.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: protobuf-java-util-3.11.0.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
+     <cve>CVE-2022-3171</cve>
+   </suppress>
 </suppressions>

From e280427bfce243f3aa05153dadf27bc67fd8dcec Mon Sep 17 00:00:00 2001
From: Kashif Faraz <kashif.faraz@gmail.com>
Date: Sat, 5 Nov 2022 11:19:21 +0530
Subject: [PATCH 3/4] Suppress vulnerabilities from druid-website package

(cherry picked from commit c0fb364f8049d53cd704e414e2ffeab6c49b012e)
---
 owasp-dependency-check-suppressions.xml | 28 +++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 4afeee84aa50..db72a1d6e982 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -729,4 +729,32 @@
      <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
      <cve>CVE-2022-3171</cve>
    </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: ansi-regex:5.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
+     <vulnerabilityName>1084697</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: glob-parent:5.1.1
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
+     <vulnerabilityName>1081884</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: minimatch:3.0.4
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl>
+     <vulnerabilityName>1084765</vulnerabilityName>
+   </suppress>
+   <suppress>
+     <notes><![CDATA[
+     file name: y18n:4.0.0
+     ]]></notes>
+     <packageUrl regex="true">^pkg:npm/y18n@.*$</packageUrl>
+     <vulnerabilityName>1070209</vulnerabilityName>
+   </suppress>
 </suppressions>

From a9ec5ecbc02aeef947802d0bb769c36c677ed270 Mon Sep 17 00:00:00 2001
From: Kashif Faraz <kashif.faraz@gmail.com>
Date: Sat, 5 Nov 2022 23:14:18 +0530
Subject: [PATCH 4/4] Add more suppressions for website package

(cherry picked from commit 9bba569ebd52c5480bf4219c420ed78eb053701f)
---
 owasp-dependency-check-suppressions.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index db72a1d6e982..a09ed507cc83 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -735,6 +735,7 @@
      ]]></notes>
      <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
      <vulnerabilityName>1084697</vulnerabilityName>
+     <cve>CVE-2021-3807</cve>
    </suppress>
    <suppress>
      <notes><![CDATA[
@@ -742,6 +743,7 @@
      ]]></notes>
      <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
      <vulnerabilityName>1081884</vulnerabilityName>
+     <cve>CVE-2020-28469</cve>
    </suppress>
    <suppress>
      <notes><![CDATA[
@@ -756,5 +758,6 @@
      ]]></notes>
      <packageUrl regex="true">^pkg:npm/y18n@.*$</packageUrl>
      <vulnerabilityName>1070209</vulnerabilityName>
+     <cve>CVE-2020-7774</cve>
    </suppress>
 </suppressions>