From b860f2ab83eabfc2b77ff966069526b6370549a5 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 16 May 2023 12:33:06 +0530
Subject: [PATCH 01/13] Suppress flagged CVEs

---
 .github/workflows/cron-job-its.yml      |  5 ++--
 owasp-dependency-check-suppressions.xml | 34 +++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index 02f42292163e..68e93f5b4d45 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -27,7 +27,7 @@ on:
 
 jobs:
   build:
-    if: github.event_name == 'schedule'
+    if: (github.event_name == 'schedule' && github.repository == 'apache/druid')
     name: build (jdk8)
     runs-on: ubuntu-latest
     steps:
@@ -107,10 +107,11 @@ jobs:
       group: other
 
   security_vulnerabilities:
+    if: github.repository == 'apache/druid'
     name: security vulnerabilities
     strategy:
       matrix:
-        HADOOP_PROFILE: [ '', '-Phadoop3' ]
+        HADOOP_PROFILE: [ '', '-Phadoop2' ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout branch
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 3095ed160c63..55caaca35e2b 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -192,10 +192,12 @@
       ~       ... 27 more
       -->
     <notes><![CDATA[
-   file name: hibernate-validator-5.2.5.Final.jar
+   file name: hibernate-validator-5.3.6.Final.jar
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
-    <cve>CVE-2017-7536</cve>
+    <cve>CVE-2019-10219</cve>
+    <cve>CVE-2019-14900</cve>
+    <cve>CVE-2020-10693</cve>
     <cve>CVE-2020-25638</cve>
   </suppress>
   <suppress>
@@ -216,8 +218,13 @@
     <cve>CVE-2019-20444</cve>
     <cve>CVE-2019-20445</cve>
     <cve>CVE-2020-11612</cve>
+    <cve>CVE-2021-21290</cve>
+    <cve>CVE-2021-21295</cve>
+    <cve>CVE-2021-21409</cve>
     <cve>CVE-2021-37136</cve>
     <cve>CVE-2021-37137</cve>
+    <cve>CVE-2021-43797</cve>
+    <cve>CVE-2022-24823</cve>
     <cve>CVE-2022-41881</cve>
   </suppress>
   <suppress>
@@ -619,6 +626,7 @@
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl>
     <cve>CVE-2021-43138</cve>
+    <cve>CVE-2021-4277</cve>
   </suppress>
 
   <suppress>
@@ -833,4 +841,26 @@
     <!-- applies to ranger-hive-plugin which afaict we do not use https://nvd.nist.gov/vuln/detail/CVE-2021-40331 -->
     <cve>CVE-2021-40331</cve>
   </suppress>
+
+  <!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 -->
+  <suppress>
+    <notes><![CDATA[
+      file name: plexus-utils-3.0.24.jar
+      file name: async-http-client-netty-utils-2.5.3.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
+    <cve>CVE-2021-4277</cve>
+  </suppress>
+
+  <!--
+    ~ TODO: Update guava to any version after 29.0
+  -->
+  <suppress>
+    <notes><![CDATA[
+      file name: guava-16.0.1.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@16.0.1$</packageUrl>
+    <cve>CVE-2018-10237</cve>
+    <cve>CVE-2020-8908</cve>
+  </suppress>
 </suppressions>

From 069b9c1ac1d8533c7f123dc0ebd425f1407bf7c7 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 16 May 2023 12:47:15 +0530
Subject: [PATCH 02/13] remove duplicate

---
 owasp-dependency-check-suppressions.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 55caaca35e2b..b153587fd67e 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -626,7 +626,6 @@
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl>
     <cve>CVE-2021-43138</cve>
-    <cve>CVE-2021-4277</cve>
   </suppress>
 
   <suppress>

From ccc87b5b857a163ade8e8cad88416e662dec7f10 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 16 May 2023 13:24:08 +0530
Subject: [PATCH 03/13] force update snapshots

---
 .github/workflows/cron-job-its.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index 68e93f5b4d45..04bcf7401a73 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -126,7 +126,7 @@ jobs:
 
       - name: security vulnerabilities check
         env:
-          MVN: mvn --no-snapshot-updates
+          MVN: mvn -U
           HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
         run: |
           mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "

From c01c2406c13144e7f1947aef66eadb1828d5ccff Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 16 May 2023 13:36:05 +0530
Subject: [PATCH 04/13] clean install before dependency check

---
 .github/workflows/cron-job-its.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index 04bcf7401a73..0f0d303fcd5a 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -124,9 +124,13 @@ jobs:
           distribution: 'zulu'
           cache: maven
 
+      - name: Maven build
+        id: maven_build
+        run: ./it.sh ci
+
       - name: security vulnerabilities check
         env:
-          MVN: mvn -U
+          MVN: mvn --no-snapshot-updates
           HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
         run: |
           mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "

From 6acd3e1994acd473320cdc9e709eb6dab13af69b Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 23 May 2023 15:05:40 +0530
Subject: [PATCH 05/13] suppress CVE-2017-7536 from
 hibernate-validator-5.2.5.Final.jar while using hadoop2

---
 owasp-dependency-check-suppressions.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index b153587fd67e..a92d57c7945e 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -193,8 +193,10 @@
       -->
     <notes><![CDATA[
    file name: hibernate-validator-5.3.6.Final.jar
+   file name: hibernate-validator-5.2.5.Final.jar
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
+    <cve>CVE-2017-7536</cve>
     <cve>CVE-2019-10219</cve>
     <cve>CVE-2019-14900</cve>
     <cve>CVE-2020-10693</cve>

From 15eb9ce9985c50418b402dee6ef4ee53ebcea894 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 20 Jun 2023 03:07:22 +0530
Subject: [PATCH 06/13] add comments in suppressions file

---
 owasp-dependency-check-suppressions.xml | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index a92d57c7945e..860da64ee6fa 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -197,9 +197,9 @@
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
     <cve>CVE-2017-7536</cve>
-    <cve>CVE-2019-10219</cve>
-    <cve>CVE-2019-14900</cve>
-    <cve>CVE-2020-10693</cve>
+    <cve>CVE-2019-10219</cve> <!-- We don't use SafeHtml validator annotation https://nvd.nist.gov/vuln/detail/CVE-2019-10219 -->
+    <cve>CVE-2019-14900</cve> <!-- Not applicable to hibernate validator https://github.com/hibernate/hibernate-orm/pull/3438 -->
+    <cve>CVE-2020-10693</cve> <!-- We don't take user input in constraint violation message https://hibernate.atlassian.net/browse/HV-1774 -->
     <cve>CVE-2020-25638</cve>
   </suppress>
   <suppress>
@@ -220,13 +220,13 @@
     <cve>CVE-2019-20444</cve>
     <cve>CVE-2019-20445</cve>
     <cve>CVE-2020-11612</cve>
-    <cve>CVE-2021-21290</cve>
-    <cve>CVE-2021-21295</cve>
-    <cve>CVE-2021-21409</cve>
+    <cve>CVE-2021-21290</cve> <!-- Not applicable to Netty Client -->
+    <cve>CVE-2021-21295</cve> <!-- Not applicable to Netty Client -->
+    <cve>CVE-2021-21409</cve> <!-- Not applicable to Netty Client -->
     <cve>CVE-2021-37136</cve>
     <cve>CVE-2021-37137</cve>
-    <cve>CVE-2021-43797</cve>
-    <cve>CVE-2022-24823</cve>
+    <cve>CVE-2021-43797</cve> <!-- Not applicable to Netty Client -->
+    <cve>CVE-2022-24823</cve> <!-- Not applicable to Netty Client -->
     <cve>CVE-2022-41881</cve>
   </suppress>
   <suppress>
@@ -861,7 +861,11 @@
       file name: guava-16.0.1.jar
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@16.0.1$</packageUrl>
+    <!--
+      ~ We don't either use AtomicDoubleArray (when serialized with Java serialization) or
+      ~ CompoundOrdering (when serialized with GWT serialization) nor do we use Java or GWT serialization. https://nvd.nist.gov/vuln/detail/cve-2018-10237
+    -->
     <cve>CVE-2018-10237</cve>
-    <cve>CVE-2020-8908</cve>
+    <cve>CVE-2020-8908</cve> <!-- We do use com.google.common.io.Files.createTempDir() https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
   </suppress>
 </suppressions>

From 4b58e77c3bbcd1da79d8b8c96c0d779d74136adf Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Tue, 20 Jun 2023 13:38:06 +0530
Subject: [PATCH 07/13] suppress CVE-2023-35116, fix cve-2023-34455 by
 upgrading snappy-java

---
 .github/workflows/cron-job-its.yml      | 1 +
 owasp-dependency-check-suppressions.xml | 1 +
 pom.xml                                 | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index 0f0d303fcd5a..184ac5d5a9ca 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -110,6 +110,7 @@ jobs:
     if: github.repository == 'apache/druid'
     name: security vulnerabilities
     strategy:
+      fail-fast: false
       matrix:
         HADOOP_PROFILE: [ '', '-Phadoop2' ]
     runs-on: ubuntu-latest
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 860da64ee6fa..bf8132cb4e73 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -122,6 +122,7 @@
     https://github.com/FasterXML/jackson-databind/issues/3328
     -->
     <cve>CVE-2021-46877</cve>
+    <cve>CVE-2023-35116</cve> <!-- This vulnerability is currently awaiting analysis. -->
   </suppress>
 
 
diff --git a/pom.xml b/pom.xml
index 432adba40438..51772b29d2b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -754,7 +754,7 @@
             <dependency>
                 <groupId>org.xerial.snappy</groupId>
                 <artifactId>snappy-java</artifactId>
-                <version>1.1.8.4</version>
+                <version>1.1.10.1</version>
             </dependency>
             <dependency>
                 <groupId>com.google.protobuf</groupId>

From 390b78d0d8b032946af8da68c43fdb1221b08305 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Mon, 3 Jul 2023 15:37:56 +0530
Subject: [PATCH 08/13] suppress CVE-2023-2976, jquery.datatables@1.10.18
 prototype pollution

---
 owasp-dependency-check-suppressions.xml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index cd26f100ad92..f8a50bb8ee42 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -826,6 +826,14 @@
     <cve>CVE-2022-26612</cve>
     <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
     <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- this is from shaded guava dependency -->
+  </suppress>
+  <suppress>
+    <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
+    <notes><![CDATA[
+     file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/jquery.datatables@1.10.18)
+     ]]></notes>
+    <vulnerabilityName>prototype pollution</vulnerabilityName>
   </suppress>
   <suppress>
     <notes><![CDATA[
@@ -859,6 +867,7 @@
       ~ CompoundOrdering (when serialized with GWT serialization) nor do we use Java or GWT serialization. https://nvd.nist.gov/vuln/detail/cve-2018-10237
     -->
     <cve>CVE-2018-10237</cve>
-    <cve>CVE-2020-8908</cve> <!-- We do use com.google.common.io.Files.createTempDir() https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
+    <cve>CVE-2020-8908</cve> <!-- We do not use com.google.common.io.Files.createTempDir() https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
+    <cve>CVE-2023-2976</cve> <!-- We do not use com.google.common.io.FileBackedOutputStream https://nvd.nist.gov/vuln/detail/CVE-2023-2976 -->
   </suppress>
 </suppressions>

From 5d2e222b6ad1c80007c45928c0abe6d79a8d6863 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Mon, 3 Jul 2023 20:55:53 +0530
Subject: [PATCH 09/13] update description, remove maven build before
 dependency-check

---
 .github/workflows/cron-job-its.yml      | 4 ----
 owasp-dependency-check-suppressions.xml | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index d78eec88fb5d..dffd6aa48508 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -125,10 +125,6 @@ jobs:
           distribution: 'zulu'
           cache: maven
 
-      - name: Maven build
-        id: maven_build
-        run: ./it.sh ci
-
       - name: security vulnerabilities check
         env:
           MVN: mvn --no-snapshot-updates
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index f8a50bb8ee42..53f20081e1aa 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -826,7 +826,7 @@
     <cve>CVE-2022-26612</cve>
     <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
     <cve>CVE-2023-25613</cve>
-    <cve>CVE-2023-2976</cve> <!-- this is from shaded guava dependency -->
+    <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream -->
   </suppress>
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->

From fecb0ccafe693e89f3386eb09922b222e4b2070e Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Wed, 5 Jul 2023 12:19:40 +0530
Subject: [PATCH 10/13] update comments

---
 owasp-dependency-check-suppressions.xml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 53f20081e1aa..e72225a54aa4 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -122,7 +122,8 @@
     https://github.com/FasterXML/jackson-databind/issues/3328
     -->
     <cve>CVE-2021-46877</cve>
-    <cve>CVE-2023-35116</cve> <!-- This vulnerability is currently awaiting analysis. -->
+    <!-- according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
+    <cve>CVE-2023-35116</cve>
   </suppress>
 
 
@@ -221,13 +222,13 @@
     <cve>CVE-2019-20444</cve>
     <cve>CVE-2019-20445</cve>
     <cve>CVE-2020-11612</cve>
-    <cve>CVE-2021-21290</cve> <!-- Not applicable to Netty Client -->
-    <cve>CVE-2021-21295</cve> <!-- Not applicable to Netty Client -->
-    <cve>CVE-2021-21409</cve> <!-- Not applicable to Netty Client -->
+    <cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 -->
+    <cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj -->
+    <cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32 -->
     <cve>CVE-2021-37136</cve>
     <cve>CVE-2021-37137</cve>
-    <cve>CVE-2021-43797</cve> <!-- Not applicable to Netty Client -->
-    <cve>CVE-2022-24823</cve> <!-- Not applicable to Netty Client -->
+    <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
+    <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
     <cve>CVE-2022-41881</cve>
   </suppress>
   <suppress>

From 94a4f4e5bb97abcb5fa70d557f9ee532982a6db0 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Wed, 5 Jul 2023 19:12:21 +0530
Subject: [PATCH 11/13] force update snapshots

---
 .github/workflows/cron-job-its.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index dffd6aa48508..0fb69f22b948 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -125,9 +125,11 @@ jobs:
           distribution: 'zulu'
           cache: maven
 
+      - name: maven build # needed to rebuild incase of maven snapshot resolution fails
+        run: ./it.sh ci
+
       - name: security vulnerabilities check
         env:
-          MVN: mvn --no-snapshot-updates
           HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
         run: |
           mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "

From 47cc31fc4ec4105eb9571d308e0d97267fad8af6 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Thu, 6 Jul 2023 10:26:39 +0530
Subject: [PATCH 12/13] skip web console build

---
 .github/workflows/cron-job-its.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml
index 0fb69f22b948..3752b6c60eae 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -126,7 +126,7 @@ jobs:
           cache: maven
 
       - name: maven build # needed to rebuild incase of maven snapshot resolution fails
-        run: ./it.sh ci
+        run: mvn clean install dependency:go-offline -P dist -P skip-static-checks,skip-tests -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dweb.console.skip=true
 
       - name: security vulnerabilities check
         env:

From 3876641b678d95b38cedc34a257f7985d0e2f7a7 Mon Sep 17 00:00:00 2001
From: "tejaswini.bandlamudi" <tejaswini.bandlamudi@imply.io>
Date: Thu, 6 Jul 2023 19:39:28 +0530
Subject: [PATCH 13/13] address review comments

---
 owasp-dependency-check-suppressions.xml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index e72225a54aa4..2a2b2220b649 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -122,7 +122,7 @@
     https://github.com/FasterXML/jackson-databind/issues/3328
     -->
     <cve>CVE-2021-46877</cve>
-    <!-- according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
+    <!-- According to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
     <cve>CVE-2023-35116</cve>
   </suppress>
 
@@ -855,9 +855,6 @@
     <cve>CVE-2021-4277</cve>
   </suppress>
 
-  <!--
-    ~ TODO: Update guava to any version after 29.0
-  -->
   <suppress>
     <notes><![CDATA[
       file name: guava-16.0.1.jar