From 9f7d4347c423fac32a6818ec8547e619fefcaa3d Mon Sep 17 00:00:00 2001
From: AmatyaAvadhanula <amatya.avadhanula@imply.io>
Date: Mon, 24 Jul 2023 18:01:56 +0530
Subject: [PATCH 1/3] Suppress ambari metrics CVEs (#14645)

* Suppress ambari metrics CVEs
---
 owasp-dependency-check-suppressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 465d4cb0b1c2..26766c11f1d9 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -391,6 +391,13 @@
     <packageUrl regex="true">^pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1$</packageUrl>
     <cve>CVE-2022-33915</cve>
   </suppress>
+  <suppress>
+     <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar
+    ]]></notes>
+    <cve>CVE-2022-45855</cve>
+    <cve>CVE-2022-42009</cve>
+  </suppress>
   <suppress>
     <!--
       - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.

From c14d60dd546ce217cc08b6b2c02211f9a209db8d Mon Sep 17 00:00:00 2001
From: AmatyaAvadhanula <amatya.avadhanula@imply.io>
Date: Tue, 25 Jul 2023 13:37:50 +0530
Subject: [PATCH 2/3] Suppress CVEs (#14648)

CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing.
CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal
---
 owasp-dependency-check-suppressions.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 26766c11f1d9..8a3ec43419d4 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -230,6 +230,7 @@
     <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
     <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
     <cve>CVE-2022-41881</cve>
+    <cve>CVE-2023-34462</cve>	<!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
   </suppress>
   <suppress>
     <!-- TODO: Fix by upgrading hadoop-auth version -->
@@ -688,6 +689,7 @@
    file name: okhttp-*.jar
    ]]></notes>
     <cve>CVE-2021-0341</cve>
+    <cve>CVE-2016-2402</cve>	<!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
   </suppress>
 
   <suppress>

From b7f68f2a7865b5bf996e76ee4c3624b0004abf32 Mon Sep 17 00:00:00 2001
From: Amatya <amatya.avadhanula@imply.io>
Date: Tue, 25 Jul 2023 15:56:39 +0530
Subject: [PATCH 3/3] Suppress unrelated CVEs in kubernetes overlord extension

---
 owasp-dependency-check-suppressions.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8a3ec43419d4..e24138f806c5 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -281,6 +281,7 @@
     <!-- false positive -->
     <cve>CVE-2023-2251</cve>
     <cve>CVE-2022-3064</cve>
+    <cve>CVE-2021-4235</cve>	<!-- Suppressed as we don't parse user provided yamls -->
   </suppress>
   <suppress>
     <notes><![CDATA[
@@ -860,4 +861,11 @@
     <cve>CVE-2020-8908</cve> <!-- We do not use com.google.common.io.Files.createTempDir() https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
     <cve>CVE-2023-2976</cve> <!-- We do not use com.google.common.io.FileBackedOutputStream https://nvd.nist.gov/vuln/detail/CVE-2023-2976 -->
   </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+      file name: okio-1.15.0.jar
+    ]]></notes>
+    <cve>CVE-2023-3635</cve> <!-- We don't expect a DOS due to malformed gzip buffers because externally crafted gzip archives are not expected as input to Druid -->
+  </suppress>
 </suppressions>