Conversation

@Jason918
Contributor

@Jason918 Jason918 commented Sep 21, 2022

Motivation

Currently owasp ci check fails on branch-2.10.
See https://github.com/Jason918/pulsar/actions/runs/3088190603/jobs/4994380011#step:8:53

Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project distribution: 
Error:  
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error:  
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: aether-connector-asynchttpclient-1.13.1.jar: CVE-2017-14063(7.5), CVE-2021-43138(7.8)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: async-http-client-1.6.5.jar: CVE-2021-43138(7.8)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: grpc-netty-1.45.1.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar: CVE-2021-42550(6.6)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-compat-3.0.5.jar: CVE-2021-26291(9.1)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar: CVE-2021-26291(9.1)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-settings-3.0.5.jar: CVE-2021-26291(9.1)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: netty-3.10.6.Final.jar: CVE-2019-16869(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: okhttp-3.14.9.jar: CVE-2021-0341(7.5)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: plexus-utils-2.0.6.jar: CVE-2017-1000487(9.8)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-cli-332.jar: CVE-2020-15087(8.8)
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-spi-332.jar: CVE-2020-15087(8.8)

Modifications

Exclude distribution and distribution/server from owasp check.

Verifying this change

  • Make sure that the change passes the CI checks.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • Anything that affects deployment

Documentation

  • doc-required
    (Your PR needs to update docs and you will update later)

  • doc-not-needed
    bug fix

  • doc
    (Your PR contains doc changes)

  • doc-complete
    (Docs have been already added)

Matching PR in forked repository

PR in forked repository: Jason918#6
branch-2.10 in my fork contains this PR. See https://github.com/Jason918/pulsar/tree/branch-2.10

@Jason918 Jason918 self-assigned this Sep 21, 2022
@Jason918 Jason918 added type/bug The PR fixed a bug or issue reported a bug area/ci labels Sep 21, 2022
@Jason918
Contributor Author

@lhotari @nicoloboschi @dlg99 PTAL

@Jason918 Jason918 requested a review from eolivelli September 21, 2022 13:30
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Sep 21, 2022
@eolivelli
Contributor

Why do we do this only on this branch?

@Jason918
Contributor Author

> Why do we do this only on this branch?

@eolivelli
This occurs after I triggered the last CI for release 2.10.2 in my fork Jason918#6.

The master branch won't have this issue as presto is upgraded in #16683.
As for other released branches, I will cherry-pick this if they have the same issue.

I am not sure when this owasp check starts failing. But I think we missed a step to trigger a full CI before cutting a release candidate. Currently owasp check will be skipped if there are no modifications on "pom" files. I will put some updates to the release process after this release.

@Jason918
Contributor Author

@nicoloboschi @lhotari
After a deeper look, it turns out that the problem is that the file name "pulsar-presto-distribution.tar.gz" mismatched the previous suppression rule in the suppression file. It's a simple fix now and it's validated in my fork. See https://github.com/Jason918/pulsar/actions/runs/3110052763/jobs/5040852313
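One way to check suppression regexes against the dependency names printed in such a CI failure before pushing, as an added example that is not code from this PR or from Pulsar's suppression file. The two rule sets, the tar-style paths (copied from the log's display form), and the matching semantics (a `regex="true"` `filePath` must fully match the path; a rule with `<cve>` children suppresses only those CVEs, one without is treated as suppressing every finding on that path) are assumptions modelled on the dependency-check suppression schema, not the tool's own implementation:

```python
"""Dry-run dependency-check style suppression rules against CI findings.

Added illustration; rules, paths and semantics below are constructed and are
not Pulsar's suppression file or dependency-check's matching code.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the dependency-check suppression schema (real schema URL).
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Hypothetical stale rule: anchored on a directory layout ("<name>/...jar"),
# so it can never match a dependency reported inside a renamed tarball.
STALE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Presto bundle (hypothetical stale rule)</notes>
    <filePath regex="true">.*pulsar-presto-distribution/.*\.jar</filePath>
    <cve>CVE-2021-26291</cve>
    <cve>CVE-2017-1000487</cve>
  </suppress>
</suppressions>
"""

# Hypothetical corrected rule: anchored on the archive name the log prints.
FIXED_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Presto bundle (hypothetical corrected rule)</notes>
    <filePath regex="true">.*pulsar-presto-distribution\.tar\.gz.*\.jar</filePath>
    <cve>CVE-2021-26291</cve>
    <cve>CVE-2017-1000487</cve>
  </suppress>
</suppressions>
"""

# Constructed findings in the shape of the CI log: (display path, CVE, CVSS score).
CI_FINDINGS = [
    ("pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar",
     "CVE-2021-26291", 9.1),
    ("pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: plexus-utils-2.0.6.jar",
     "CVE-2017-1000487", 9.8),
    ("pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar",
     "CVE-2021-42550", 6.6),
]


def load_rules(xml_text):
    """Parse <suppress> elements into (path matcher, set of CVEs) pairs."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        fp = sup.find("s:filePath", NS)
        if fp is None:
            continue  # only filePath-based rules are modelled here
        text = (fp.text or "").strip()
        if fp.get("regex") == "true":
            pattern = re.compile(text)
            matcher = lambda path, p=pattern: p.fullmatch(path) is not None
        else:
            matcher = lambda path, t=text: path == t
        cves = {c.text.strip() for c in sup.findall("s:cve", NS) if c.text}
        rules.append((matcher, cves))
    return rules


def rule_suppresses(rule, path, cve):
    """A rule applies when the path matches and the CVE is listed (or none are)."""
    matcher, cves = rule
    return matcher(path) and (not cves or cve in cves)


def unsuppressed(findings, rules, threshold=7.0):
    """Findings at or above the CI fail threshold that no rule suppresses."""
    return [
        (path, cve, score)
        for path, cve, score in findings
        if score >= threshold and not any(rule_suppresses(r, path, cve) for r in rules)
    ]


if __name__ == "__main__":
    for label, xml_text in (("stale", STALE_SUPPRESSIONS), ("fixed", FIXED_SUPPRESSIONS)):
        left = unsuppressed(CI_FINDINGS, load_rules(xml_text))
        print(f"{label}: {len(left)} finding(s) would still fail the build")
        for path, cve, score in left:
            print(f"  {path}: {cve}({score})")
```

Running it shows the stale regex leaving both 9.x findings unsuppressed while the corrected one clears them; the logback entry is below the 7.0 threshold either way, so it never fails the build regardless of rules. Pointing `CI_FINDINGS` at paths pasted from a real failure is the quickest way to see whether a renamed artifact silently orphaned a suppression.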

@Jason918
Contributor Author

Jason918 commented Sep 23, 2022

Current OWASP Dependency Check fails because of "CVE-2022-25857" which is fixed in #17457.

@Jason918 Jason918 merged commit aa68ef8 into apache:branch-2.10 Sep 23, 2022
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Sep 28, 2022
Labels

area/ci doc-not-needed Your PR changes do not impact docs ready-to-test type/bug The PR fixed a bug or issue reported a bug

3 participants