From cb451e475ea61d919658c0bfe328ffc2978de70d Mon Sep 17 00:00:00 2001
From: joohyukkim <beanskobe@gmail.com>
Date: Wed, 12 Jul 2023 20:30:20 +0900
Subject: [PATCH 1/5] add suppression

---
 src/owasp-dependency-check-suppressions.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 2cb82677db087..4e13b3d1dfa55 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -181,6 +181,15 @@
         <sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1>
         <cve>CVE-2021-25263</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: clickhouse-jdbc-0.4.6-all.jar
+        CVE cannot take effect, as covered by
+        See(PR) https://github.com/apache/pulsar/pull/20699
+    ]]></notes>
+        <sha1>6efc73bb044a64add5555d676a8074b8389632e6</sha1>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
     <suppress>
         <notes><![CDATA[
      file name: logback-core-1.1.3.jar

From 3c4a7b996b332a2227afeb439165f796b09a3dae Mon Sep 17 00:00:00 2001
From: joohyukkim <beanskobe@gmail.com>
Date: Wed, 12 Jul 2023 20:38:43 +0900
Subject: [PATCH 2/5] Add more URL

---
 src/owasp-dependency-check-suppressions.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 4e13b3d1dfa55..bf568178bbcd4 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -184,8 +184,9 @@
     <suppress>
         <notes><![CDATA[
         file name: clickhouse-jdbc-0.4.6-all.jar
-        CVE cannot take effect, as covered by
-        See(PR) https://github.com/apache/pulsar/pull/20699
+        file link: https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6
+        CVE cannot take effect
+        Already covered by PR https://github.com/apache/pulsar/pull/20699
     ]]></notes>
         <sha1>6efc73bb044a64add5555d676a8074b8389632e6</sha1>
         <cve>CVE-2023-2976</cve>

From a19fdfea41333b03416d45b3693adbab542d05de Mon Sep 17 00:00:00 2001
From: joohyukkim <beanskobe@gmail.com>
Date: Tue, 18 Jul 2023 23:53:46 +0900
Subject: [PATCH 3/5] Fix mismatched checksu and add canal.client

---
 src/owasp-dependency-check-suppressions.xml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index bf568178bbcd4..2b74f40343071 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -109,6 +109,15 @@
         <sha1>b87878db57d5cfc2ca7d3972cc8f7486bf02fbca</sha1>
         <cve>CVE-2020-8908</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: canal.client-1.1.5.jar (shaded: com.google.guava:guava:32.1.1)
+        CVE cannot take effect.
+        Already covered by PR https://github.com/apache/pulsar/pull/20699
+    ]]></notes>
+        <sha1>b87878db57d5cfc2ca7d3972cc8f7486bf02fbca</sha1>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
 
     <!-- clickhouse: security scan matches client lib to the server CVEs -->
     <suppress>
@@ -183,12 +192,12 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-        file name: clickhouse-jdbc-0.4.6-all.jar
+        file name: clickhouse-jdbc-0.4.6.jar
         file link: https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6
         CVE cannot take effect
         Already covered by PR https://github.com/apache/pulsar/pull/20699
     ]]></notes>
-        <sha1>6efc73bb044a64add5555d676a8074b8389632e6</sha1>
+        <sha1>0ea8674ff292c7e093d90981241fa7874c6dd657</sha1>
         <cve>CVE-2023-2976</cve>
     </suppress>
     <suppress>

From 8311d3097f57f3ce2d9c737446417450a6d87ea6 Mon Sep 17 00:00:00 2001
From: joohyukkim <beanskobe@gmail.com>
Date: Wed, 19 Jul 2023 01:19:56 +0900
Subject: [PATCH 4/5] Update owasp-dependency-check-suppressions.xml

---
 src/owasp-dependency-check-suppressions.xml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 2b74f40343071..aea2e4311f000 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -111,14 +111,13 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-        file name: canal.client-1.1.5.jar (shaded: com.google.guava:guava:32.1.1)
-        CVE cannot take effect.
-        Already covered by PR https://github.com/apache/pulsar/pull/20699
+    file name: canal.client-1.1.5.jar (shaded: com.google.guava:guava:32.1.1)
+    CVE cannot take effect.
+    Already covered by PR https://github.com/apache/pulsar/pull/20699
     ]]></notes>
         <sha1>b87878db57d5cfc2ca7d3972cc8f7486bf02fbca</sha1>
         <cve>CVE-2023-2976</cve>
     </suppress>
-
     <!-- clickhouse: security scan matches client lib to the server CVEs -->
     <suppress>
         <notes><![CDATA[
@@ -192,12 +191,11 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-        file name: clickhouse-jdbc-0.4.6.jar
-        file link: https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6
-        CVE cannot take effect
-        Already covered by PR https://github.com/apache/pulsar/pull/20699
+    file name: clickhouse-jdbc-0.4.6-all.jar (shaded: com.google.guava:guava:32.1.1)
+    CVE cannot take effect.
+    Already covered by PR https://github.com/apache/pulsar/pull/20699
     ]]></notes>
-        <sha1>0ea8674ff292c7e093d90981241fa7874c6dd657</sha1>
+        <sha1>6efc73bb044a64add5555d676a8074b8389632e6</sha1>
         <cve>CVE-2023-2976</cve>
     </suppress>
     <suppress>

From af2a5f170c3b4bfaa1463acac0b70184df235c90 Mon Sep 17 00:00:00 2001
From: joohyukkim <beanskobe@gmail.com>
Date: Wed, 19 Jul 2023 19:55:54 +0900
Subject: [PATCH 5/5] Update owasp-dependency-check-suppressions.xml

---
 src/owasp-dependency-check-suppressions.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index aea2e4311f000..d5ddc28e884cb 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -195,7 +195,7 @@
     CVE cannot take effect.
     Already covered by PR https://github.com/apache/pulsar/pull/20699
     ]]></notes>
-        <sha1>6efc73bb044a64add5555d676a8074b8389632e6</sha1>
+        <sha1>d3b929509399a698915b24ff47db781d0c526760</sha1>
         <cve>CVE-2023-2976</cve>
     </suppress>
     <suppress>