From 26d02fff490805fb71047afa034d5597c02382d8 Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Mon, 19 Jun 2023 20:52:44 -0500
Subject: [PATCH] NIFI-11729 Upgraded OWASP Dependency Check from 8.2.1 to
 8.3.1

- Updated OWASP suppressions to exclude several JSON and Kafka false positives
- Excluded JUnit dependency from Hive 3 JDBC

This closes #7411

Signed-off-by: Mike Thomsen <mthomsen@apache.org>
---
 nifi-dependency-check-maven/suppressions.xml  | 70 +++++++++----------
 .../nifi-hive3-processors/pom.xml             |  4 ++
 pom.xml                                       |  2 +-
 3 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 83c36fae39..e4e0cdac1d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,11 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
-        <cpe regex="true">^cpe:.*$</cpe>
-    </suppress>
     <suppress>
         <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
@@ -149,11 +144,6 @@
         <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client-sniffer@.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-34271 applies to Atlas Server not the Atlas client library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.atlas/.*$</packageUrl>
-        <cve>CVE-2022-34271</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2022-30187 applies to Azure Blob not the EventHubs Checkpoint Store Blob library</notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
@@ -164,21 +154,11 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl>
         <cve>CVE-2022-39135</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2018-8016 applies to Apache Cassandra server not the client library</notes>
-        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
-        <cve>CVE-2018-8016</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations</notes>
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl>
         <cve>CVE-2018-1000873</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2021-34371 applies to Neo4j server not the driver library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.opencypher\.gremlin/cypher\-gremlin\-neo4j\-driver@.*$</packageUrl>
-        <cve>CVE-2021-34371</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
@@ -189,21 +169,6 @@
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
         <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>CVE-2022-31160 included in hadoop-client-api is not used</notes>
-        <packageUrl regex="true">^pkg:javascript/jquery\-ui@.*$</packageUrl>
-        <cve>CVE-2022-31160</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-37533 applies to the Commons Net FTP Client which is not used in the version bundled with hadoop-client-runtime for Accumulo</notes>
-        <packageUrl regex="true">^pkg:maven/commons\-net/commons\-net@.*$</packageUrl>
-        <cve>CVE-2021-37533</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2021-0341 applies to Android not OkHttp</notes>
-        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp/okhttp@.*$</packageUrl>
-        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/token\-provider@.*$</packageUrl>
@@ -259,4 +224,39 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
+    <suppress>
+        <notes>CVE-2022-45688 applies to hutools-json not org.json</notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+    <suppress>
+        <notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25194 applies to Kafka Connect workers not client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2023-25194</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-34917 applies to Kafka brokers not client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
+        <cve>CVE-2022-34917</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.kerby/kerb.*?@.*$</packageUrl>
+        <cve>CVE-2023-25613</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-24823</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-41915 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
+        <cve>CVE-2022-41915</cve>
+    </suppress>
 </suppressions>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
index 7778b87691..7629db7eaa 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
@@ -129,6 +129,10 @@
                     <groupId>com.google.code.findbugs</groupId>
                     <artifactId>jsr305</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/pom.xml b/pom.xml
index 81ef2d0d6e..afa8570591 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1154,7 +1154,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>8.2.1</version>
+                        <version>8.3.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>