diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index be9ecb301d..16f768e997 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,21 +19,6 @@
^pkg:maven/org\.apache\.nifi.*$
^cpe:.*$
-
- CVE-2022-45868 requires running H2 from a command not applicable to project references
- ^pkg:maven/com\.h2database/h2@2.*$
- CVE-2022-45868
-
-
- CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later
- ^pkg:maven/org\.springframework/spring\-web@.*$
- CVE-2016-1000027
-
-
- CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later
- ^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$
- CVE-2020-5408
-
CVE-2017-10355 does not apply to Xerces 2.12.2
^pkg:maven/xerces/xercesImpl@.*$
@@ -49,36 +34,6 @@
^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$
CVE-2007-6465
-
- CVE-2022-31159 applies to AWS S3 library not the SWF libraries
- ^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$
- CVE-2022-31159
-
-
- Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin
- ^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$
- ^cpe:/a:elastic.*$
-
-
- Elasticsearch Server vulnerabilities do not apply to elasticsearch-core
- ^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$
- ^cpe:/a:elastic.*$
-
-
- Elasticsearch Server vulnerabilities do not apply to elasticsearch
- ^pkg:maven/org\.elasticsearch/elasticsearch@7.*$
- ^cpe:/a:elastic.*$
-
-
- CVE-2021-22145 applies to Elasticsearch Server not client libraries
- ^pkg:maven/org\.elasticsearch/elasticsearch@.*$
- CVE-2021-22145
-
-
- Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries
- ^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$
- ^cpe:/a:elastic.*$
-
Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client
^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$
@@ -94,11 +49,6 @@
^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$
CVE-2022-30187
-
- CVE-2022-39135 applies to Apache Calcite core not the Calcite Druid library
- ^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$
- CVE-2022-39135
-
CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library
^pkg:maven/org\.apache\.ftpserver/.*$
@@ -109,11 +59,6 @@
^pkg:maven/com\.h2database/h2@.*$
CVE-2018-14335
-
- CVE-2023-25613 applies to an LDAP backend class for Apache Kerby not the Token Provider library
- ^pkg:maven/org\.apache\.kerby/token\-provider@.*$
- CVE-2023-25613
-
The Jetty Apache JSP library is not subject to Apache Tomcat vulnerabilities
^pkg:maven/org\.mortbay\.jasper/apache\-jsp@.*$
@@ -159,16 +104,6 @@
^pkg:maven/org\.apache\.kafka/kafka.*?@.*$
CVE-2023-25194
-
- CVE-2022-34917 applies to Kafka brokers not client libraries
- ^pkg:maven/org\.apache\.kafka/kafka.*?@.*$
- CVE-2022-34917
-
-
- CVE-2023-25613 applies to the LDAP Identity Backend for Kerby Server which is not used in runtime NiFi configurations
- ^pkg:maven/org\.apache\.kerby/kerb.*?@.*$
- CVE-2023-25613
-
CVE-2022-24823 applies to Netty HTTP decoding which is not applicable to Apache Kudu clients
^pkg:maven/io\.netty/netty.*?@.*$
@@ -189,31 +124,11 @@
^pkg:maven/com\.squareup\.wire/.*$
cpe:/a:wire:wire
-
- CVE-2023-44487 applies to Solr Server not Solr client libraries
- ^pkg:maven/org\.apache\.solr/solr\-solrj@.*$
- CVE-2023-44487
-
Avro project vulnerabilities do not apply to Parquet Avro
^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$
cpe:/a:avro_project:avro
-
- CVE-2023-4759 is resolved in 6.7.0 which is already upgraded in nifi-registry
- ^pkg:maven/org\.eclipse\.jgit/.*$
- CVE-2023-4759
-
-
- CVE-2023-4586 is resolved in Netty 4.1.100 which is already upgraded
- ^pkg:maven/io\.netty/netty.*$
- CVE-2023-4586
-
-
- CVE-2023-35887 applies to MINA SSHD not MINA core libraries
- ^pkg:maven/org\.apache\.mina/mina\-core@.*$
- CVE-2023-35887
-
CVE-2016-5397 applies to Apache Thrift Go not Java
^pkg:maven/org\.apache\.thrift/libthrift@.*$
@@ -274,36 +189,16 @@
^pkg:maven/org\.apache\.thrift/libfb303@.*$
CVE-2019-3559
-
- CVE-2023-36479 was resolved in Jetty 10.0.16
- ^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$
- CVE-2023-36479
-
The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version
^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$
cpe:/a:eclipse:jetty
-
- CVE-2023-31419 applies to Elasticsearch Server not client libraries
- ^pkg:maven/org\.elasticsearch/elasticsearch@.*$
- CVE-2023-31419
-
CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java
^pkg:maven/org\.apache\.avro/.*$
CVE-2023-37475
-
- CVE-2023-45860 is resolved in Hazelcast 5.3.5
- ^pkg:maven/com\.hazelcast/hazelcast@.*$
- CVE-2023-45860
-
-
- CVE-2023-36414 applies to Azure Identity for .NET not Java
- ^pkg:maven/com\.azure/azure\-identity@.*$
- CVE-2023-36414
-
CVE-2023-36415 applies to Azure Identity for Python not Java
^pkg:maven/com\.azure/azure\-identity@.*$
@@ -329,11 +224,6 @@
^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$
cpe:/a:apache:hadoop
-
- CVE-2017-7525 applies to Jackson 2 not Jackson 1
- ^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$
- CVE-2017-7525
-
CVE-2019-11358 applies to bundled copies of jQuery not used in the project
^pkg:javascript/jquery@.*$
@@ -349,11 +239,6 @@
^pkg:javascript/jquery@.*$
CVE-2020-11023
-
- CVE-2020-23064 applies to bundled copies of jQuery not used in the project
- ^pkg:javascript/jquery@.*$
- CVE-2020-23064
-
CVE-2011-4969 applies to bundled copies of jQUery not used in the project
^pkg:javascript/jquery@.*$
@@ -379,16 +264,6 @@
^pkg:javascript/jquery@.*$
jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
-
- CVE-2020-28458 applies to bundled copies of jQuery datatables not used in the project
- ^pkg:javascript/jquery\.datatables@.*$
- CVE-2020-28458
-
-
- CVE-2021-23445 applies to bundled copies of jQuery datatables not used in the project
- ^pkg:javascript/jquery\.datatables@.*$
- CVE-2021-23445
-
CVE-2023-44487 references gRPC for Go
^pkg:maven/io\.grpc/grpc.*$
@@ -404,21 +279,6 @@
^pkg:maven/com\.google\.guava/guava@.*$
CVE-2020-8908
-
- Bundled versions of jQuery DataTables are not used
- ^pkg:javascript/jquery\.datatables@.*$
- prototype pollution
-
-
- Bundled versions of jQuery DataTables are not used
- ^pkg:javascript/jquery\.datatables@.*$
- possible XSS
-
-
- Picocli misidentified as LINE library from Android so CVE-2015-0897 does not apply
- ^pkg:maven/info\.picocli/picocli@.*$
- CVE-2015-0897
-
CVE-2023-36052 applies to Azure CLI not Azure Java libraries
^pkg:maven/com\.azure/.*$
@@ -430,8 +290,23 @@
cpe:/a:amazon:ion
- JSON Path 2.9.0 resolves CVE-2023-51074
- ^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$
- CVE-2023-51074
+ CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number
+ ^pkg:maven/org\.clojure/spec\.alpha@.*$
+ CVE-2017-20189
+
+
+ CVE-2017-20189 applies to the Clojure library not the spec files which have a different version number
+ ^pkg:maven/org\.clojure/core\.specs\.alpha@.*$
+ CVE-2017-20189
+
+
+ Findings for Apache Hadoop do not apply to the shaded Protobuf library
+ ^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$
+ cpe:/a:apache:hadoop
+
+
+ CVE-2024-22201 applies to Jetty Server 10.0.19 and not Jetty client usage in Solr
+ ^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$
+ CVE-2024-22201
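Review bot: The CVE-2024-22201 suppression at the end of this hunk is scoped wider than its stated justification: the note limits it to Jetty client usage in Solr, but the pattern `^pkg:maven/org\.eclipse\.jetty\.http2/http2\-common@.*$` matches every copy and every version of http2-common found in the build. If any module ships that artifact as part of a Jetty server (the diff does not show whether one does), the finding would be hidden there as well, and it would stay hidden across future version changes. Consider narrowing the match to the Solr-bundled copy, for example with a `filePath` matcher or a pinned version in place of `@.*`, or setting an `until` date on the `suppress` element so the entry is re-evaluated. The two Clojure spec entries and the shaded Protobuf entry use the same `@.*` wildcard, which is less of a concern there because the notes describe misidentified artifacts, not usage-dependent exposure.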