From 50cda9a2e6edfad281ad827f116f56d103d58977 Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Sat, 1 Apr 2023 18:02:38 -0500
Subject: [PATCH] NIFI-11371 Upgraded Ranger from 2.3.0 to 2.4.0

- Updated Elasticsearch client false positive vulnerability suppressions for new Ranger transitive dependencies

Signed-off-by: Pierre Villard <pierre.villard.fr@gmail.com>

This closes #7109.
---
 nifi-dependency-check-maven/suppressions.xml | 13 +++++++++----
 pom.xml                                      |  2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index e348670685..83c36fae39 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -106,17 +106,17 @@
     </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
-        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
-        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
-        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
@@ -129,9 +129,14 @@
         <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
         <cve>CVE-2020-7014</cve>
     </suppress>
+    <suppress>
+        <notes>CVE-2021-22145 applies to Elasticsearch Server not client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
+        <vulnerabilityName>CVE-2021-22145</vulnerabilityName>
+    </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
-        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.*$</packageUrl>
         <cpe regex="true">^cpe:/a:elastic.*$</cpe>
     </suppress>
     <suppress>
diff --git a/pom.xml b/pom.xml
index b1c0003ecb..0416019679 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
         <org.bouncycastle.version>1.71</org.bouncycastle.version>
         <testcontainers.version>1.17.6</testcontainers.version>
         <org.slf4j.version>2.0.7</org.slf4j.version>
-        <ranger.version>2.3.0</ranger.version>
+        <ranger.version>2.4.0</ranger.version>
         <jetty.version>9.4.50.v20221201</jetty.version>
         <jackson.bom.version>2.14.2</jackson.bom.version>
         <avro.version>1.11.1</avro.version>