From 6c6cb99b3808ea76f56c14899691c48ee5756ad9 Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Tue, 14 Jun 2022 15:51:22 -0500
Subject: [PATCH] NIFI-10118 Upgraded OWASP Dependency Check from 7.1.0 to
 7.1.1

This closes #6127

Signed-off-by: David Handermann <exceptionfactory@apache.org>
---
 nifi-dependency-check-maven/suppressions.xml | 35 ++++++++++++++++++++
 pom.xml                                      |  2 +-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 9b1b2cdf2e..a48534c8f8 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -59,4 +59,39 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
         <cpe>cpe:/a:apache:zookeeper</cpe>
     </suppress>
+    <suppress>
+        <notes>H2 1.4.200 is shaded and repackaged without vulnerable components in nifi-h2-database for migration</notes>
+        <packageUrl>pkg:maven/com.h2database/h2@1.4.200</packageUrl>
+        <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
+        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
+        <packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-5408 does not apply to Spring Security Crypto 5.7.1 and later</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
+        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
+        <cpe>cpe:/a:vmware:spring_security</cpe>
+    </suppress>
+    <suppress>
+        <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
+        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
+        <cpe regex="true">^cpe:.*$</cpe>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index 2a3bf2e828..add3eaa21d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1245,7 +1245,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.1.0</version>
+                        <version>7.1.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>