NIFI-9213 Upgraded Dependency Check Plugin to 6.3.1

- Suppressed false positive for ftpserver
- Suppressed false positive for com.metamx:http-client
- Suppressed false positive for Jetty servlet-api
- Suppressed false positive for Testcontainers MySQL
- Suppressed false positive for vorbis-java-tika

This closes #5384

Signed-off-by: Joe Gresock <jgresock@gmail.com>

nifi-dependency-check-maven/suppressions.xml

@@ -15,13 +15,38 @@
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
-        <notes>Suppress false positives for Apache NiFi packages</notes>
+        <notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi/.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
     <suppress>
-        <notes>Suppress false positives for Jetty Test Helper</notes>
+        <notes>Jetty Test Helper is incorrectly identified as part of Jetty Server</notes>
         <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-test-helper.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
+    <suppress>
+        <notes>Apache FTP Server library is incorrectly identified with Apache HTTP Server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/ftpserver\-core@.*$</packageUrl>
+        <cpe>cpe:/a:apache:http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
+        <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
+        <cpe>cpe:/a:netty:netty</cpe>
+    </suppress>
+    <suppress>
+        <notes>Servlet API libraries with the Jetty package are incorrectly associated with Jetty Server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
+        <cpe regex="true">^cpe:/a:.*:jetty:.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
+        <cpe>cpe:/a:mysql:mysql</cpe>
+    </suppress>
+    <suppress>
+        <notes>Vorbis Java Tika is incorrectly linked to flac_project</notes>
+        <packageUrl regex="true">^pkg:maven/org\.gagravarr/vorbis\-java\-tika@.*$</packageUrl>
+        <cpe>cpe:/a:flac_project:flac</cpe>
+    </suppress>
 </suppressions>

pom.xml

@@ -1109,7 +1109,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>6.1.5</version>
+                        <version>6.3.1</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>
@@ -1118,6 +1118,8 @@
                                 </goals>
                                 <configuration>
                                     <suppressionFiles>nifi-dependency-check-maven/suppressions.xml</suppressionFiles>
+                                    <!-- Skip System Scope to avoid dependency resolution errors with jdk.tools on Java 8 -->
+                                    <skipSystemScope>true</skipSystemScope>
                                 </configuration>
                             </execution>
                         </executions>