From a7bf2763cd61a7f8541c199ba6daef73851dceda Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Fri, 2 Dec 2022 07:57:20 -0600
Subject: [PATCH] NIFI-10933 Upgraded OWASP Dependency Check from 7.1.2 to
 7.3.2

- Removed non-applicable suppressions
- Added suppressions for Elasticsearch client libraries and other false positives

Signed-off-by: Pierre Villard <pierre.villard.fr@gmail.com>

This closes #6751.
---
 nifi-dependency-check-maven/suppressions.xml | 84 +++++++++++---------
 pom.xml                                      |  2 +-
 2 files changed, 48 insertions(+), 38 deletions(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 90d67d1063..b2b982eb4d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,26 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
-        <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
-        <cpe>cpe:/a:netty:netty</cpe>
-    </suppress>
-    <suppress>
-        <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
-        <cpe>cpe:/a:mysql:mysql</cpe>
-    </suppress>
-    <suppress>
-        <notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
-        <packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
-        <cve>CVE-2021-43138</cve>
-    </suppress>
-    <suppress>
-        <notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
-        <cve>CVE-2021-43138</cve>
-    </suppress>
     <suppress>
         <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
         <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
@@ -49,11 +29,6 @@
         <packageUrl regex="true">^pkg:maven/com\.zendesk/mysql\-binlog\-connector\-java@.*$</packageUrl>
         <cpe>cpe:/a:mysql:mysql</cpe>
     </suppress>
-    <suppress>
-        <notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
-        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
-        <cpe>cpe:/a:mariadb:mariadb</cpe>
-    </suppress>
     <suppress>
         <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
@@ -65,14 +40,9 @@
         <vulnerabilityName regex="true">^CVE.*$</vulnerabilityName>
     </suppress>
     <suppress>
-        <notes>H2 2 is not vulnerable to CVE-2018-14335</notes>
+        <notes>CVE-2022-45868 requires running H2 from a command not applicable to project references</notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2.*$</packageUrl>
-        <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes>Jetty apache-jsp is not part of Apache Tomcat server</notes>
-        <packageUrl>pkg:maven/org.mortbay.jasper/apache-jsp@8.5.70</packageUrl>
-        <cpe>cpe:/a:apache:tomcat</cpe>
+        <vulnerabilityName>CVE-2022-45868</vulnerabilityName>
     </suppress>
     <suppress>
         <notes>CVE-2016-1000027 does not apply to Spring Web 5.3.20 and later</notes>
@@ -84,11 +54,6 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>Spring Security Kerberos Core is an extension of the Spring Security project</notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.kerberos/spring\-security\-kerberos.*$</packageUrl>
-        <cpe>cpe:/a:vmware:spring_security</cpe>
-    </suppress>
     <suppress>
         <notes>Servlet API 2.5 does not include Jetty Server vulnerabilities</notes>
         <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
@@ -204,4 +169,49 @@
         <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl>
         <cve>CVE-2022-31159</cve>
     </suppress>
+    <suppress>
+        <notes>Hive vulnerabilities do not apply to Iceberg Hive Metadata</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.iceberg/iceberg\-hive\-metastore@.*$</packageUrl>
+        <cpe>cpe:/a:apache:hive</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to Elasticsearch Plugin</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.plugin/.*?@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-core</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-core@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+        <cve>CVE-2020-7009</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl>
+        <cve>CVE-2020-7014</cve>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch\-.*?@7.6.0$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
+        <cpe regex="true">^cpe:/a:elastic.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>HTTP server vulnerabilities do not apply to Apache FTP Server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
+        <cpe>cpe:/a:apache:apache_http_server</cpe>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index 14a0b77e1f..468b5987d7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1158,7 +1158,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.1.2</version>
+                        <version>7.3.2</version>
                         <executions>
                             <execution>
                                 <inherited>false</inherited>