3.x: Suppress GlassFish false positives (#9339)

* Upgrade dependency check plugin * Suppress glassfish false positive
helidon-io · Oct 8, 2024 · 26f8d93 · 26f8d93
1 parent 316d0da
commit 26f8d93
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -2,6 +2,21 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
 
+<!-- False Positive
+     This CVE is against the GlassFish application server, but is mistakenly being
+     identified in various org.glassfish artifacts
+https://github.com/jeremylong/DependencyCheck/issues/7021
+https://github.com/jeremylong/DependencyCheck/issues/7020
+https://github.com/jeremylong/DependencyCheck/issues/7019
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.el-4.0.2.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish.*/(jakarta\.el|jakarta\.json|jaxb-core|jaxb-runtime|osgi-resource-locator|txw2)@.*$</packageUrl>
+   <cve>CVE-2024-9329</cve>
+</suppress>
+
 <!--
     This CVE is against DOMPurify brought in by javascript in the smallrye UI component.
     In 4.x we made this component "provided". We can't do that in 2.x and 3.x due to compatiblity concerns.

diff --git a/pom.xml b/pom.xml
@@ -119,7 +119,7 @@
         <version.plugin.source>3.3.0</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>10.0.2</version.plugin.dependency-check>
+        <version.plugin.dependency-check>10.0.4</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>