From ccb68a843cddf186680edf3c921d1a73e4c30b1e Mon Sep 17 00:00:00 2001
From: Joe Di Pol <joe.dipol@oracle.com>
Date: Tue, 8 Oct 2024 11:47:53 -0700
Subject: [PATCH 1/2] Upgrade dependency check plugin

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 90c1f9ed4a2..76e80c73cc7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
         <version.plugin.source>3.3.0</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>10.0.2</version.plugin.dependency-check>
+        <version.plugin.dependency-check>10.0.4</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>

From 828fbef1e86b3b9be505c05b80edd4b25f15c8b4 Mon Sep 17 00:00:00 2001
From: Joe Di Pol <joe.dipol@oracle.com>
Date: Tue, 8 Oct 2024 11:48:12 -0700
Subject: [PATCH 2/2] Suppress glassfish false positive

---
 etc/dependency-check-suppression.xml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
index 771312c2cb0..4e5518a3ad8 100644
--- a/etc/dependency-check-suppression.xml
+++ b/etc/dependency-check-suppression.xml
@@ -2,6 +2,21 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
 
+<!-- False Positive
+     This CVE is against the GlassFish application server, but is mistakenly being
+     identified in various org.glassfish artifacts
+https://github.com/jeremylong/DependencyCheck/issues/7021
+https://github.com/jeremylong/DependencyCheck/issues/7020
+https://github.com/jeremylong/DependencyCheck/issues/7019
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.el-4.0.2.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish.*/(jakarta\.el|jakarta\.json|jaxb-core|jaxb-runtime|osgi-resource-locator|txw2)@.*$</packageUrl>
+   <cve>CVE-2024-9329</cve>
+</suppress>
+
 <!--
     This CVE is against DOMPurify brought in by javascript in the smallrye UI component.
     In 4.x we made this component "provided". We can't do that in 2.x and 3.x due to compatiblity concerns.