From 02b441c836486dc00d1f1ddd7daeafdee9784106 Mon Sep 17 00:00:00 2001
From: Joe Di Pol <joe.dipol@oracle.com>
Date: Tue, 12 Sep 2023 08:45:18 -0700
Subject: [PATCH] Upgrade dependency-check-maven plugin and add suppression

---
 etc/dependency-check-suppression.xml | 13 +++++++++++++
 pom.xml                              |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
index f83e83e6689..73778eb9cc1 100644
--- a/etc/dependency-check-suppression.xml
+++ b/etc/dependency-check-suppression.xml
@@ -266,4 +266,17 @@
    <cve>CVE-2023-35116</cve>
 </suppress>
 
+<!--
+    This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname
+    verification by default and therefore this CVE does not apply. Some more info on the CVE here:
+    https://github.com/jeremylong/DependencyCheck/issues/5912
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: netty-handler-4.1.94.Final.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
+   <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+</suppress>
+
 </suppressions>
diff --git a/pom.xml b/pom.xml
index f4e34940863..5c816051392 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@
         <version.plugin.spotbugs>3.1.12</version.plugin.spotbugs>
         <version.plugin.surefire.provider.junit>1.0.3</version.plugin.surefire.provider.junit>
         <version.plugin.surefire>2.19.1</version.plugin.surefire>
-        <version.plugin.dependency-check>8.3.1</version.plugin.dependency-check>
+        <version.plugin.dependency-check>8.4.0</version.plugin.dependency-check>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>
         <version.plugin.buildnumber>1.4</version.plugin.buildnumber>