From d9bb57fc6c4d5fb90593da5d4bf33a0fd31cd4ae Mon Sep 17 00:00:00 2001
From: Joe Di Pol <joe.dipol@oracle.com>
Date: Tue, 12 Sep 2023 08:45:31 -0700
Subject: [PATCH] Upgrade dependency-check-maven plugin and add suppression

---
 etc/dependency-check-suppression.xml | 13 +++++++++++++
 pom.xml                              |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
index dfc3a8c25b9..8597fd61bbd 100644
--- a/etc/dependency-check-suppression.xml
+++ b/etc/dependency-check-suppression.xml
@@ -108,4 +108,17 @@
    <cve>CVE-2023-35116</cve>
 </suppress>
 
+<!--
+    This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname
+    verification by default and therefore this CVE does not apply. Some more info on the CVE here:
+    https://github.com/jeremylong/DependencyCheck/issues/5912
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: netty-handler-4.1.94.Final.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
+   <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+</suppress>
+
 </suppressions>
diff --git a/pom.xml b/pom.xml
index fce203a36fd..b345cdfbb14 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,7 +118,7 @@
         <version.plugin.source>3.0.1</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>8.3.1</version.plugin.dependency-check>
+        <version.plugin.dependency-check>8.4.0</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0-M5</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>