Upgrade dependency-check-maven plugin and add suppression

helidon-io · Sep 12, 2023 · a7332e3 · a7332e3
1 parent 7a7ac64
commit a7332e3
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -122,5 +122,18 @@
    <cve>CVE-2023-35116</cve>
 </suppress>
 
+<!--
+    This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname
+    verification by default and therefore this CVE does not apply. Some more info on the CVE here:
+    https://github.com/jeremylong/DependencyCheck/issues/5912
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: netty-handler-4.1.94.Final.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
+   <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+</suppress>
+
 
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -120,7 +120,7 @@
         <version.plugin.source>3.3.0</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>8.3.1</version.plugin.dependency-check>
+        <version.plugin.dependency-check>8.4.0</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>