4.x: Ugprade dependency check plugin and clean up suppression file (#…

…9142) * Upgrade dependency check to 10.0.3 * Clean up dependency check suppression file
helidon-io · Aug 13, 2024 · ade9166 · ade9166
1 parent fd9425d
commit ade9166
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 88 deletions.
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -23,65 +23,6 @@
    <cve>CVE-2022-45868</cve>
 </suppress>
 
-<!-- okhttp is a transitive fourth party dependency of Jaeger client. This CVE is considered
-     by the okhttp team as not exploitable unless the class in question is used
-     directly by an application (highly unlikely). See https://github.com/square/okhttp/issues/6724
-     They have only fixed this in 4.9.3 and newer. We can't force upgrade due to a tangle of
-     dependencies, compatibility, and issues with dependency convergence.
--->
-<suppress>
-   <notes><![CDATA[
-   file name: okhttp-3.14.9.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/okhttp@.*$</packageUrl>
-   <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
-</suppress>
-
-<!-- False Positive. This CVE is against graphql-java, not the microprofile-graphql-api
--->
-<suppress>
-   <notes><![CDATA[
-   file name: microprofile-graphql-api-2.0.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.graphql/microprofile\-graphql\-api@.*$</packageUrl>
-   <cve>CVE-2022-37734</cve>
-</suppress>
-
-<!-- False Positive. This CVE is against graphql-java, not graphql-java-dataloader
-     See https://github.com/jeremylong/DependencyCheck/issues/5641
--->
-<suppress>
-   <notes><![CDATA[
-   file name: java-dataloader-3.1.0.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.graphql\-java/java\-dataloader@.*$</packageUrl>
-   <cve>CVE-2023-28867</cve>
-</suppress>
-
-<!-- False Postives. CVE CVE-2022-45129 is against Payara not jakarta.resource-api nor microprofile
- -->
-<suppress>
-   <notes><![CDATA[
-   file name: jakarta.resource-api-2.0.0.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/jakarta\.resource/jakarta\.resource\-api@.*$</packageUrl>
-   <cve>CVE-2022-45129</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: microprofile-config-api-3.0.1.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile\-config\-api@.*$</packageUrl>
-   <cve>CVE-2022-45129</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: microprofile-jwt-auth-api-2.0.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.jwt/microprofile\-jwt\-auth\-api@.*$</packageUrl>
-   <cve>CVE-2022-45129</cve>
-</suppress>
-
 <!-- False Positive. This CVE is against H2 1.x.
 -->
 <suppress>
@@ -92,17 +33,6 @@
    <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
 </suppress>
 
-<!-- This is a low priority CVE against a deprecated method in Guava. We don't use guava directly.
-     This CVE bounces in and out of being "fixed" in version 30 and later.
--->
-<suppress>
-   <notes><![CDATA[
-   file name: guava-31.1-jre.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-   <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
-</suppress>
-
 <!-- False Positive. This CVE is against the Maven plugins listed here:
      https://maven.apache.org/security.html
      Our dependency is on  maven-artifact-manager which is not in this list.
@@ -155,19 +85,6 @@
    <vulnerabilityName>CVE-2024-21138</vulnerabilityName>
 </suppress>
 
-<!--
-    This CVE is is concerning proper use of Netty's hostname verification. Helidon enables hostname
-    verification by default and therefore this CVE does not apply. Some more info on the CVE here:
-    https://github.com/jeremylong/DependencyCheck/issues/5912
--->
-<suppress>
-   <notes><![CDATA[
-   file name: netty-handler-4.1.94.Final.jar
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
-   <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-</suppress>
-
 <!--
     This is a FP. We have upgrade jgit to a fixed version, but it is still getting flagged.
     Probably due to the funky version string used by jgit. See
@@ -237,7 +154,8 @@
    <cve>CVE-2023-28360</cve>
 </suppress>
 
-<!-- False Positives. This was identifying Helidon's dbclient mongodb support artifact with MongoDB itself -->
+<!-- False Positives. This was identifying Helidon's dbclient mongodb support artifact with MongoDB itself
+-->
 <suppress>
    <notes><![CDATA[
    file name: io.helidon.dbclient:helidon-dbclient-mongodb:4.0.0-SNAPSHOT
@@ -246,9 +164,8 @@
    <cpe>cpe:/a:mongodb:mongodb</cpe>
 </suppress>
 
-
-
-<!-- False Positives. This was identifying Helidon's mysql support artifact with MySQL itself -->
+<!-- False Positives. This was identifying Helidon's mysql support artifact with MySQL itself
+ -->
 <suppress>
    <notes><![CDATA[
    file name: io.helidon.integrations.db:helidon-integrations-db-mysql:4.0.0-SNAPSHOT

diff --git a/pom.xml b/pom.xml
@@ -135,7 +135,7 @@
         <version.plugin.source>3.0.1</version.plugin.source>
         <version.plugin.spotbugs>4.7.3.5</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.12.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>10.0.2</version.plugin.dependency-check>
+        <version.plugin.dependency-check>10.0.3</version.plugin.dependency-check>
         <version.plugin.surefire>3.1.0</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>