From 5840e2df6bf88f8a5996691e1513d4d6890e2579 Mon Sep 17 00:00:00 2001
From: Laksh Singla <lakshsingla@gmail.com>
Date: Mon, 23 Oct 2023 15:08:00 +0530
Subject: [PATCH 1/3] suppress CVEs

---
 distribution/bin/check-licenses.py      |  2 ++
 owasp-dependency-check-suppressions.xml | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/distribution/bin/check-licenses.py b/distribution/bin/check-licenses.py
index ae07e5a03733..b069d9545b36 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -266,6 +266,8 @@ def build_compatible_license_names():
     compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License v1.0'] = 'Eclipse Public License 1.0'
+    compatible_licenses['Eclipse Public License - v1.0'] = 'Eclipse Public License 1.0'
+    compatible_licenses['Eclipse Public License - v 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['EPL 1.0'] = 'Eclipse Public License 1.0'
 
     compatible_licenses['Eclipse Public License 2.0'] = 'Eclipse Public License 2.0'
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index e33231ea9ee3..f23eaec18ec5 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -759,6 +759,7 @@
     <cve>CVE-2023-1370</cve>
     <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
     <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
+    <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
   </suppress>
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
@@ -766,6 +767,7 @@
      file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/jquery.datatables@1.10.18)
      ]]></notes>
     <vulnerabilityName>prototype pollution</vulnerabilityName>
+    <cve>CVE-2020-28458</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
@@ -811,4 +813,25 @@
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
     <cve>CVE-2022-4244</cve>
   </suppress>
+
+  <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java - https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+  <suppress base="true">
+    <notes><![CDATA[
+   FP per issue #5991
+   ]]></notes>
+    <cve>CVE-2023-5072</cve>
+  </suppress>
+
+  <!--
+    ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
+    ~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
+    ~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
+    ~ older ZK library is still compatible with.
+    -->
+  <suppress>
+    <notes><![CDATA[
+      file name: zookeeper-3.5.10.jar
+    ]]></notes>
+    <cve>CVE-2023-44981</cve>
+  </suppress>
 </suppressions>

From 0693de0f2ef629b4fe9f930466c6cf078b77d540 Mon Sep 17 00:00:00 2001
From: Laksh Singla <lakshsingla@gmail.com>
Date: Thu, 26 Oct 2023 13:47:08 +0530
Subject: [PATCH 2/3] comments

---
 owasp-dependency-check-suppressions.xml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index f23eaec18ec5..a5d556901a54 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -807,18 +807,13 @@
 
   <!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
   <suppress base="true">
-    <notes><![CDATA[
-   FP per issue #5973
-   ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
     <cve>CVE-2022-4244</cve>
   </suppress>
 
-  <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java - https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+  <!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its
+    ~ transitive dependency use json-java which contains the vulnerability-->
   <suppress base="true">
-    <notes><![CDATA[
-   FP per issue #5991
-   ]]></notes>
     <cve>CVE-2023-5072</cve>
   </suppress>
 

From f5958a9ad7ada2f631b4bff9610da97b241bfe85 Mon Sep 17 00:00:00 2001
From: Laksh Singla <lakshsingla@gmail.com>
Date: Thu, 26 Oct 2023 23:05:55 +0530
Subject: [PATCH 3/3] suppress netty CVE

---
 owasp-dependency-check-suppressions.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index a5d556901a54..ab6e6176994f 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -829,4 +829,14 @@
     ]]></notes>
     <cve>CVE-2023-44981</cve>
   </suppress>
+
+  <!--
+   ~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
+   ~ however Druid enables it in ChannelResourceFactory therefore this is a false positive-->
+  <suppress>
+    <notes><![CDATA[
+      file name: netty-transport-4.1.100.Final.jar
+    ]]></notes>
+    <cve>CVE-2023-4586</cve>
+  </suppress>
 </suppressions>