Suppress CVE's in master

distribution/bin/check-licenses.py

@@ -266,6 +266,8 @@ def build_compatible_license_names():
     compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License v1.0'] = 'Eclipse Public License 1.0'
+    compatible_licenses['Eclipse Public License - v1.0'] = 'Eclipse Public License 1.0'
+    compatible_licenses['Eclipse Public License - v 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['EPL 1.0'] = 'Eclipse Public License 1.0'
 
     compatible_licenses['Eclipse Public License 2.0'] = 'Eclipse Public License 2.0'

owasp-dependency-check-suppressions.xml

@@ -759,13 +759,15 @@
     <cve>CVE-2023-1370</cve>
     <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
     <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
+    <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
   </suppress>
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
     <notes><![CDATA[
      file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js (pkg:javascript/[email protected])
      ]]></notes>
     <vulnerabilityName>prototype pollution</vulnerabilityName>
+    <cve>CVE-2020-28458</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[
@@ -811,4 +813,25 @@
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
     <cve>CVE-2022-4244</cve>
   </suppress>
+
+  <!-- CVE-2023-5072 has a too broad CPE that flags all versions of json-java - https://github.com/jeremylong/DependencyCheck/issues/5991 -->
+  <suppress base="true">
+    <notes><![CDATA[
+   FP per issue #5991
+   ]]></notes>
+    <cve>CVE-2023-5072</cve>
+  </suppress>
+
+  <!--
+    ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
+    ~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
+    ~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
+    ~ older ZK library is still compatible with.
+    -->
+  <suppress>
+    <notes><![CDATA[
+      file name: zookeeper-3.5.10.jar
+    ]]></notes>
+    <cve>CVE-2023-44981</cve>
+  </suppress>
 </suppressions>