From 7f51cf5fdc43cf9884ae6bb74972a6804ee34fe0 Mon Sep 17 00:00:00 2001
From: Tejaswini Bandlamudi <96047043+tejaswini-imply@users.noreply.github.com>
Date: Wed, 4 Oct 2023 11:59:01 +0530
Subject: [PATCH] Resolve reported CVEs (#15081)

---
 owasp-dependency-check-suppressions.xml | 10 ++++++++++
 pom.xml                                 |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 2813623f7a70..e33231ea9ee3 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -758,6 +758,7 @@
     https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
     <cve>CVE-2023-1370</cve>
     <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
+    <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
   </suppress>
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
@@ -801,4 +802,13 @@
     <cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 -->
     <cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 -->
   </suppress>
+
+  <!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
+  <suppress base="true">
+    <notes><![CDATA[
+   FP per issue #5973
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
+    <cve>CVE-2022-4244</cve>
+  </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index fcd4cca3003f..6be27033ff92 100644
--- a/pom.xml
+++ b/pom.xml
@@ -810,7 +810,7 @@
             <dependency>
                 <groupId>org.xerial.snappy</groupId>
                 <artifactId>snappy-java</artifactId>
-                <version>1.1.10.3</version>
+                <version>1.1.10.4</version>
             </dependency>
             <dependency>
                 <groupId>com.google.protobuf</groupId>