From 961b25d82f6c7704b884f86fdf020e5c4c637340 Mon Sep 17 00:00:00 2001
From: Lari Hotari <lhotari@apache.org>
Date: Fri, 29 Sep 2023 20:11:20 +0300
Subject: [PATCH] [fix][sec] Add OWASP Dependency Check suppressions

- add 2 suppressions.
  - CVE-2023-37475 is a false positive
  - CVE-2023-4586 is about Netty hostname verification and that is already covered in Pulsar code base with https://github.com/apache/pulsar/pull/15824 changes.
---
 src/owasp-dependency-check-suppressions.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index d5ddc28e884cb..b5bb58c3d0eaf 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -457,4 +457,16 @@
        ]]></notes>
         <cve>CVE-2023-35116</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   This is a false positive in avro-protobuf. The vulnerability is in Hamba avro golang library.
+   ]]></notes>
+        <cve>CVE-2023-37475</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    This CVE can be suppressed since it is covered in Pulsar by hostname verification changes made in https://github.com/apache/pulsar/pull/15824.
+   ]]></notes>
+        <cve>CVE-2023-4586</cve>
+    </suppress>
 </suppressions>