From 71d0344aef53a6669c456671447be93a3c5b9d0f Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 12:49:56 +0000
Subject: [PATCH 01/29] [WFLY-18073] Add the OWASP Dependency Check Plugin

---
 pom.xml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 98996b7b0e81..bb6f2bb2cee4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1354,7 +1354,21 @@
                     </execution>
                 </executions>
             </plugin>
-
+            <plugin>
+              <groupId>org.owasp</groupId>
+              <artifactId>dependency-check-maven</artifactId>
+              <version>9.0.9</version>
+              <configuration>
+                  <nvdApiServerId>nvd</nvdApiServerId>
+              </configuration>
+              <executions>
+                  <execution>
+                      <goals>
+                          <goal>aggregate</goal>
+                      </goals>
+                  </execution>
+              </executions>
+            </plugin>
         </plugins>
     </build>
 

From 1d8884e02063ef44c1ba821dbb8d78c5782f9fb1 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 14:52:10 +0000
Subject: [PATCH 02/29] [WFLY-18073] Add a supression file and start by
 excluding ApacheDS as only used for tests.

---
 pom.xml                             |  1 +
 sca-overrides/owasp-supressions.xml | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 sca-overrides/owasp-supressions.xml

diff --git a/pom.xml b/pom.xml
index bb6f2bb2cee4..96620c7687a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1360,6 +1360,7 @@
               <version>9.0.9</version>
               <configuration>
                   <nvdApiServerId>nvd</nvdApiServerId>
+                  <suppressionFile>./sca-overrides/owasp-supressions.xml</suppressionFile>
               </configuration>
               <executions>
                   <execution>
diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
new file mode 100644
index 000000000000..ca1f750d8662
--- /dev/null
+++ b/sca-overrides/owasp-supressions.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <!-- CVE Expressions -->
+
+   <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->
+
+   <!-- If we specify an until in 12 months time, it will give us an opportunity to check again,
+        also if it no longer triggers after this date we can remove the supression. -->
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: apacheds-interceptors-admin-2.0.0.AM26.jar
+      ]]></notes>
+      <!-- The regex was adjusted to match all apacheds artefacts, in most other cases we would use the rule as-proposed. -->
+      <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
+      <cve>CVE-2010-1151</cve>
+   </suppress>
+</suppressions>

From d3dbd10cbf088e6294b105016179904184db9f3a Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 15:14:19 +0000
Subject: [PATCH 03/29] [WFLY-18073] Add CPE supressions for the Artemis
 integration artefact.

---
 sca-overrides/owasp-supressions.xml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index ca1f750d8662..1f44d533db3d 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -1,5 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <!-- CPE Supressions -->
+   <!-- Sometimes the mapping from GAV to CPE creates a bad match, this section supresses those matches. -->
+   <suppress>
+      <notes><![CDATA[
+      file name: artemis-wildfly-integration-2.0.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:integration</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: artemis-wildfly-integration-2.0.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: artemis-wildfly-integration-2.0.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
+      <cpe>cpe:/a:wildfly:wildfly</cpe>
+   </suppress>
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From 56195a10d83c5673445c2f9abb23a3a7ae77a4b1 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 16:21:58 +0000
Subject: [PATCH 04/29] [WFLY-18073] Supress the expressly to glassfish CPE
 mapping.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 1f44d533db3d..31b87458a5c5 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -23,6 +23,13 @@
       <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
       <cpe>cpe:/a:wildfly:wildfly</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: expressly-5.0.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish\.expressly/expressly@.*$</packageUrl>
+      <cpe>cpe:/a:eclipse:glassfish</cpe>
+   </suppress>   
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From e91589f122c2c8372767fb5d8f6916213e93c7d8 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 16:32:06 +0000
Subject: [PATCH 05/29] [WFLY-18073] Supress CVE-2023-44487 against grpc-api as
 it applies to grpc-go

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 31b87458a5c5..27558bba0c5f 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -44,4 +44,11 @@
       <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
       <cve>CVE-2010-1151</cve>
    </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: grpc-api-1.58.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-api@.*$</packageUrl>
+      <cve>CVE-2023-44487</cve> <!-- This CVE specifically affects grpc-go not grpc-api -->
+   </suppress>   
 </suppressions>

From 98721feee9fb175905534cf3e7500c60a346c6b1 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 16:38:57 +0000
Subject: [PATCH 06/29] [WDLY-18073] Supress CVE-2018-14335 as rejected by
 h2database.

---
 sca-overrides/owasp-supressions.xml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 27558bba0c5f..de881683d844 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -50,5 +50,13 @@
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-api@.*$</packageUrl>
       <cve>CVE-2023-44487</cve> <!-- This CVE specifically affects grpc-go not grpc-api -->
-   </suppress>   
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: h2-2.2.224.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+      <!-- Disputed by h2database https://github.com/h2database/h2database/issues/1294 -->
+      <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+   </suppress>
 </suppressions>

From 56884378b747386837b887925f520a0c0e6050e5 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 16:50:30 +0000
Subject: [PATCH 07/29] [WFLY-18073] Supress CVE-2023-35116 as FasterXML
 dispute that this is a vulnerability.

---
 sca-overrides/owasp-supressions.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index de881683d844..8a9ec9332fd7 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -59,4 +59,12 @@
       <!-- Disputed by h2database https://github.com/h2database/h2database/issues/1294 -->
       <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
    </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jackson-databind-2.15.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+      <!-- Disputed by FasterXML that this is a vulnerability https://github.com/FasterXML/jackson-databind/issues/3972 -->
+      <cve>CVE-2023-35116</cve>
+   </suppress>
 </suppressions>

From de46a49caa31345a9620ab5b836ef48b2cd9ab25 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 16:57:41 +0000
Subject: [PATCH 08/29] [WFLY-18073] This module is the Elytron security
 integration with RestEasy so don't associate with the RestEasy CPE.

---
 sca-overrides/owasp-supressions.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 8a9ec9332fd7..277eefcc2ee0 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -29,7 +29,14 @@
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/org\.glassfish\.expressly/expressly@.*$</packageUrl>
       <cpe>cpe:/a:eclipse:glassfish</cpe>
-   </suppress>   
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jakarta-client-resteasy-3.0.3.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.jakarta/jakarta\-client\-resteasy@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:resteasy</cpe>
+   </suppress>
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From 9f090a5905eee316d6a7b96e2fec1c87b665cf1e Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 17:54:45 +0000
Subject: [PATCH 09/29] [WFLY-18073] Supressing CVE-2020-1732, we have
 compensated for this by associating the CallbackHandler with a ThreadLocal.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 277eefcc2ee0..af998a37a11c 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -74,4 +74,11 @@
       <!-- Disputed by FasterXML that this is a vulnerability https://github.com/FasterXML/jackson-databind/issues/3972 -->
       <cve>CVE-2023-35116</cve>
    </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jakarta.security.enterprise-3.0.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl>
+      <vulnerabilityName>CVE-2020-1732</vulnerabilityName>
+   </suppress>
 </suppressions>

From 3dd1d5328dc591c380d1b0aec60e1e6174b6aac7 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 17:58:55 +0000
Subject: [PATCH 10/29] [WFLY-18073] The EJB client is different to the IIOP
 client.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index af998a37a11c..02c397f4148f 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -37,6 +37,13 @@
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.jakarta/jakarta\-client\-resteasy@.*$</packageUrl>
       <cpe>cpe:/a:redhat:resteasy</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jboss-iiop-client-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss/jboss\-iiop\-client@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:jboss-ejb-client</cpe>
+   </suppress>
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From f7553604da533c9fa90edbe84be05cf53bdbc40d Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 9 Feb 2024 18:04:51 +0000
Subject: [PATCH 11/29] [WFLY-18073] Supress CVE-2016-2141 when reported
 against jgroups-aws as this applies to the top level jgroups project.

This is not a CPE supression as CVEs raised against this artefact could
use a similar CPE.
---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 02c397f4148f..921799827274 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -88,4 +88,11 @@
       <packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl>
       <vulnerabilityName>CVE-2020-1732</vulnerabilityName>
    </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jgroups-aws-3.0.0.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jgroups\.aws/jgroups\-aws@.*$</packageUrl>
+      <cve>CVE-2016-2141</cve>
+   </suppress>
 </suppressions>

From 241d14bde41a5024196437a37dc316a624446eba Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Wed, 14 Feb 2024 11:53:21 +0000
Subject: [PATCH 12/29] [WFLY-18073] Remove supression rule with no matches.

---
 sca-overrides/owasp-supressions.xml | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 921799827274..9b609694e548 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -2,27 +2,6 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- CPE Supressions -->
    <!-- Sometimes the mapping from GAV to CPE creates a bad match, this section supresses those matches. -->
-   <suppress>
-      <notes><![CDATA[
-      file name: artemis-wildfly-integration-2.0.2.Final.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
-      <cpe>cpe:/a:redhat:integration</cpe>
-   </suppress>
-   <suppress>
-      <notes><![CDATA[
-      file name: artemis-wildfly-integration-2.0.2.Final.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
-      <cpe>cpe:/a:redhat:wildfly</cpe>
-   </suppress>
-   <suppress>
-      <notes><![CDATA[
-      file name: artemis-wildfly-integration-2.0.2.Final.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.jboss\.activemq\.artemis\.integration/artemis\-wildfly\-integration@.*$</packageUrl>
-      <cpe>cpe:/a:wildfly:wildfly</cpe>
-   </suppress>
    <suppress>
       <notes><![CDATA[
       file name: expressly-5.0.0.jar

From eaf8d1b3cf9b111fa26515f39b21f345924c01c7 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Wed, 14 Feb 2024 12:00:02 +0000
Subject: [PATCH 13/29] [WFLY-18073] Supress CVE-2021-41973 for mina-core as
 this comes in via ApacheDS for testing.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 9b609694e548..a0ca10833a49 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -37,6 +37,13 @@
       <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
       <cve>CVE-2010-1151</cve>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: mina-core-2.1.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
+      <cve>CVE-2021-41973</cve>
+   </suppress>
    <suppress until="2025-02-09">
       <notes><![CDATA[
       file name: grpc-api-1.58.0.jar

From dfa23f13f08ba08fdeedfc95b93ee0b3aa8029b6 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Wed, 14 Feb 2024 12:11:49 +0000
Subject: [PATCH 14/29] [WFLY-18073] mvc-krazo is a separate project.

---
 sca-overrides/owasp-supressions.xml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index a0ca10833a49..75b80c25cb99 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -23,6 +23,20 @@
       <packageUrl regex="true">^pkg:maven/org\.jboss/jboss\-iiop\-client@.*$</packageUrl>
       <cpe>cpe:/a:redhat:jboss-ejb-client</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: mvc-krazo-subsystem-0.8.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-subsystem@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: mvc-krazo-galleon-shared-0.8.2.Final.pom
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-galleon\-shared@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>   
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->
@@ -37,7 +51,7 @@
       <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
       <cve>CVE-2010-1151</cve>
    </suppress>
-   <suppress>
+   <suppress until="2025-02-14">
       <notes><![CDATA[
       file name: mina-core-2.1.3.jar
       ]]></notes>

From 1b7eb4a506640744ef67c198b2df69a41623aeaf Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Wed, 14 Feb 2024 12:57:52 +0000
Subject: [PATCH 15/29] [WFLY-18073] The transformer-api is maintained in a
 separate project to WildFly.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 75b80c25cb99..616956aca0ea 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -36,6 +36,13 @@
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-galleon\-shared@.*$</packageUrl>
       <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: transformer-7.0.0.Beta2.jar (shaded: org.wildfly.extras.batavia:transformer-api:1.0.12.Final)
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.extras\.batavia/transformer\-api@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
    </suppress>   
    <!-- CVE Expressions -->
 

From 375cdb49ee5fb78e940b022d7ab5746bff39adb0 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 11:19:41 +0000
Subject: [PATCH 16/29] [WFLY-18073] Supress CVE-2024-25710 and CVE-2024-26308
 as commons-compress is a test dependency via testcontainer.

---
 sca-overrides/owasp-supressions.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 616956aca0ea..e8a1e8025cd9 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -102,4 +102,13 @@
       <packageUrl regex="true">^pkg:maven/org\.jgroups\.aws/jgroups\-aws@.*$</packageUrl>
       <cve>CVE-2016-2141</cve>
    </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: commons-compress-1.24.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
+      <cve>CVE-2024-25710</cve>
+      <cve>CVE-2024-26308</cve>
+   </suppress>
+
 </suppressions>

From 6387d4d349896962082c0fc169c35526ea04fa4f Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 11:27:45 +0000
Subject: [PATCH 17/29] [WFLY-18073] Supress the OTel CVEs as these are against
 other components such as Python and Go.

---
 sca-overrides/owasp-supressions.xml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index e8a1e8025cd9..e7df4334d5b5 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -110,5 +110,13 @@
       <cve>CVE-2024-25710</cve>
       <cve>CVE-2024-26308</cve>
    </suppress>
-
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: opentelemetry-proto-0.20.0-alpha.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.proto/opentelemetry\-proto@.*$</packageUrl>
+      <cve>CVE-2023-43810</cve> <!-- CVE within the Python library. -->
+      <cve>CVE-2023-45142</cve> <!-- CVE within the Go library. -->
+      <cve>CVE-2023-47108</cve> <!-- CVE within the Go library. -->
+   </suppress>
 </suppressions>

From cc31ca98149e6e0b398a63cebfc64fb4fd9eeb90 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 13:53:44 +0000
Subject: [PATCH 18/29] [WFLY-18073] Supress CPE
 cpe:2.3:a:linux_audit_project:linux_audit:2.3.1:*:*:*:*:*:*:*  as this is a
 bad match for Elytron.

---
 sca-overrides/owasp-supressions.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index e7df4334d5b5..08a8d06d7b7c 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -43,7 +43,14 @@
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.extras\.batavia/transformer\-api@.*$</packageUrl>
       <cpe>cpe:/a:redhat:wildfly</cpe>
-   </suppress>   
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-elytron-audit-2.3.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.security/wildfly\-elytron\-audit@.*$</packageUrl>
+      <cpe>cpe:/a:linux_audit_project:linux_audit</cpe>
+   </suppress>
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From f33627ef20ff91fa54e717c0e9a9050afee2b66a Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 15:23:37 +0000
Subject: [PATCH 19/29] [WFLY-18073] Set of Rest Easy supressions that relate
 to RestEasy iteself not these separate projects.

---
 sca-overrides/owasp-supressions.xml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 08a8d06d7b7c..cd4a23dc7ca3 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -126,4 +126,30 @@
       <cve>CVE-2023-45142</cve> <!-- CVE within the Go library. -->
       <cve>CVE-2023-47108</cve> <!-- CVE within the Go library. -->
    </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.0.4.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2014-3490</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-1695</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: resteasy-tracing-api-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
+      <cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2011-5245</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2012-0818</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+   </suppress>
 </suppressions>

From dcfd1f2befc99b14da6a086612b5f0a96ac1dc5e Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 15:24:43 +0000
Subject: [PATCH 20/29] [WFLY-18073] Supress CVE-2016-6311 for Undertow as
 WildFly contains it's own fix.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index cd4a23dc7ca3..fbf4628a2fd6 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -152,4 +152,11 @@
       <cve>CVE-2011-5245</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
       <cve>CVE-2012-0818</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
    </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: undertow-core-2.3.12.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
+      <vulnerabilityName>CVE-2016-6311</vulnerabilityName>
+   </suppress>
 </suppressions>

From a94fc5f4dbd722d6278ec6c6edf09ba93646315e Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 15:48:48 +0000
Subject: [PATCH 21/29] [WFLY-18073] Exclude all WildFly Core components mapped
 to redhat:wildfly CPE.

---
 sca-overrides/owasp-supressions.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index fbf4628a2fd6..080e58b3a27f 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -51,6 +51,14 @@
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.security/wildfly\-elytron\-audit@.*$</packageUrl>
       <cpe>cpe:/a:linux_audit_project:linux_audit</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      Match all components from WildFly Core, these should use CPE redhat:wildfly-core
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-.*@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+
    <!-- CVE Expressions -->
 
    <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

From ebf324679f1160fffd066824cba832c4e1e17347 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 15:53:47 +0000
Subject: [PATCH 22/29] [WFLY-18073] wildfly-plugins-core is not WildFly and
 not WildFly Core so add supressions.

---
 sca-overrides/owasp-supressions.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 080e58b3a27f..da5454d5634e 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -58,6 +58,14 @@
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-.*@.*$</packageUrl>
       <cpe>cpe:/a:redhat:wildfly</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-plugin-core-4.1.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.plugins/wildfly\-plugin\-core@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+      <cpe>cpe:/a:redhat:wildfly_core</cpe>
+   </suppress>
 
    <!-- CVE Expressions -->
 

From ea06db87497538c2153bbd254683f57e96b46da7 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 16:00:18 +0000
Subject: [PATCH 23/29] [WFLY-18073] The Galleon Plugins transformer artifact
 should not match cpe redhat:wildfly.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index da5454d5634e..75bca5d44a52 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -66,6 +66,13 @@
       <cpe>cpe:/a:redhat:wildfly</cpe>
       <cpe>cpe:/a:redhat:wildfly_core</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: transformer-7.0.0.Beta2.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/transformer@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
 
    <!-- CVE Expressions -->
 

From 63c966fdfa86df11812f1fc73ea50d636fab0ec6 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 16:17:14 +0000
Subject: [PATCH 24/29] [WFLY-18073] Avoid deployment transformer getting
 mapped to redhat:wildfly CPE.

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 75bca5d44a52..2fe8a63f3207 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -73,6 +73,13 @@
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/transformer@.*$</packageUrl>
       <cpe>cpe:/a:redhat:wildfly</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-ee-9-deployment-transformer-1.0.0.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.deployment/wildfly\-ee\-9\-deployment\-transformer@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
 
    <!-- CVE Expressions -->
 

From cedb66ab7cce7786d46ffd66a81106129cbb7080 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 16:20:40 +0000
Subject: [PATCH 25/29] [WFLY-18073] Avoid wildfly-galleon-plugins mapping to
 redhat:wildfly CPE

---
 sca-overrides/owasp-supressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-supressions.xml
index 2fe8a63f3207..14290fbfe059 100644
--- a/sca-overrides/owasp-supressions.xml
+++ b/sca-overrides/owasp-supressions.xml
@@ -80,6 +80,13 @@
       <packageUrl regex="true">^pkg:maven/org\.wildfly\.deployment/wildfly\-ee\-9\-deployment\-transformer@.*$</packageUrl>
       <cpe>cpe:/a:redhat:wildfly</cpe>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-galleon-plugins-7.0.0.Beta2.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/wildfly\-galleon\-plugins@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
 
    <!-- CVE Expressions -->
 

From e203bef86c15dfe60b853419d75977d2953333b5 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 16:59:55 +0000
Subject: [PATCH 26/29] [WFLY-18073] Move the dependency-check plugin into it's
 own profile.

---
 pom.xml | 45 +++++++++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/pom.xml b/pom.xml
index 5e54ebab4085..e518d3013df1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1355,22 +1355,6 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-              <groupId>org.owasp</groupId>
-              <artifactId>dependency-check-maven</artifactId>
-              <version>9.0.9</version>
-              <configuration>
-                  <nvdApiServerId>nvd</nvdApiServerId>
-                  <suppressionFile>./sca-overrides/owasp-supressions.xml</suppressionFile>
-              </configuration>
-              <executions>
-                  <execution>
-                      <goals>
-                          <goal>aggregate</goal>
-                      </goals>
-                  </execution>
-              </executions>
-            </plugin>
         </plugins>
     </build>
 
@@ -1419,6 +1403,35 @@
             </modules>
         </profile>
 
+        <profile>
+            <id>dependency-check</id>
+            <activation>
+                <property>
+                    <name>dependency-check</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                      <groupId>org.owasp</groupId>
+                      <artifactId>dependency-check-maven</artifactId>
+                      <version>9.0.9</version>
+                      <configuration>
+                          <nvdApiServerId>nvd</nvdApiServerId>
+                          <suppressionFile>./sca-overrides/owasp-supressions.xml</suppressionFile>
+                      </configuration>
+                      <executions>
+                          <execution>
+                              <goals>
+                                  <goal>aggregate</goal>
+                              </goals>
+                          </execution>
+                      </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
         <!--
           Name: jpda
           Descr: Enable JPDA remote debuging

From 7b3d618eee8bbd2cd61528dc74b7f0b7c9d0afc1 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 17:15:09 +0000
Subject: [PATCH 27/29] [WFLY-18073] Correct the name of the suppression file.

---
 pom.xml                                                         | 2 +-
 sca-overrides/{owasp-supressions.xml => owasp-suppressions.xml} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename sca-overrides/{owasp-supressions.xml => owasp-suppressions.xml} (100%)

diff --git a/pom.xml b/pom.xml
index e518d3013df1..2dec53c57f92 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1418,7 +1418,7 @@
                       <version>9.0.9</version>
                       <configuration>
                           <nvdApiServerId>nvd</nvdApiServerId>
-                          <suppressionFile>./sca-overrides/owasp-supressions.xml</suppressionFile>
+                          <suppressionFile>./sca-overrides/owasp-suppressions.xml</suppressionFile>
                       </configuration>
                       <executions>
                           <execution>
diff --git a/sca-overrides/owasp-supressions.xml b/sca-overrides/owasp-suppressions.xml
similarity index 100%
rename from sca-overrides/owasp-supressions.xml
rename to sca-overrides/owasp-suppressions.xml

From 7d85cd589e9b576abeda3a893c1d1479688a331c Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 8 Mar 2024 17:23:29 +0000
Subject: [PATCH 28/29] [WFLY-18073] Ignore CVE-2021-20293 for two reasons:  1.
 It is not matched against the correct components.  2. It was decided this is
 not a CVE and is the user's responsibility.

---
 sca-overrides/owasp-suppressions.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sca-overrides/owasp-suppressions.xml b/sca-overrides/owasp-suppressions.xml
index 14290fbfe059..3339e52d141a 100644
--- a/sca-overrides/owasp-suppressions.xml
+++ b/sca-overrides/owasp-suppressions.xml
@@ -196,4 +196,18 @@
       <packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
       <vulnerabilityName>CVE-2016-6311</vulnerabilityName>
    </suppress>
+   <suppress until="2025-03-08">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.0.4.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2021-20293</cve>
+   </suppress>
+   <suppress until="2025-03-08">
+      <notes><![CDATA[
+      file name: resteasy-tracing-api-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
+      <cve>CVE-2021-20293</cve>
+   </suppress>
 </suppressions>

From 529d77d85d5d012b1f6c938cc81ae35d63b007a6 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 15 Mar 2024 15:44:39 +0000
Subject: [PATCH 29/29] [WFLY-18073] This CVE should not be matching against
 resteasy-spring, the affected functionality has also been removed from
 RestEasy already.

---
 sca-overrides/owasp-suppressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sca-overrides/owasp-suppressions.xml b/sca-overrides/owasp-suppressions.xml
index 3339e52d141a..ad151dc21519 100644
--- a/sca-overrides/owasp-suppressions.xml
+++ b/sca-overrides/owasp-suppressions.xml
@@ -210,4 +210,11 @@
       <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
       <cve>CVE-2021-20293</cve>
    </suppress>
+   <suppress until="2025-03-15">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.1.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2018-1051</cve>
+   </suppress>   
 </suppressions>