From cdac7abb37b9c5bcf5a61b0e9a122bdcb8eba7a0 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Mon, 4 Mar 2024 17:32:04 +0000
Subject: [PATCH 1/3] [WFLY-18073] Add dependency-check to 31.x

---
 pom.xml                              |  28 ++++
 sca-overrides/owasp-suppressions.xml | 200 +++++++++++++++++++++++++++
 2 files changed, 228 insertions(+)
 create mode 100644 sca-overrides/owasp-suppressions.xml

diff --git a/pom.xml b/pom.xml
index f780879e47a7..78008358f6a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1402,6 +1402,34 @@
                 <module>docs</module>
             </modules>
         </profile>
+        <profile>
+            <id>dependency-check</id>
+            <activation>
+                <property>
+                    <name>dependency-check</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                      <groupId>org.owasp</groupId>
+                      <artifactId>dependency-check-maven</artifactId>
+                      <version>9.0.9</version>
+                      <configuration>
+                          <nvdApiServerId>nvd</nvdApiServerId>
+                          <suppressionFile>./sca-overrides/owasp-suppressions.xml</suppressionFile>
+                      </configuration>
+                      <executions>
+                          <execution>
+                              <goals>
+                                  <goal>aggregate</goal>
+                              </goals>
+                          </execution>
+                      </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
 
         <!--
           Name: jpda
diff --git a/sca-overrides/owasp-suppressions.xml b/sca-overrides/owasp-suppressions.xml
new file mode 100644
index 000000000000..7731ff4ecd8b
--- /dev/null
+++ b/sca-overrides/owasp-suppressions.xml
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <!-- CPE Supressions -->
+   <!-- Sometimes the mapping from GAV to CPE creates a bad match, this section supresses those matches. -->
+   <suppress>
+      <notes><![CDATA[
+      file name: expressly-5.0.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish\.expressly/expressly@.*$</packageUrl>
+      <cpe>cpe:/a:eclipse:glassfish</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jakarta-client-resteasy-3.0.3.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.jakarta/jakarta\-client\-resteasy@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:resteasy</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jboss-iiop-client-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss/jboss\-iiop\-client@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:jboss-ejb-client</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: mvc-krazo-subsystem-0.8.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-subsystem@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: mvc-krazo-galleon-shared-0.8.2.Final.pom
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-galleon\-shared@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: transformer-7.0.0.Beta2.jar (shaded: org.wildfly.extras.batavia:transformer-api:1.0.12.Final)
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.extras\.batavia/transformer\-api@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-elytron-audit-2.3.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.security/wildfly\-elytron\-audit@.*$</packageUrl>
+      <cpe>cpe:/a:linux_audit_project:linux_audit</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      Match all components from WildFly Core, these should use CPE redhat:wildfly-core
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-.*@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-plugin-core-4.1.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.plugins/wildfly\-plugin\-core@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+      <cpe>cpe:/a:redhat:wildfly_core</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: transformer-7.0.0.Beta2.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/transformer@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-ee-9-deployment-transformer-1.0.0.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.deployment/wildfly\-ee\-9\-deployment\-transformer@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: wildfly-galleon-plugins-7.0.0.Beta2.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/wildfly\-galleon\-plugins@.*$</packageUrl>
+      <cpe>cpe:/a:redhat:wildfly</cpe>
+   </suppress>
+
+   <!-- CVE Expressions -->
+
+   <!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->
+
+   <!-- If we specify an until in 12 months time, it will give us an opportunity to check again,
+        also if it no longer triggers after this date we can remove the supression. -->
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: apacheds-interceptors-admin-2.0.0.AM26.jar
+      ]]></notes>
+      <!-- The regex was adjusted to match all apacheds artefacts, in most other cases we would use the rule as-proposed. -->
+      <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
+      <cve>CVE-2010-1151</cve>
+   </suppress>
+   <suppress until="2025-02-14">
+      <notes><![CDATA[
+      file name: mina-core-2.1.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
+      <cve>CVE-2021-41973</cve>
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: grpc-api-1.58.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-api@.*$</packageUrl>
+      <cve>CVE-2023-44487</cve> <!-- This CVE specifically affects grpc-go not grpc-api -->
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: h2-2.2.224.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+      <!-- Disputed by h2database https://github.com/h2database/h2database/issues/1294 -->
+      <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jackson-databind-2.15.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+      <!-- Disputed by FasterXML that this is a vulnerability https://github.com/FasterXML/jackson-databind/issues/3972 -->
+      <cve>CVE-2023-35116</cve>
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jakarta.security.enterprise-3.0.3.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl>
+      <vulnerabilityName>CVE-2020-1732</vulnerabilityName>
+   </suppress>
+   <suppress until="2025-02-09">
+      <notes><![CDATA[
+      file name: jgroups-aws-3.0.0.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jgroups\.aws/jgroups\-aws@.*$</packageUrl>
+      <cve>CVE-2016-2141</cve>
+   </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: commons-compress-1.24.0.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
+      <cve>CVE-2024-25710</cve>
+      <cve>CVE-2024-26308</cve>
+      <cve>CVE-2023-42503</cve>
+   </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: opentelemetry-proto-0.20.0-alpha.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.proto/opentelemetry\-proto@.*$</packageUrl>
+      <cve>CVE-2023-43810</cve> <!-- CVE within the Python library. -->
+      <cve>CVE-2023-45142</cve> <!-- CVE within the Go library. -->
+      <cve>CVE-2023-47108</cve> <!-- CVE within the Go library. -->
+   </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.0.4.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2014-3490</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-1695</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+      <cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: resteasy-tracing-api-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
+      <cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2011-5245</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+      <cve>CVE-2012-0818</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
+   </suppress>
+   <suppress until="2025-03-04">
+      <notes><![CDATA[
+      file name: undertow-core-2.3.12.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
+      <vulnerabilityName>CVE-2016-6311</vulnerabilityName>
+   </suppress>
+</suppressions>

From 5d89c21ccf96fd627f590afbd95569f95a481f03 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Fri, 8 Mar 2024 17:23:29 +0000
Subject: [PATCH 2/3] [WFLY-18073] Ignore CVE-2021-20293 for two reasons:  1.
 It is not matched against the correct components.  2. It was decided this is
 not a CVE and is the user's responsibility.

---
 sca-overrides/owasp-suppressions.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sca-overrides/owasp-suppressions.xml b/sca-overrides/owasp-suppressions.xml
index 7731ff4ecd8b..4202838a4458 100644
--- a/sca-overrides/owasp-suppressions.xml
+++ b/sca-overrides/owasp-suppressions.xml
@@ -197,4 +197,18 @@
       <packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
       <vulnerabilityName>CVE-2016-6311</vulnerabilityName>
    </suppress>
+   <suppress until="2025-03-08">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.0.4.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2021-20293</cve>
+   </suppress>
+   <suppress until="2025-03-08">
+      <notes><![CDATA[
+      file name: resteasy-tracing-api-2.0.1.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
+      <cve>CVE-2021-20293</cve>
+   </suppress>
 </suppressions>

From b862dbb078fbf11a06754a671a4629b463036de7 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse <darran.lofthouse@jboss.com>
Date: Wed, 10 Apr 2024 16:22:24 +0100
Subject: [PATCH 3/3] [WFLY-19224] Suppress CVE-2023-1973 as WildFly no longer
 uses Undertow's authentication mechanisms.

---
 sca-overrides/owasp-suppressions.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sca-overrides/owasp-suppressions.xml b/sca-overrides/owasp-suppressions.xml
index 4202838a4458..a219162a486e 100644
--- a/sca-overrides/owasp-suppressions.xml
+++ b/sca-overrides/owasp-suppressions.xml
@@ -211,4 +211,21 @@
       <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
       <cve>CVE-2021-20293</cve>
    </suppress>
+   <suppress until="2025-03-15">
+      <notes><![CDATA[
+      file name: resteasy-spring-3.1.2.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
+      <cve>CVE-2018-1051</cve>
+   </suppress>
+   <suppress until="2025-04-10">
+      <notes><![CDATA[
+      file name: undertow-core-2.3.12.Final.jar
+
+      [WFLY-19224] Since WildFly moved to using WildFly Elytron exclusively for security the
+      authentication mechanism from undertow-core is not used. This is a false positive.
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
+      <vulnerabilityName>CVE-2023-1973</vulnerabilityName>
+   </suppress>
 </suppressions>