From 1983ebebc708a5fdd81671646e1ee8b51f0cd571 Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Wed, 11 Oct 2023 11:18:19 -0300
Subject: [PATCH] MINOR: fix dependencycheck warnings (#14476)

Add suppressions and skip benchmarking/testing projects

Reviewers: Josep Prat
---
 build.gradle | 4 +++
 gradle/dependencies.gradle | 3 +++
 .../dependencycheck-suppressions.xml | 27 +++++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/build.gradle b/build.gradle
index eee62192200..9df240a7433 100644
--- a/build.gradle
+++ b/build.gradle
@@ -39,6 +39,9 @@ plugins {
 id 'org.nosphere.apache.rat' version "0.8.1"
 id "io.swagger.core.v3.swagger-gradle-plugin" version "${swaggerVersion}"
+ // When updating the spotbugs gradle plugin, check if it already
+ // includes spotbugs version 4.7.4, in which case CVE-2022-42920 can
+ // be dropped from gradle/resources/dependencycheck-suppressions.xml
 id "com.github.spotbugs" version '5.1.3' apply false
 id 'org.scoverage' version '7.0.1' apply false
 id 'com.github.johnrengelman.shadow' version '8.1.1' apply false
@@ -757,6 +760,7 @@ subprojects {
 dependencyCheck {
 suppressionFile = "$rootDir/gradle/resources/dependencycheck-suppressions.xml"
+ skipProjects = [ ":jmh-benchmarks", ":trogdor" ]
 }
 }
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 5ea6aac47cb..9c1db35e6f4 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -93,6 +93,9 @@ versions += [
 argparse4j: "0.7.0",
 bcpkix: "1.75",
 caffeine: "2.9.3", // 3.x supports JDK 11 and above
+ // when updating checkstyle, check whether the exclusion of
+ // CVE-2023-2976 and CVE-2020-8908 can be dropped from
+ // gradle/resources/dependencycheck-suppressions.xml
 checkstyle: "8.36.2",
 commonsCli: "1.4",
 commonsValidator: "1.7",
diff --git a/gradle/resources/dependencycheck-suppressions.xml b/gradle/resources/dependencycheck-suppressions.xml
index d6a8110595b..2458e85ab2a 100644
--- a/gradle/resources/dependencycheck-suppressions.xml
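Review bot: `skipProjects = [ ":jmh-benchmarks", ":trogdor" ]` drops two modules from the vulnerability report without recording why, and the "benchmarking/testing" rationale from the commit message is not obviously true for both: jmh-benchmarks is build-only, but trogdor is, as far as I know, still packaged into the release tarball, so a vulnerable dependency reachable only through that module would now go unreported. A comment above the line stating the rationale and when to revisit it would help, e.g. `// build-time only projects that are not part of the distribution; revisit if either is shipped`. If trogdor is in fact shipped, consider keeping it in the scan and suppressing the specific findings in gradle/resources/dependencycheck-suppressions.xml instead, which keeps a per-CVE record of what was accepted and why. The enclosing subprojects block starts outside the hunk.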
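Review bot: The new comment above `checkstyle: "8.36.2"` says "exclusion" where the rest of the change (the suppressions file name and the spotbugs comment in build.gradle) says "suppression", which is also dependency-check's own term; using one word keeps the two reminders easy to find together, e.g. `// when updating checkstyle, check whether the suppression of` / `// CVE-2023-2976 and CVE-2020-8908 can be dropped from`. Both ids are, to my knowledge, Guava advisories that only enter the build through checkstyle's classpath, and stating that in one clause would spare the next reader from re-deriving why suppressing them is acceptable. The versions map continues outside the hunk.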
+++ b/gradle/resources/dependencycheck-suppressions.xml @@ -23,4 +23,31 @@ ]]> CVE-2023-35116 + + + CVE-2022-42920 + + + + CVE-2020-8908 + CVE-2023-2976 + + + + CVE-2023-36479 +
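Review bot: The new suppression for CVE-2023-36479 is the one entry in this hunk that appears to concern a runtime dependency rather than a build tool (the id belongs to a Jetty servlet advisory, if I recall correctly), so its `<notes>` should name the module that pulls the artifact in and why the affected component is not used, and the `<suppress>` element should carry an `until="<date>"` attribute so the exclusion is revisited rather than becoming permanent. The element markup of this hunk is not visible in this rendering, so some of this may already be present. The CVE-2022-42920 and CVE-2020-8908/CVE-2023-2976 entries are explained by the comments added in build.gradle and gradle/dependencies.gradle; a one-line `<notes>` mirroring that rationale would keep the reason next to the suppression itself.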