From 488795bf23316484b89427cb539b7433e9be5205 Mon Sep 17 00:00:00 2001
From: Keerthana Srikanth <ksrikanth@confluent.io>
Date: Thu, 14 Dec 2023 00:14:05 +0530
Subject: [PATCH] Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878
 (#15522)

* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
---
 extensions-core/druid-pac4j/pom.xml           |   2 +-
 .../druid/security/pac4j/Pac4jFilter.java     |  17 +-
 .../security/pac4j/Pac4jSessionStore.java     |  21 +-
 .../security/pac4j/Pac4jSessionStoreTest.java |  78 +-
 licenses.yaml                                 |   6 +-
 owasp-dependency-check-suppressions.xml       | 952 +++++++-----------
 6 files changed, 471 insertions(+), 605 deletions(-)

diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml
index a8cb8b3a08bf..a330f34c71f6 100644
--- a/extensions-core/druid-pac4j/pom.xml
+++ b/extensions-core/druid-pac4j/pom.xml
@@ -34,7 +34,7 @@
   </parent>
 
   <properties>
-    <pac4j.version>3.8.3</pac4j.version>
+    <pac4j.version>4.5.7</pac4j.version>
 
     <!-- Following must be updated along with any updates to pac4j version -->
     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
index 4463e43ca29d..452a22609460 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
@@ -23,14 +23,15 @@
 import org.apache.druid.server.security.AuthConfig;
 import org.apache.druid.server.security.AuthenticationResult;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.context.J2EContext;
+import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.engine.CallbackLogic;
 import org.pac4j.core.engine.DefaultCallbackLogic;
 import org.pac4j.core.engine.DefaultSecurityLogic;
 import org.pac4j.core.engine.SecurityLogic;
+import org.pac4j.core.exception.http.HttpAction;
 import org.pac4j.core.http.adapter.HttpActionAdapter;
-import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.UserProfile;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -47,12 +48,12 @@ public class Pac4jFilter implements Filter
 {
   private static final Logger LOGGER = new Logger(Pac4jFilter.class);
 
-  private static final HttpActionAdapter<String, J2EContext> NOOP_HTTP_ACTION_ADAPTER = (int code, J2EContext ctx) -> null;
+  private static final HttpActionAdapter<String, JEEContext> NOOP_HTTP_ACTION_ADAPTER = (HttpAction code, JEEContext ctx) -> null;
 
   private final Config pac4jConfig;
-  private final SecurityLogic<String, J2EContext> securityLogic;
-  private final CallbackLogic<String, J2EContext> callbackLogic;
-  private final SessionStore<J2EContext> sessionStore;
+  private final SecurityLogic<String, JEEContext> securityLogic;
+  private final CallbackLogic<String, JEEContext> callbackLogic;
+  private final SessionStore<JEEContext> sessionStore;
 
   private final String name;
   private final String authorizerName;
@@ -88,7 +89,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
     HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
     HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-    J2EContext context = new J2EContext(httpServletRequest, httpServletResponse, sessionStore);
+    JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore);
 
     if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) {
       callbackLogic.perform(
@@ -101,7 +102,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
       String uid = securityLogic.perform(
           context,
           pac4jConfig,
-          (J2EContext ctx, Collection<CommonProfile> profiles, Object... parameters) -> {
+          (JEEContext ctx, Collection<UserProfile> profiles, Object... parameters) -> {
             if (profiles.isEmpty()) {
               LOGGER.warn("No profiles found after OIDC auth.");
               return null;
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java
index 069a4ff2eb9a..6c5c57a33198 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java
@@ -25,12 +25,12 @@
 import org.apache.druid.java.util.common.logger.Logger;
 import org.pac4j.core.context.ContextHelper;
 import org.pac4j.core.context.Cookie;
-import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.util.JavaSerializationHelper;
+import org.pac4j.core.util.Pac4jConstants;
 
 import javax.annotation.Nullable;
 import java.io.ByteArrayInputStream;
@@ -38,6 +38,7 @@
 import java.io.IOException;
 import java.io.Serializable;
 import java.util.Map;
+import java.util.Optional;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 
@@ -78,7 +79,7 @@ public String getOrCreateSessionId(WebContext context)
 
   @Nullable
   @Override
-  public Object get(WebContext context, String key)
+  public Optional<Object> get(WebContext context, String key)
   {
     final Cookie cookie = ContextHelper.getCookie(context, PAC4J_SESSION_PREFIX + key);
     Object value = null;
@@ -86,7 +87,7 @@ public Object get(WebContext context, String key)
       value = uncompressDecryptBase64(cookie.getValue());
     }
     LOGGER.debug("Get from session: [%s] = [%s]", key, value);
-    return value;
+    return Optional.ofNullable(value);
   }
 
   @Override
@@ -142,7 +143,7 @@ private Serializable uncompressDecryptBase64(final String v)
     if (v != null && !v.isEmpty()) {
       byte[] bytes = StringUtils.decodeBase64String(v);
       if (bytes != null) {
-        return javaSerializationHelper.unserializeFromBytes(unCompress(cryptoService.decrypt(bytes)));
+        return javaSerializationHelper.deserializeFromBytes(unCompress(cryptoService.decrypt(bytes)));
       }
     }
     return null;
@@ -176,19 +177,19 @@ private Object clearUserProfile(final Object value)
   {
     if (value instanceof Map<?, ?>) {
       final Map<String, CommonProfile> profiles = (Map<String, CommonProfile>) value;
-      profiles.forEach((name, profile) -> profile.clearSensitiveData());
+      profiles.forEach((name, profile) -> profile.removeLoginData());
       return profiles;
     } else {
       final CommonProfile profile = (CommonProfile) value;
-      profile.clearSensitiveData();
+      profile.removeLoginData();
       return profile;
     }
   }
 
   @Override
-  public SessionStore buildFromTrackableSession(WebContext arg0, Object arg1)
+  public Optional<SessionStore<T>> buildFromTrackableSession(WebContext arg0, Object arg1)
   {
-    return null;
+    return Optional.empty();
   }
 
   @Override
@@ -198,9 +199,9 @@ public boolean destroySession(WebContext arg0)
   }
 
   @Override
-  public Object getTrackableSession(WebContext arg0)
+  public Optional getTrackableSession(WebContext arg0)
   {
-    return null;
+    return Optional.empty();
   }
 
   @Override
diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
index 0349a98a7ccd..772bef7ef6c3 100644
--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
+++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
@@ -25,15 +25,23 @@
 import org.junit.Test;
 import org.pac4j.core.context.Cookie;
 import org.pac4j.core.context.WebContext;
+import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.definition.CommonProfileDefinition;
 
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
 
 public class Pac4jSessionStoreTest
 {
+  private static final String COOKIE_PASSPHRASE = "test-cookie-passphrase";
+
   @Test
   public void testSetAndGet()
   {
-    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore("test-cookie-passphrase");
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
 
     WebContext webContext1 = EasyMock.mock(WebContext.class);
     EasyMock.expect(webContext1.getScheme()).andReturn("https");
@@ -54,7 +62,73 @@ public void testSetAndGet()
     WebContext webContext2 = EasyMock.mock(WebContext.class);
     EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
     EasyMock.replay(webContext2);
+    Assert.assertEquals("value", Objects.requireNonNull(sessionStore.get(webContext2, "key")).orElse(null));
+  }
+
+  @Test
+  public void testSetAndGetClearUserProfile()
+  {
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
+
+    WebContext webContext1 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext1.getScheme()).andReturn("https");
+    Capture<Cookie> cookieCapture = EasyMock.newCapture();
+
+    webContext1.addResponseCookie(EasyMock.capture(cookieCapture));
+    EasyMock.replay(webContext1);
+
+    CommonProfile profile = new CommonProfile();
+    profile.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name");
+    sessionStore.set(webContext1, "pac4jUserProfiles", profile);
+
+    Cookie cookie = cookieCapture.getValue();
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertTrue(cookie.isHttpOnly());
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertEquals(900, cookie.getMaxAge());
+
+
+    WebContext webContext2 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
+    EasyMock.replay(webContext2);
+    Optional<Object> value = sessionStore.get(webContext2, "pac4jUserProfiles");
+    Assert.assertTrue(Objects.requireNonNull(value).isPresent());
+    Assert.assertEquals("name", ((CommonProfile) value.get()).getAttribute(CommonProfileDefinition.DISPLAY_NAME));
+  }
+
+  @Test
+  public void testSetAndGetClearUserMultipleProfile()
+  {
+    Pac4jSessionStore<WebContext> sessionStore = new Pac4jSessionStore(COOKIE_PASSPHRASE);
+
+    WebContext webContext1 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext1.getScheme()).andReturn("https");
+    Capture<Cookie> cookieCapture = EasyMock.newCapture();
+
+    webContext1.addResponseCookie(EasyMock.capture(cookieCapture));
+    EasyMock.replay(webContext1);
 
-    Assert.assertEquals("value", sessionStore.get(webContext2, "key"));
+    CommonProfile profile1 = new CommonProfile();
+    profile1.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name1");
+    CommonProfile profile2 = new CommonProfile();
+    profile2.addAttribute(CommonProfileDefinition.DISPLAY_NAME, "name2");
+    Map<String, CommonProfile> profiles = new HashMap<>();
+    profiles.put("profile1", profile1);
+    profiles.put("profile2", profile2);
+    sessionStore.set(webContext1, "pac4jUserProfiles", profiles);
+
+    Cookie cookie = cookieCapture.getValue();
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertTrue(cookie.isHttpOnly());
+    Assert.assertTrue(cookie.isSecure());
+    Assert.assertEquals(900, cookie.getMaxAge());
+
+
+    WebContext webContext2 = EasyMock.mock(WebContext.class);
+    EasyMock.expect(webContext2.getRequestCookies()).andReturn(Collections.singletonList(cookie));
+    EasyMock.replay(webContext2);
+    Optional<Object> value = sessionStore.get(webContext2, "pac4jUserProfiles");
+    Assert.assertTrue(Objects.requireNonNull(value).isPresent());
+    Assert.assertEquals(2, ((Map<String, CommonProfile>) value.get()).size());
   }
 }
diff --git a/licenses.yaml b/licenses.yaml
index 1d5fe8c0d0d4..2d9fd869edaa 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -776,7 +776,7 @@ name: pac4j-oidc java security library
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 3.8.3
+version: 4.5.7
 libraries:
   - org.pac4j: pac4j-oidc
 
@@ -786,7 +786,7 @@ name: pac4j-core java security library
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 3.8.3
+version: 4.5.7
 libraries:
   - org.pac4j: pac4j-core
 
@@ -837,7 +837,7 @@ name: com.sun.mail javax.mail
 license_category: binary
 module: extensions/druid-pac4j
 license_name: CDDL 1.1
-version: 1.6.1
+version: 1.6.2
 libraries:
   - com.sun.mail: javax.mail
 
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 688baaddfcb7..12cabf7842b8 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -18,458 +18,139 @@
   ~ under the License.
   -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <!-- False positives -->
   <suppress>
-    <!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
     <notes><![CDATA[
-   file name: org.apache.druid:druid-indexing-hadoop
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
-    <cve>CVE-2012-4449</cve>
-    <cve>CVE-2017-3162</cve>
-    <cve>CVE-2018-8009</cve>
-    <cve>CVE-2022-26612</cve>
-  </suppress>
-  <suppress>
-    <!-- druid-processing.jar is mistaken for org.processing:processing -->
-    <notes><![CDATA[
-   file name: org.apache.druid:druid-processing
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl>
-    <cve>CVE-2018-1000840</cve>
-  </suppress>
-  <suppress>
-    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
-    <notes><![CDATA[
-   file name: openstack-swift
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
-    <cve>CVE-2013-7109</cve>
-    <cve>CVE-2016-0737</cve>
-    <cve>CVE-2016-0738</cve>
-    <cve>CVE-2017-16613</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-   file name: openstack-keystone-1.9.1.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
-    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
-    <cve>CVE-2015-7546</cve>
-    <cve>CVE-2020-12689</cve>
-    <cve>CVE-2020-12690</cve>
-    <cve>CVE-2020-12691</cve>
-
-    <!-- This CVE affects the server -->
-    <cve>CVE-2021-3563</cve>
-  </suppress>
-
-  <suppress>
-    <notes><![CDATA[
-     file name: json-path-2.3.0.jar
+     file name: json-path-2.3.0.jar jackson-core-2.12.7.jar
      ]]></notes>
-    <packageUrl regex="true">^pkg:maven/net\.minidev/json\-path@.*$</packageUrl>
     <cve>CVE-2022-45688</cve>
+    <cve>CVE-2023-35116</cve>
   </suppress>
 
   <suppress>
-    <!-- Not much for us to do as a user of the client lib, and no patch is available,
-     see https://github.com/kubernetes/kubernetes/issues/97076 -->
     <notes><![CDATA[
-   file name: client-java-10.0.1.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
-    <cve>CVE-2020-8554</cve>
+      file name: grpc-context-1.27.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-context@1.27.2$</packageUrl>
+    <cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 -->
+    <cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 -->
+    <cve>CVE-2023-32732</cve>
   </suppress>
 
-  <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
-  <suppress>
-    <!--
-      ~ TODO: Fix by updating hibernate-validator.
-
-      ~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath:
-      ~ https://developer.jboss.org/wiki/HibernateValidatorMigrationGuide#jive_content_id_531Final
-      ~
-      ~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail:
-      ~
-      ~   Error: com.google.inject.CreationException: Unable to create injector, see the following errors:
-      ~
-      ~   1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
-      ~     at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
-      ~
-      ~   2) No implementation for javax.validation.Validator was bound.
-      ~     at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
-      ~
-      ~   2 errors
-      ~       at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470)
-      ~       at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155)
-      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
-      ~       at com.google.inject.Guice.createInjector(Guice.java:99)
-      ~       at com.google.inject.Guice.createInjector(Guice.java:73)
-      ~       at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(GuiceInjectors.java:56)
-      ~       at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(HadoopDruidIndexerConfig.java:102)
-      ~       at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(HadoopDruidIndexerMapper.java:53)
-      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(DetermineHashedPartitionsJob.java:279)
-      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.run(DetermineHashedPartitionsJob.java:334)
-      ~       at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:787)
-      ~       at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
-      ~       at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:175)
-      ~       at java.security.AccessController.doPrivileged(Native Method)
-      ~       at javax.security.auth.Subject.doAs(Subject.java:422)
-      ~       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)
-      ~       at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:169)
-      ~   Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
-      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:102)
-      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(ResourceBundleMessageInterpolator.java:45)
-      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(ConfigurationImpl.java:423)
-      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(ConfigurationImpl.java:575)
-      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(ConfigurationImpl.java:364)
-      ~       at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(ValidatorFactoryImpl.java:148)
-      ~       at org.hibernate.validator.HibernateValidator.buildValidatorFactory(HibernateValidator.java:38)
-      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(ConfigurationImpl.java:331)
-      ~       at javax.validation.Validation.buildDefaultValidatorFactory(Validation.java:110)
-      ~       at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
-      ~       at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
-      ~       at com.google.inject.spi.Elements.getElements(Elements.java:110)
-      ~       at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
-      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
-      ~       ... 14 more
-      ~   Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory;
-      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:98)
-      ~       ... 27 more
-      -->
-    <notes><![CDATA[
-   file name: hibernate-validator-5.3.6.Final.jar
-   file name: hibernate-validator-5.2.5.Final.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
-    <cve>CVE-2017-7536</cve>
-    <cve>CVE-2019-10219</cve> <!-- We don't use SafeHtml validator annotation https://nvd.nist.gov/vuln/detail/CVE-2019-10219 -->
-    <cve>CVE-2019-14900</cve> <!-- Not applicable to hibernate validator https://github.com/hibernate/hibernate-orm/pull/3438 -->
-    <cve>CVE-2020-10693</cve> <!-- We don't take user input in constraint violation message https://hibernate.atlassian.net/browse/HV-1774 -->
-    <cve>CVE-2020-25638</cve>
-  </suppress>
-  <suppress>
-    <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
-    <notes><![CDATA[
-   file name: jackson-mapper-asl-1.9.13.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl>
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 ince it is via curator-x-discovery -->
-  </suppress>
   <suppress>
-    <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
+    <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
+    <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
     <notes><![CDATA[
-   file name: netty-3.10.6.Final.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2020-11612</cve>
-    <cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 -->
-    <cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj -->
-    <cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32 -->
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-    <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
-    <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
-    <cve>CVE-2022-41881</cve>
-    <cve>CVE-2023-34462</cve>	<!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
-  </suppress>
-  <suppress>
-    <!-- TODO: Fix by upgrading hadoop-auth version -->
-    <notes><![CDATA[
-   file name: nimbus-jose-jwt-4.41.1.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@4.41.1$</packageUrl>
-    <cve>CVE-2019-17195</cve>
-  </suppress>
-  <suppress>
-    <!-- This CVE is a false positive. The CVE is not for apacheds-i18n -->
-    <notes><![CDATA[
-   file name: apacheds-i18n-2.0.0-M15.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
-    <cve>CVE-2020-7791</cve>
-  </suppress>
-  <suppress>
-      <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
-      <notes><![CDATA[
-   file name: libthrift-0.6.1.jar
-   ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl>
-      <cve>CVE-2016-5397</cve>
-      <cve>CVE-2018-1320</cve>
-      <cve>CVE-2019-0205</cve>
+      file name: commons-compress-1.23.0.jar
+    ]]></notes>
+    <cve>CVE-2023-42503</cve>
   </suppress>
+
   <suppress>
-    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage     -->
     <notes><![CDATA[
-    file name: jettison-1.*.jar
+      file name: guava-31.1-jre.jar
     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
-    <cve>CVE-2022-40149</cve>
-    <cve>CVE-2022-40150</cve>
-    <cve>CVE-2022-45685</cve>
-    <cve>CVE-2022-45693</cve>
-    <cve>CVE-2023-1436</cve>
+    <cve>CVE-2020-8908</cve>
   </suppress>
-  <suppress>
-    <!-- The main use of snakeyaml in Druid is coming in test scope from:
-     com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.7
-     (version 1.27)
-     The contrib extension: druid-cassandra-storage uses version 1.6 in compile
-     scope
-     The integration tests use version 1.27 in compile scope.
-     Previous pinning of version to 1.33 forced the usage of the version across
-     all the modules, downgrading the version for some of them.
-     The removal of the pin in the main POM allows the modules choose which version
-     to be used, enabling the users to disable contrib extensions and use the
-     CVE free version of Snakeyaml in core extensions.
-      -->
 
-    <notes><![CDATA[
-    file name: snakeyaml-1.27.jar snakeyaml-1.33.jar
-    ]]></notes>
-    <!-- Snakeyaml is used only in test scope in Druid core with trusted inputs -->
-    <cve>CVE-2022-1471</cve>
-    <!-- false positive -->
-    <cve>CVE-2023-2251</cve>
-    <cve>CVE-2022-3064</cve>
+  <!-- CVE-2022-4244 is affecting plexus-utils package,
+  plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
+  <suppress base="true">
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
+    <cve>CVE-2022-4244</cve>
+    <cve>CVE-2022-4245</cve>
   </suppress>
+
   <suppress>
+    <!-- This presumably applies to maven build system -->
     <notes><![CDATA[
-   file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 -->
+     file name: maven-settings
+     ]]></notes>
+    <cve>CVE-2021-26291</cve>
   </suppress>
+
   <suppress>
+    <!-- LDAP authentication check bypass FP no exploitability analysis -->
     <notes><![CDATA[
-   file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 -->
+     file name: derby-10.14.2.0.jar
+     ]]></notes>
+    <cve>CVE-2022-46337</cve>
   </suppress>
+
   <suppress>
-    <!--
-      ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
-      ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
-      -->
+    <!-- False positive fixed in 9.4.52
+    https://nvd.nist.gov/vuln/detail/CVE-2023-36479 -->
     <notes><![CDATA[
-   file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.4.0$</packageUrl>
-    <cve>CVE-2018-14721</cve>  <!-- cvss of 10.0 -->
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-databind:2.4.0 since it is via htrace-core4 -->
+     file name: jetty-servlets-9.4.53.v20231009.jar
+     ]]></notes>
+    <cve>CVE-2023-36479</cve>
   </suppress>
+
   <suppress>
     <!--
-      ~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions.
+      the suppressions here aren't currently applicable, but can be resolved once we update the version
       -->
     <notes><![CDATA[
-   file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
+   file name: jackson-databind-2.10.5.1.jar
    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies -->
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
+    https://nvd.nist.gov/vuln/detail/CVE-2022-42003
+    https://nvd.nist.gov/vuln/detail/CVE-2022-42004
+     -->
+    <cve>CVE-2022-42003</cve>
+    <cve>CVE-2022-42004</cve>
   </suppress>
-  <suppress>
-     <notes><![CDATA[
-     file name: node-sass:4.13.1
-
-     The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455
 
-     But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on
-     Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
-     ]]></notes>
-     <packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
-     <vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <!--
-      ~ TODO: Fix when Apache Ranger 2.1 is released
-      -->
-    <notes><![CDATA[
-    file name: kafka_2.11-2.0.0.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka_2.11@2.0.0$</packageUrl>
-    <cve>CVE-2019-12399</cve>
-    <cve>CVE-2018-17196</cve>
-  </suppress>
-  <suppress>
-    <!--
-      ~ TODO: Fix when Apache Ranger 2.1 is released
-      - transitive dep from apache-ranger, upgrading to 2.1.0 adds other CVEs, staying at ranger 2.0.0 for now
-      -->
-    <notes><![CDATA[
-    file name: kafka-clients-2.0.0.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
-    <cve>CVE-2019-12399</cve>
-    <cve>CVE-2018-17196</cve>
-    <cve>CVE-2023-25194</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-    file name: kafka-clients-3.2.0.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
-    <cve>CVE-2022-34917</cve>
-  </suppress>
   <suppress>
-    <!--
-      ~ ambari-metrics-emitter, druid-ranger-security
-      -->
+    <!-- Avatica server itself is not affected. Vulnerability exists only on client. -->
     <notes><![CDATA[
-    file name: log4j-1.2.17.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
-    <cve>CVE-2019-17571</cve>
-    <cve>CVE-2021-4104</cve>
-    <cve>CVE-2020-9493</cve>
-    <cve>CVE-2022-23307</cve>
-    <cve>CVE-2022-23305</cve>
-    <cve>CVE-2022-23302</cve>
-    <cve>CVE-2023-26464</cve>
+   file name: avatica-server-1.23.0.jar
+   ]]></notes>
+    <cve>CVE-2022-36364</cve>
+    <cve>CVE-2022-39135</cve>
+    <cve>CVE-2020-13955</cve>
   </suppress>
+
+  <!-- DoS when using expression evaluator.guess -->
   <suppress>
     <notes><![CDATA[
-    file name: log4j-core-2.17.1.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1$</packageUrl>
-    <cve>CVE-2022-33915</cve>
-  </suppress>
-  <suppress>
-     <notes><![CDATA[
-     file name: ambari-metrics-common-2.7.0.0.0.jar
+    file name: janino-3.1.9.jar
     ]]></notes>
-    <cve>CVE-2022-45855</cve>
-    <cve>CVE-2022-42009</cve>
-    <!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->
-    <cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop-annotations -->
-    <cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server -->
+    <cve>CVE-2023-33546</cve>
   </suppress>
+
   <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
+    <!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar -->
     <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-    <cve>CVE-2021-4104</cve>
-    <cve>CVE-2020-9493</cve>
-    <cve>CVE-2022-23307</cve>
-    <cve>CVE-2022-23305</cve>
-    <cve>CVE-2022-23302</cve>
-    <cve>CVE-2022-41881</cve>
-    <cve>CVE-2020-11612</cve>
-  </suppress>
-  <suppress>
-       <!--
-         - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-         -->
-     <notes><![CDATA[
-     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
+     file name: hadoop-client-runtime-3.3.6.jar
      ]]></notes>
-     <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
-     <cve>CVE-2015-1776</cve>
-     <cve>CVE-2016-3086</cve>
-     <cve>CVE-2016-5393</cve>
-     <cve>CVE-2016-6811</cve>
-     <cve>CVE-2017-3162</cve>
-     <cve>CVE-2018-11768</cve>
-     <cve>CVE-2018-1296</cve>
-     <cve>CVE-2018-8009</cve>
-     <cve>CVE-2018-8029</cve>
+    <!-- this one is windows only - https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
+    <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream -->
+    <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version -
+    https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
+    <cve>CVE-2023-1370</cve>
+    <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
+    <cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate vulnerability. But there is no fix as of yet in Hadoop repo -->
+    <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
+    <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
   </suppress>
+
+  <!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
   <suppress>
     <notes><![CDATA[
-     file name: hadoop-*-3.3.1.jar
-     ]]></notes>
-    <cve>CVE-2018-11765</cve>
-    <cve>CVE-2020-9492</cve>
+      file name: hadoop-*-3.3.1.jar
+      ]]></notes>
+    <cve>CVE-2015-7430</cve>
+    <cve>CVE-2017-3162</cve>
     <cve>CVE-2021-31684</cve>
-    <cve>CVE-2021-35517</cve>
-    <cve>CVE-2021-35516</cve>
-    <cve>CVE-2021-35515</cve>
-    <cve>CVE-2021-36090</cve>
-    <cve>CVE-2022-2048</cve>
     <cve>CVE-2022-3509</cve>
     <cve>CVE-2022-40152</cve>
   </suppress>
-  <suppress>
-    <!-- The CVE is not applicable to kafka-clients. -->
-    <notes><![CDATA[
-     file name: kafka-clients-2.8.0.jar
-     ]]></notes>
-    <cve>CVE-2021-26291</cve>
-  </suppress>
-  <suppress until="2021-12-30">
-    <!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. -->
-    <notes><![CDATA[
-     This vulnerability should be fixed soon and the suppression should be removed.
-     ]]></notes>
-    <cve>CVE-2020-13949</cve>
-  </suppress>
 
-  <suppress>
-     <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
-     <notes><![CDATA[
-     file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
-     ]]></notes>
-     <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
-     <cve>CVE-2018-14718</cve>
-     <cve>CVE-2018-7489</cve>
-     <cve>CVE-2022-42003</cve>
-     <cve>CVE-2022-42004</cve>
-  </suppress>
-  <suppress>
-    <!-- aliyun-oss -->
-    <notes><![CDATA[
-    file name: ini4j-0.5.4.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
-    <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
-    <notes><![CDATA[
-     file name: solr-solrj-7.7.1.jar
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
-    <cve>CVE-2020-13957</cve>
-    <cve>CVE-2019-17558</cve>
-    <cve>CVE-2019-0193</cve>
-    <cve>CVE-2020-13941</cve>
-    <cve>CVE-2021-29943</cve>
-    <cve>CVE-2021-27905</cve>
-    <cve>CVE-2021-29262</cve>
-    <cve>CVE-2021-44548</cve>
-  </suppress>
-
-  <suppress>
-    <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
-    <notes><![CDATA[
-     file name: jdom2-2.0.6.jar
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
-    <cve>CVE-2021-33813</cve>
-  </suppress>
-
-  <suppress>
-    <!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
-    <notes><![CDATA[
-     file name: libthrift-0.13.0.jar
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>
-    <cve>CVE-2020-13949</cve>
-  </suppress>
   <suppress>
     <!--
       1. hive-storage-api has the thrift vulnerability too
@@ -479,20 +160,12 @@
     <notes><![CDATA[
      file name: hive-storage-api-2.8.1.jar
      ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive-storage-api@2.8.1$</packageUrl>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*</packageUrl>
     <cve>CVE-2020-13949</cve>
     <cve>CVE-2021-34538</cve>
     <cve>CVE-2021-4125</cve>
   </suppress>
-  <suppress>
-    <!--
-    the scanner misattributes this to Apache DataSketches
-    the actual vulnerability affects some collaboration tool called Sketch, and impacts some 'library feeds' feature
-    which seems to relate to how the tool handles sharing designs or something, so we are doing a blanket ignore
-    because it seems nearly impossible for us to be affected by this
-     -->
-    <cve>CVE-2021-40531</cve>
-  </suppress>
+
   <suppress>
     <!-- These are for wildfly-openssl. -->
     <notes><![CDATA[
@@ -504,157 +177,167 @@
     <cve>CVE-2022-1278</cve>
   </suppress>
 
+
   <suppress>
-    <!-- Suppress aws-java-sdk-bundle cves -->
     <notes><![CDATA[
-    file name: aws-java-sdk-bundle-1.11.901.jar
+    file name: kafka-clients-3.2.0.jar
     ]]></notes>
-    <cve>CVE-2020-8570</cve>
-    <cve>CVE-2015-8559</cve>
-    <cve>CVE-2021-20291</cve>
-    <cve>CVE-2017-17485</cve>
-    <cve>CVE-2018-5968</cve>
-    <cve>CVE-2017-15095</cve>
-    <cve>CVE-2019-16942</cve>
-    <cve>CVE-2020-25649</cve>
-    <cve>CVE-2020-35491</cve>
-    <cve>CVE-2019-16943</cve>
-    <cve>CVE-2020-35490</cve>
-    <cve>CVE-2019-20330</cve>
-    <cve>CVE-2020-10673</cve>
-    <cve>CVE-2018-11307</cve>
-    <cve>CVE-2018-7489</cve>
-    <cve>CVE-2019-17267</cve>
-    <cve>CVE-2019-17531</cve>
-    <cve>CVE-2019-16335</cve>
-    <cve>CVE-2019-14893</cve>
-    <cve>CVE-2019-14540</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>
+    <cve>CVE-2022-34917</cve>
+    <cve>CVE-2023-25194</cve>
   </suppress>
 
   <suppress>
-    <!-- Suppress hadoop-shaded-guava cves -->
     <notes><![CDATA[
-    file name: hadoop-shaded-guava-1.1.1.jar
+    file name: woodstox-core-6.2.4.jar
     ]]></notes>
-    <cve>CVE-2015-7430</cve>
-    <cve>CVE-2017-3162</cve>
+    <cve>CVE-2023-34411</cve>
   </suppress>
-  
+
   <suppress>
-    <!-- False alarm for the Async javascript library (https://github.com/caolan/async) which is a dev dependency for the web console -->
     <notes><![CDATA[
-   file name: async-http-client-netty-utils-2.5.3.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client-netty-utils@2.5.3$</packageUrl>
-    <cve>CVE-2021-43138</cve>
+    file name: spatial4j-0.7.jar:
+    ]]></notes>
+    <cve>CVE-2014-125074</cve>
   </suppress>
 
   <suppress>
-    <!-- False alarm for the Async javascript library (https://github.com/caolan/async) which is a dev dependency for the web console -->
+    <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
+    <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->
     <notes><![CDATA[
-   file name: async-http-client-2.5.3.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async-http-client@2.5.3$</packageUrl>
-    <cve>CVE-2021-43138</cve>
+    file name: jose4j-0.7.3.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
+    <cve>CVE-2023-31582</cve>
   </suppress>
 
-
   <suppress>
-    <!-- Jackson CVEs when processing objects of large depth. Consider updating -->
-
+    <!-- okhttp -->
     <notes><![CDATA[
-   file name: *jackson-*.jar
+   file name: okhttp-*.jar
    ]]></notes>
-    <cve>CVE-2022-45688</cve>
+    <cve>CVE-2021-0341</cve>  <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
+    <cve>CVE-2016-2402</cve>	<!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
+    <cve>CVE-2023-0833</cve>  <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
   </suppress>
 
   <suppress>
-    <!-- Non-applicable CVE for gson -->
+    <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
     <notes><![CDATA[
-   file name: gson-*.jar
+   file name: jackson-mapper-asl-1.9.13.jar
    ]]></notes>
-    <cve>CVE-2022-25647</cve>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl>
+    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 ince it is via curator-x-discovery -->
   </suppress>
 
   <suppress>
-    <!-- Non-applicable CVE for jedis, since we don't use lua scripts -->
+    <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
     <notes><![CDATA[
-   file name: jedis-2.9.0.jar
+   file name: netty-3.10.6.Final.jar
    ]]></notes>
-    <cve>CVE-2021-32626</cve>
-    <cve>CVE-2022-24735</cve>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2020-11612</cve>
+    <cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 -->
+    <cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2 to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj -->
+    <cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32 -->
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
+    <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
+    <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
+    <cve>CVE-2022-41881</cve>
+    <cve>CVE-2023-34462</cve>	<!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
   </suppress>
 
   <suppress>
-    <!-- pac4j-core-3.8.3 -->
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
     <notes><![CDATA[
-   file name: pac4j-core-3.8.3.jar
+   file name: libthrift-0.6.1.jar
    ]]></notes>
-    <cve>CVE-2021-44878</cve>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl>
+    <cve>CVE-2018-1320</cve>
+    <cve>CVE-2019-0205</cve>
   </suppress>
 
   <suppress>
-    <!-- cassandra-all-1.0.8.jar -->
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage     -->
     <notes><![CDATA[
-   file name: cassandra-all-1.0.8.jar
-   ]]></notes>
-    <cve>CVE-2020-17516</cve>
+    file name: jettison-1.*.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jettison/jettison@1.*$</packageUrl>
+    <cve>CVE-2022-40149</cve>
+    <cve>CVE-2022-40150</cve>
+    <cve>CVE-2022-45685</cve>
+    <cve>CVE-2022-45693</cve>
+    <cve>CVE-2023-1436</cve>
   </suppress>
 
   <suppress>
-    <!-- okhttp -->
+    <!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
+    <!-- We need to update several other components to move to Snakeyaml 2.0 to address CVE-2022-1471 -->
+    <!-- Snakeyaml 1.33 added to dependencyManagement in main pom file -->
     <notes><![CDATA[
-   file name: okhttp-*.jar
-   ]]></notes>
-    <cve>CVE-2021-0341</cve>
-    <cve>CVE-2016-2402</cve>	<!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
+    file name: snakeyaml-1.33.jar
+    ]]></notes>
+    <cve>CVE-2022-1471</cve>
+    <!-- false positive -->
+    <cve>CVE-2023-2251</cve>
+    <cve>CVE-2022-3064</cve>
   </suppress>
 
   <suppress>
-    <!-- parquet-format-structures-1.12.0.jar -->
     <notes><![CDATA[
-   file name: parquet-format-structures-1.12.0.jar
-   ]]></notes>
-    <cve>CVE-2021-41561</cve>
+     file name: node-sass:4.13.1
+
+     The vulnerability is fixed in 4.13.1: https://github.com/sass/node-sass/issues/2816#issuecomment-575136455
+
+     But the dependency check plugin thinks it's still broken as the affected/fixed versions has not been updated on
+     Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
+     ]]></notes>
+    <packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
+    <vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
   </suppress>
 
   <suppress>
-    <!-- Avatica server itself is not affected. Vulnerability exists only on client. -->
+    <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
     <notes><![CDATA[
-   file name: avatica-server-1.17.0.jar
-   ]]></notes>
-    <cve>CVE-2022-36364</cve>
-    <cve>CVE-2022-39135</cve>
+     file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+     ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+    <cve>CVE-2018-14718</cve>
+    <cve>CVE-2018-7489</cve>
+    <cve>CVE-2022-42003</cve>
+    <cve>CVE-2022-42004</cve>
   </suppress>
+
   <suppress>
+    <!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
+    <!-- valid issue, worth investigating overhauling to e.g., 	0.19.0 -->
     <notes><![CDATA[
-    file name: calcite-core-1.21.0.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>
-    <cve>CVE-2020-13955</cve>
+     file name: libthrift-0.13.0.jar
+     ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*</packageUrl>
+    <cve>CVE-2020-13949</cve>
   </suppress>
+
   <suppress>
-    <!-- avatica-server-1.17.0.jar -->
+    <!-- Non-applicable CVE for gson -->
     <notes><![CDATA[
-   file name: avatica-server-1.17.0.jar
+   file name: gson-*.jar
    ]]></notes>
-    <!--
-    We do not expose any of the SQL operators that were found vulnerable in this CVE.
-    -->
-    <cve>CVE-2022-39135</cve>
+    <cve>CVE-2022-25647</cve>
   </suppress>
 
   <suppress>
-    <!-- calcite-core-1.21.0.jar -->
+    <!-- 4.5.5 is a fixed version as per https://nvd.nist.gov/vuln/detail/CVE-2021-44878. -->
+    <!-- However, vulnerability scan still shows this CVE. Pac4j release notes mention 5.3.1 as "fully fixed" version. -->
+    <!-- Remove suppression once upgraded to 5.3.1. -->
     <notes><![CDATA[
-   file name: calcite-core-1.21.0.jar
+   file name: pac4j-core-4.5.7.jar
    ]]></notes>
-    <!--
-    We do not expose any of the SQL operators that were found vulnerable in this CVE.
-    -->
-    <cve>CVE-2022-39135</cve>
+    <cve>CVE-2021-44878</cve>
   </suppress>
 
   <suppress>
@@ -671,65 +354,55 @@
   </suppress>
 
   <suppress>
-     <notes><![CDATA[
+    <notes><![CDATA[
      file name: d3-color:2.0.0
      ]]></notes>
-     <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
-     <vulnerabilityName>1084597</vulnerabilityName>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
+    <packageUrl regex="true">^pkg:npm/d3\-color@.*$</packageUrl>
+    <vulnerabilityName>1084597</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
      file name: protobuf-java-3.11.0.jar
      ]]></notes>
-     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
-     <cve>CVE-2022-3171</cve>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
+    <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+    <cve>CVE-2022-3171</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
      file name: protobuf-java-util-3.11.0.jar
      ]]></notes>
-     <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
-     <cve>CVE-2022-3171</cve>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
+    <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java\-util@.*$</packageUrl>
+    <cve>CVE-2022-3171</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
      file name: ansi-regex:5.0.0
      ]]></notes>
-     <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
-     <vulnerabilityName>1084697</vulnerabilityName>
-     <cve>CVE-2021-3807</cve>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
+    <packageUrl regex="true">^pkg:npm/ansi\-regex@.*$</packageUrl>
+    <vulnerabilityName>1084697</vulnerabilityName>
+    <cve>CVE-2021-3807</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
      file name: glob-parent:5.1.1
      ]]></notes>
-     <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
-     <vulnerabilityName>1081884</vulnerabilityName>
-     <cve>CVE-2020-28469</cve>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
-     file name: minimatch:3.0.4
-     ]]></notes>
-     <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl>
-     <vulnerabilityName>1084765</vulnerabilityName>
-   </suppress>
-   <suppress>
-     <notes><![CDATA[
-     file name: y18n:4.0.0
-     ]]></notes>
-     <packageUrl regex="true">^pkg:npm/y18n@.*$</packageUrl>
-     <vulnerabilityName>1070209</vulnerabilityName>
-     <cve>CVE-2020-7774</cve>
-   </suppress>
+    <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
+    <vulnerabilityName>1081884</vulnerabilityName>
+    <cve>CVE-2020-28469</cve>
+  </suppress>
+
   <suppress>
-    <!-- druid-ranger-security -->
     <notes><![CDATA[
-     file name: ranger-plugins-common-2.0.0.jar
+     file name: minimatch:3.0.4
      ]]></notes>
-    <!-- seems not applicable to plugin -->
-    <cve>CVE-2022-45048</cve>
+    <packageUrl regex="true">^pkg:npm/minimatch@.*$</packageUrl>
+    <vulnerabilityName>1084765</vulnerabilityName>
   </suppress>
+
   <suppress>
     <!-- from extensions using hadoop-client-runtime, these dependencies are shaded in the jar -->
     <notes><![CDATA[
@@ -748,6 +421,7 @@
     <cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
     <cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by Jetty, but it hasn't been fixed by Hadoop yet-->
   </suppress>
+
   <suppress>
     <!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
     <notes><![CDATA[
@@ -756,14 +430,7 @@
     <vulnerabilityName>prototype pollution</vulnerabilityName>
     <cve>CVE-2020-28458</cve>
   </suppress>
-  <suppress>
-    <notes><![CDATA[
-     file name: ranger-plugins-*-2.0.0.jar
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.ranger/ranger\-plugins\-.*@2.0.0$</packageUrl>
-    <!-- applies to ranger-hive-plugin which afaict we do not use https://nvd.nist.gov/vuln/detail/CVE-2021-40331 -->
-    <cve>CVE-2021-40331</cve>
-  </suppress>
+
 
   <!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 -->
   <suppress>
@@ -775,24 +442,15 @@
     <cve>CVE-2021-4277</cve>
   </suppress>
 
-<!-- the remaining uses of vulnerable okio are in contrib-extensions -->
+  <!-- the remaining uses of vulnerable okio are in contrib-extensions -->
   <suppress>
     <notes><![CDATA[
       file name: okio-1.17.2.jar, okio-1.15.0.jar
     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1..*$</packageUrl>
+    <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
     <cve>CVE-2023-3635</cve>  <!-- Suppressed since okio requests in Druid are internal, and not user-facing -->
   </suppress>
 
-  <suppress>
-    <notes><![CDATA[
-      file name: grpc-context-1.27.2.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-context@1.27.2$</packageUrl>
-    <cve>CVE-2023-4785</cve> <!-- Not applicable to gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2023-4785 -->
-    <cve>CVE-2023-33953</cve> <!-- Not applicable to gRPC Java - https://cloud.google.com/support/bulletins#gcp-2023-022 -->
-  </suppress>
-
   <!-- CVE-2022-4244 is affecting plexus-utils package, plexus-interpolation is wrongly matched - https://github.com/jeremylong/DependencyCheck/issues/5973 -->
   <suppress base="true">
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-interpolation@.*$</packageUrl>
@@ -805,18 +463,6 @@
     <cve>CVE-2023-5072</cve>
   </suppress>
 
-  <!--
-    ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
-    ~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
-    ~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
-    ~ older ZK library is still compatible with.
-    -->
-  <suppress>
-    <notes><![CDATA[
-      file name: zookeeper-3.8.3.jar
-    ]]></notes>
-    <cve>CVE-2023-44981</cve>
-  </suppress>
 
   <!--
    ~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
@@ -828,18 +474,162 @@
     <cve>CVE-2023-4586</cve>
   </suppress>
 
+  <!-- druid cassandra storage exclusions -->
+  <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
+    <notes><![CDATA[
+   file name: libthrift-0.6.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+    <cve>CVE-2016-5397</cve>
+    <cve>CVE-2018-1320</cve>
+    <cve>CVE-2019-0205</cve>
+    <cve>CVE-2015-3254</cve>
+  </suppress>
+  <!-- mostly false positives, need to use dependencies from current decade  -->
+  <suppress>
+    <notes><![CDATA[
+   file name: avro-1.4.0-cassandra-1.jar  cassandra-all-1.0.8.jar
+   ]]></notes>
+    <cve>CVE-2012-6708</cve>
+    <cve>CVE-2015-9251</cve>
+    <cve>CVE-2019-11358</cve>
+    <cve>CVE-2020-11022</cve>
+    <cve>CVE-2020-11023</cve>
+    <cve>CVE-2020-7656</cve>
+    <cve>CVE-2011-4969</cve>
+    <cve>CVE-2020-17516</cve>
+    <cve>CVE-2020-13946</cve>
+  </suppress>
+  <!-- end of druid cassandra storage exclusions -->
+
+
+  <!-- druid-cloudfiles-extensions exclusions -->
   <suppress>
+    <!-- CVEs added for completeness in pretty much dead extension  -->
     <notes><![CDATA[
-      file name: jose4j-0.7.3.jar
+   file name: openstack*-2.5.0.jar
+   ]]></notes>
+    <cve>CVE-2020-12689</cve>
+    <cve>CVE-2020-12691</cve>
+    <cve>CVE-2020-12690</cve>
+    <cve>CVE-2021-3563</cve>
+    <cve>CVE-2016-0738</cve>
+    <cve>CVE-2017-16613</cve>
+  </suppress>
+  <!-- end of druid-cloudfiles-extensions exclusions -->
+
+  <!-- graphite-emitter exclusions -->
+  <suppress>
+    <!-- CVEs added for completeness  -->
+    <notes><![CDATA[
+   file name: amqp-client-5.17.0.jar
+   ]]></notes>
+    <cve>CVE-2023-46120</cve>
+  </suppress>
+  <!-- end of graphite-emitter exclusions -->
+
+  <!-- ambari-metics-emitter exclusions -->
+  <suppress>
+    <!--
+      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+      -->
+    <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
+     ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
+    <cve>CVE-2015-1776</cve>
+    <cve>CVE-2016-3086</cve>
+    <cve>CVE-2016-5393</cve>
+    <cve>CVE-2016-6811</cve>
+    <cve>CVE-2017-3162</cve>
+    <cve>CVE-2018-11768</cve>
+    <cve>CVE-2018-1296</cve>
+    <cve>CVE-2018-8009</cve>
+    <cve>CVE-2018-8029</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    file name: log4j-1.2.17.jar
     ]]></notes>
-    <cve>CVE-2023-31582</cve>
+    <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
+    <cve>CVE-2019-17571</cve>
+    <cve>CVE-2021-4104</cve>
+    <cve>CVE-2020-9493</cve>
+    <cve>CVE-2022-23307</cve>
+    <cve>CVE-2022-23305</cve>
+    <cve>CVE-2022-23302</cve>
+    <cve>CVE-2023-26464</cve>
   </suppress>
 
-  <!--
-  ~ CVE-2022-46337 applies to configurations using authentication for Derby and is not applicable to Druid. Also, Derby isn't a suggested
-  ~ metadata store for production clusters.
-  -->
   <suppress>
-    <cve>CVE-2022-46337</cve>
+    <!--
+      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+      -->
+    <notes><![CDATA[
+    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
+    <cve>CVE-2021-4104</cve>
+    <cve>CVE-2020-9493</cve>
+    <cve>CVE-2022-23307</cve>
+    <cve>CVE-2022-23305</cve>
+    <cve>CVE-2022-23302</cve>
+    <cve>CVE-2022-41881</cve>
+    <cve>CVE-2020-11612</cve>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar
+    ]]></notes>
+    <cve>CVE-2022-45855</cve>
+    <cve>CVE-2022-42009</cve>
+    <!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->
+    <cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop-annotations -->
+    <cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server -->
+    <cve>CVE-2020-9492</cve> <!-- Applicable to webHDFS client -->
+  </suppress>
+  <!-- end of ambari-metics-emitter exclusions -->
+
+  <!-- aliyun-oss exclusions -->
+  <suppress>
+    <!-- Transitive dependency from aliyun-sdk-oss, -->
+    <notes><![CDATA[
+    file name: ini4j-0.5.4.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
+    <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
+    <notes><![CDATA[
+     file name: jdom2-2.0.6.jar
+     ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
+    <cve>CVE-2021-33813</cve>
+  </suppress>
+  <!-- end of aliyun-oss exclusions -->
+
+  <!-- iceberg exclusions -->
+  <suppress>
+    <!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
+    <notes><![CDATA[
+     file name: libfb303-0.9.3.jar libthrift-0.9.3.jar
+     ]]></notes>
+    <cve>CVE-2016-5397</cve>
+    <cve>CVE-2018-1320</cve>
+    <cve>CVE-2019-0210</cve>
+    <cve>CVE-2020-13949</cve>
+    <cve>CVE-2019-0205</cve>
+    <cve>CVE-2019-0210</cve>
+    <cve>CVE-2020-13949</cve>
   </suppress>
-</suppressions>
+</suppressions>
\ No newline at end of file