helidon-io · barchetta · Oct 8, 2024 · Oct 8, 2024 · Oct 8, 2024
diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml
@@ -2,6 +2,21 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 <!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
 
+<!-- False Positive
+     This CVE is against the GlassFish application server, but is mistakenly being
+     identified in various org.glassfish artifacts
+https://github.com/jeremylong/DependencyCheck/issues/7021
+https://github.com/jeremylong/DependencyCheck/issues/7020
+https://github.com/jeremylong/DependencyCheck/issues/7019
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.el-4.0.2.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish.*/(jakarta\.el|jakarta\.json|jaxb-core|jaxb-runtime|osgi-resource-locator|txw2)@.*$</packageUrl>
+   <cve>CVE-2024-9329</cve>
+</suppress>
+
 <!--
     This CVE is against DOMPurify brought in by javascript in the smallrye UI component.
     In 4.x we made this component "provided". We can't do that in 2.x and 3.x due to compatiblity concerns.

diff --git a/pom.xml b/pom.xml
@@ -119,7 +119,7 @@
         <version.plugin.source>3.3.0</version.plugin.source>
         <version.plugin.spotbugs>4.4.2.2</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.11.0</version.plugin.findsecbugs>
-        <version.plugin.dependency-check>10.0.2</version.plugin.dependency-check>
+        <version.plugin.dependency-check>10.0.4</version.plugin.dependency-check>
         <version.plugin.surefire>3.0.0</version.plugin.surefire>
         <version.plugin.toolchains>1.1</version.plugin.toolchains>
         <version.plugin.version-plugin>2.3</version.plugin.version-plugin>