From 5cdcd59fcd4cf12cb39e69d5e3ad274138bc7bf2 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Thu, 6 Feb 2025 19:19:00 -0800
Subject: [PATCH] Suppress false positive OWASP violation (#1705)

---
 .../main/kotlin/otel.java-conventions.gradle.kts | 1 +
 buildscripts/dependency-check-suppressions.xml | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 buildscripts/dependency-check-suppressions.xml

diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 8e7211d0..e65c6953 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -192,6 +192,7 @@
 afterEvaluate {
 dependencyCheck {
 scanConfigurations = mutableListOf("runtimeClasspath")
+ suppressionFile = "buildscripts/dependency-check-suppressions.xml"
 failBuildOnCVSS = 7.0f // fail on high or critical CVE
 nvd.apiKey = System.getenv("NVD_API_KEY")
 nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
new file mode 100644
index 00000000..a808ebe9
--- /dev/null
+++ b/buildscripts/dependency-check-suppressions.xml
@@ -0,0 +1,13 @@
+
+
+
+ ^pkg:maven/com\.squareup\.wire/wire-runtime-jvm@.*$
+ cpe:/a:wire:wire
+
+
+
+ ^pkg:maven/io\.opentelemetry/opentelemetry-exporter-prometheus@.*$
+ cpe:/a:prometheus:prometheus
+
+
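Review bot: `suppressionFile = "buildscripts/dependency-check-suppressions.xml"` is a bare relative path set from a convention plugin that, judging by its location under buildSrc, is applied to every subproject; if the plugin resolves the string against the applying project's directory or the daemon's working directory rather than the root project, subprojects would either fail to load the file or scan without the suppressions, so this is worth confirming against the plugin's resolution rules. Anchoring it explicitly, `suppressionFile = rootProject.file("buildscripts/dependency-check-suppressions.xml").path`, removes that dependence. A short comment beside the line would also help the next maintainer, e.g. `// CPE false positives; re-check entries whenever the suppressed artifacts are bumped`. The enclosing afterEvaluate/dependencyCheck blocks close outside the hunk.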
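Review bot: Both suppress entries end the packageUrl regex with `@.*$`, so the CPE match is silenced for every past and future version of wire-runtime-jvm and opentelemetry-exporter-prometheus rather than the versions that produced the false positive, and should the CPE ever become an accurate identification of one of these artifacts a real advisory would no longer fail the build. Dependency-check's suppression schema supports an `until="YYYY-MM-DD"` attribute on each `suppress` element, which makes the entry expire and forces a re-review; adding it here keeps the suppression list from aging silently. The extraction has stripped the XML markup, so I cannot tell whether each entry carries a `notes` element; if not, a one-line note per entry stating why the matched CPE does not describe the artifact gives a future reviewer the evidence needed to keep or drop the suppression.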