From 95f270ca1cd350dfbc050ed62efd5380041eeefe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Jun 2025 18:41:00 +0000
Subject: [PATCH 1/2] Bump org.owasp:dependency-check-maven in the plugins
 group

Bumps the plugins group with 1 update: [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck).


Updates `org.owasp:dependency-check-maven` from 12.1.1 to 12.1.2
- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)
- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.1...v12.1.2)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-version: 12.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: plugins
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 392eaa0d15..db933918a9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -57,7 +57,7 @@
     <javadoc.plugin.version>3.11.2</javadoc.plugin.version>
     <license.plugin.version>5.0.0</license.plugin.version>
     <nexus.plugin.version>1.7.0</nexus.plugin.version>
-    <owasp.plugin.version>12.1.1</owasp.plugin.version>
+    <owasp.plugin.version>12.1.2</owasp.plugin.version>
     <projectinfo.plugin.version>3.9.0</projectinfo.plugin.version>
     <pmd.plugin.version>3.26.0</pmd.plugin.version>
     <site.plugin.version>3.21.0</site.plugin.version>

From 366b0112ed9589b5f3050e7c99a2bb3089fa5dca Mon Sep 17 00:00:00 2001
From: Aaron Coburn <aaronc@inrupt.com>
Date: Mon, 9 Jun 2025 14:14:26 -0500
Subject: [PATCH 2/2] Adjust OWASP suppression list

---
 build-tools/owasp/suppressions.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/build-tools/owasp/suppressions.xml b/build-tools/owasp/suppressions.xml
index 3c6fe8095d..cee3ddc4dc 100644
--- a/build-tools/owasp/suppressions.xml
+++ b/build-tools/owasp/suppressions.xml
@@ -8,6 +8,27 @@
     <packageUrl regex="true">^pkg:maven/com\.inrupt\.client/inrupt\-client\-openid@.*$</packageUrl>
     <cpe>cpe:/a:openid:openid</cpe>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+        This suppresses a false positive CPE match
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.roaringbitmap/RoaringBitmap@.*$</packageUrl>
+    <cpe>cpe:/a:bitmap_project:bitmap</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+        The json-java artifact is not a dependency of this project.
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/(com\.inrupt\.client/inrupt\-client\-jsonb|com\.github\.jsonld\-java/jsonld\-java|net\.javacrumbs\.json\-unit/json\-unit\-core)@.*$</packageUrl>
+    <cve>CVE-2023-5072</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+        The json-java artifact is not a dependency of this project.
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/(com\.inrupt\.client/inrupt\-client\-jsonb|com\.github\.jsonld\-java/jsonld\-java|net\.javacrumbs\.json\-unit/json\-unit\-core)@.*$</packageUrl>
+    <cve>CVE-2022-45688</cve>
+  </suppress>
 
   <!-- Suppressed vulnerabilities. These need monthly review. -->
   <suppress until="2025-08-10Z">