[Security] Owasp dependency check: check if suppressing of vulnerabilities is still reasonable

[hpvd]

Search before asking

• [X] I searched in the issues and found nothing similar.

Motivation

Since https://github.com/apache/pulsar/pull/10855 we are doing dependency scans for vulnerabilities on regular basis. That is really great!

Over time, more and more vulnerabilities are suppressed. This may

• not be necessary anymore if it's about suppressing false positive (since number of false positive are reduced with every new version of check tool)
• may hide some open vulnerabilities even if there is a solution available now

org.apache.pulsar:pulsar-server-distribution:2.11.0-SNAPSHOT: Vulnerabilities Suppressed: 23

org.apache.pulsar:pulsar-offloader-distribution:2.11.0-SNAPSHOT: Vulnerabilities Suppressed: 4

Solution

before every release: check for each suppressed vulnerability if it's still reasonable/necessary to suppress it otherwise we are possibly releasing with security flaws which could easily being solved

before: update check tool to latest version (which typical solves some false positive) 7.11+, the check today uses see 7.10 https://github.com/jeremylong/DependencyCheck/releases

Alternatives

Anything else?

No response

Are you willing to submit a PR?

• [ ] I'm willing to submit a PR!

[github-actions[bot]]

The issue had no activity for 30 days, mark with Stale label.