From 363316b73c27138aef2c32a86e7aad482eebc839 Mon Sep 17 00:00:00 2001 From: mbiuki Date: Wed, 15 Apr 2026 16:26:27 -0400 Subject: [PATCH 1/3] fix: wire up owasp-suppressions.xml to the dependency-check Maven plugin Fixes #35339 parent/pom.xml referenced dependency-check-suppressions.xml which has never existed, causing the security-check profile to run with zero suppressions since Feb 2024 (commit 62e8d60061 / PR #27461). The actual suppression file is owasp-suppressions.xml at the repo root (21 documented false-positive suppressions for Elasticsearch client JARs). Correcting the filename so the plugin loads them. Co-Authored-By: Claude Sonnet 4.6 --- parent/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/pom.xml b/parent/pom.xml index e845c17bd8cc..7f1845d32fa2 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -1924,7 +1924,7 @@ 0 - dependency-check-suppressions.xml + owasp-suppressions.xml true From e7a4128ff69782a4f0f573e6a1f516a5be6010b2 Mon Sep 17 00:00:00 2001 From: mbiuki Date: Wed, 15 Apr 2026 16:37:29 -0400 Subject: [PATCH 2/3] =?UTF-8?q?fix:=20correct=20path=20to=20owasp-suppress?= =?UTF-8?q?ions.xml=20=E2=80=94=20use=20absolute=20path=20from=20parent/po?= =?UTF-8?q?m.xml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The suppression file lives at the repo root, but parent/pom.xml is one level deeper in parent/. A bare filename resolves relative to the module basedir (parent/), so the correct path is \${project.basedir}/../owasp-suppressions.xml. Co-Authored-By: Claude Sonnet 4.6 --- parent/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/pom.xml b/parent/pom.xml index 7f1845d32fa2..709ab2f4dc67 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -1924,7 +1924,7 @@ 0 - owasp-suppressions.xml + ${project.basedir}/../owasp-suppressions.xml true From dcaefb756a88887b45c59cb8e8dd528268f7eb70 Mon Sep 17 00:00:00 2001 
From: mbiuki Date: Wed, 15 Apr 2026 16:38:15 -0400 Subject: [PATCH 3/3] fix: move owasp-suppressions.xml into parent/ alongside its pom.xml Co-located the suppression file with the pom that references it and updated the path to \${project.basedir}/owasp-suppressions.xml so it resolves cleanly without directory traversal. Co-Authored-By: Claude Sonnet 4.6 --- owasp-suppressions.xml => parent/owasp-suppressions.xml | 0 parent/pom.xml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename owasp-suppressions.xml => parent/owasp-suppressions.xml (100%) diff --git a/owasp-suppressions.xml b/parent/owasp-suppressions.xml similarity index 100% rename from owasp-suppressions.xml rename to parent/owasp-suppressions.xml diff --git a/parent/pom.xml b/parent/pom.xml index 709ab2f4dc67..e8128bf913a8 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -1924,7 +1924,7 @@ 0 - ${project.basedir}/../owasp-suppressions.xml + ${project.basedir}/owasp-suppressions.xml true
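Review bot: (on the parent/pom.xml hunk in PATCH 1/3) a bare `owasp-suppressions.xml` resolves against the basedir of whichever module interpolates the plugin configuration, so from parent/pom.xml (and from any child that inherits this plugin block) the file at the repository root will still not be found; the series itself corrects this in 2/3, so 1/3 as a standalone commit leaves the profile in the same zero-suppressions state it is meant to fix. Since the commit message says the 21 suppressions have been dead since Feb 2024, please also re-validate each entry before they take effect again (the Elasticsearch client versions they were written for may have moved on), and confirm what the dependency-check plugin does when the configured suppression file does not exist: if it only warns, that is how this regression stayed unnoticed, and a failing check on a missing file would be worth adding.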
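Review bot: (on the parent/pom.xml hunk in PATCH 2/3) the subject says "use absolute path", but `${project.basedir}/../owasp-suppressions.xml` is not absolute; `${project.basedir}` is interpolated per module, so a child pom that inherits this plugin configuration from parent/pom.xml resolves it to the child's own directory and `..` then points one level above that child rather than at the repository root. If the plugin is only ever executed for the parent module this works; if it is inherited by modules living elsewhere in the tree, prefer `${maven.multiModuleProjectDirectory}/owasp-suppressions.xml` (available in Maven 3.3.1 and later) or `${session.executionRootDirectory}`, which resolve to the same directory from every module. Either way, please reword the subject so it does not claim the path is absolute.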
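Review bot: (on the parent/pom.xml hunk in PATCH 3/3) moving the file next to parent/pom.xml and using `${project.basedir}/owasp-suppressions.xml` has the same inheritance caveat as 2/3: `${project.basedir}` is the directory of the module being built, so a child module that inherits this configuration will look for `<child>/owasp-suppressions.xml`, not `parent/owasp-suppressions.xml`. The rename is recorded at 100% similarity, so the suppression contents are unchanged, but the file's location was previously documented as the repository root (see the 1/3 commit message), so any CI script, README or contributor guidance that references the old path needs updating in this same change. The "without directory traversal" wording in the message overstates the issue; the `..` in 2/3 was a resolution concern, not a security one, so either drop that phrase or state the actual motivation (co-location with the pom that references it).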