Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438) Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.

commit: 73711a456a03410e942a3464be01a1dea16f0200 [log] [tgz]
author: zachjsh <zachjsh@gmail.com> Mon Jul 12 22:58:06 2021 -0400
committer: GitHub <noreply@github.com> Mon Jul 12 22:58:06 2021 -0400
tree: 90da589ba2963ae15fe97c0fd5496ee77e818306
parent: 05d5dd9289c03c62bab8f5a8caf80804382e4829 [diff]
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 777fa9a..a5a5bda 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml

@@ -57,6 +57,19 @@
     <cve>CVE-2020-12690</cve>
     <cve>CVE-2020-12691</cve>
   </suppress>
+  <suppress>
+    <!--
+      ~ CVE-2021-27568:
+      ~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid
+      ~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion
+      ~ jobs which can only be run by admin type users.
+      -->
+    <notes><![CDATA[
+   file name: json-smart-2.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
+    <cve>CVE-2021-27568</cve>
+  </suppress>
 
 
   <suppress>
commit	73711a456a03410e942a3464be01a1dea16f0200	[log] [tgz]
author	zachjsh <zachjsh@gmail.com>	Mon Jul 12 22:58:06 2021 -0400
committer	GitHub <noreply@github.com>	Mon Jul 12 22:58:06 2021 -0400
tree	90da589ba2963ae15fe97c0fd5496ee77e818306
parent	05d5dd9289c03c62bab8f5a8caf80804382e4829 [diff]