From 8587f9749dd2482441ba5f6763ee99e8b12c58b2 Mon Sep 17 00:00:00 2001 From: Chris Bono Date: Thu, 23 Jan 2025 19:13:00 -0600 Subject: [PATCH 1/2] Update ivy version to 2.5.2 Updates `org.apache.ivy:ivy` to version 2.5.2 to fix CVE-2022-46751 --- applications/processor/groovy-processor/pom.xml | 4 ---- applications/processor/script-processor/pom.xml | 1 - 2 files changed, 5 deletions(-) diff --git a/applications/processor/groovy-processor/pom.xml b/applications/processor/groovy-processor/pom.xml index 34e0244b..2f90ecaa 100644 --- a/applications/processor/groovy-processor/pom.xml +++ b/applications/processor/groovy-processor/pom.xml @@ -14,10 +14,6 @@ ../../stream-applications-core/pom.xml - - 2.5.1 - - diff --git a/applications/processor/script-processor/pom.xml b/applications/processor/script-processor/pom.xml index d3ca5554..afb3a2a8 100644 --- a/applications/processor/script-processor/pom.xml +++ b/applications/processor/script-processor/pom.xml @@ -17,7 +17,6 @@ 9.3.9.0 2.7.3 - 2.5.1 22.3.0 From a2898354a2c7eeae90bef1ee9b0468d9ff9460cb Mon Sep 17 00:00:00 2001 From: Chris Bono Date: Thu, 23 Jan 2025 19:14:05 -0600 Subject: [PATCH 2/2] Add gRPC CVEs to trivyignore Adds 2 CVEs due to `debezium-supplier` transitive dependencies. --- .github/workflows/common.yml | 1 + .trivyignore | 17 ++++++++++++++++- scan-jar.sh | 1 - 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml index 91ad9c85..953bcc4b 100644 --- a/.github/workflows/common.yml +++ b/.github/workflows/common.yml @@ -56,6 +56,7 @@ jobs: ignore-unfixed: true severity: 'CRITICAL,HIGH' exit-code: 1 + trivyignores: .trivyignore - name: 'Scanned' shell: bash run: echo "::info ::Scanned" diff --git a/.trivyignore b/.trivyignore index 0016a0bc..7934daf1 100644 --- a/.trivyignore +++ b/.trivyignore 
@@ -1,2 +1,17 @@
+################################
+## From debezium-supplier
+################################
+CVE-2023-1428
+CVE-2023-32731
+
+################################
+# Snakeyaml 1.3.3
+# SCDF usage has been mitigated.
+################################
 CVE-2022-1471
-CVE-2016-1000027
\ No newline at end of file
+
+################################
+# Spring Web 5.3.x
+# SCDF not affected.
+################################
+CVE-2016-1000027
diff --git a/scan-jar.sh b/scan-jar.sh
index 284f04a1..481ea84c 100755
--- a/scan-jar.sh
+++ b/scan-jar.sh
@@ -4,7 +4,6 @@ SCDIR=$(realpath $SCDIR)
 if [[ "$1" != *"-sources.jar" ]] && [[ "$1" != *"-javadoc.jar" ]]; then
 if [ "$TRIVY_UPLOAD" == "true" ]; then
 echo "Scanning:$1"
-echo "trivy rootfs --format sarif -o \"$1.sarif\" \"$1\""
 trivy rootfs --exit-code 1 --format sarif -o "$1.sarif" "$1"
 if [ -f "$1.sarif" ]; then
 if [ -f $SCDIR/runs.sarif ]; then
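Review bot: The two new gRPC suppressions at the top of the hunk (CVE-2023-1428, CVE-2023-32731) state only where they come from, not why the findings are acceptable, unlike the Snakeyaml and Spring Web sections that each record a mitigation or non-applicability; since the workflow step in common.yml now points at this file, the suppression applies to whatever that step scans, not just debezium-supplier. Trivy's ignore file accepts an expiry suffix on an entry, so writing `CVE-2023-1428 exp:<review-date>` (same for CVE-2023-32731) keeps the exception from silently outliving the transitive dependency. A header in the same register as the others would be `# gRPC, transitive via debezium-supplier: <why not reachable here>; revisit when debezium bumps grpc`, and the `## From` prefix should match the single `#` used by the other sections. The `Snakeyaml 1.3.3` heading looks like a typo for 1.33 — worth confirming against the resolved artifact version.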