From 0b573c376ccd74fc72f2c6221185a5d4ad8342a1 Mon Sep 17 00:00:00 2001
From: Stefan Miklosovic
Date: Fri, 6 Feb 2026 13:58:48 +1100
Subject: [PATCH] Cleanup of dependency-check-suppressions.xml, suppressing CVE-2025-67735 patch by Stefan Miklosovic; reviewed by TBD for CASSANDRA-21159
---
 .../owasp/dependency-check-suppressions.xml | 23 +++----------------
 .snyk | 12 ++--------
 2 files changed, 5 insertions(+), 30 deletions(-)
diff --git a/.build/owasp/dependency-check-suppressions.xml b/.build/owasp/dependency-check-suppressions.xml
index 7e05bffecf90..7cdb5a811c69 100644
--- a/.build/owasp/dependency-check-suppressions.xml
+++ b/.build/owasp/dependency-check-suppressions.xml
@@ -34,26 +34,9 @@ CVE-2025-58057 - - + - ^pkg:maven/ch\.qos\.logback/logback\-core@.*$ - CVE-2023-6378 - CVE-2023-6481 - CVE-2024-12798 - CVE-2024-12801 - - - ^pkg:maven/ch\.qos\.logback/logback\-classic@.*$ - CVE-2023-6378 - CVE-2023-6481 - CVE-2024-12798 - CVE-2024-12801 - - - - - ^pkg:maven/org\.apache\.lucene/lucene\-.*@9.7.0$ - CVE-2024-45772 + ^pkg:maven/io\.netty/netty\-.*@.*$ + CVE-2025-67735
diff --git a/.snyk b/.snyk
index 7412b1de025a..b2128a60d59b 100644
--- a/.snyk
+++ b/.snyk
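Review bot: The suppression added at the end of the `dependency-check-suppressions.xml` hunk matches `^pkg:maven/io\.netty/netty\-.*@.*$`, so CVE-2025-67735 stays hidden for every netty artifact at every version, including after an upgrade past the fix or when a new netty module is pulled in. The entry added for the same CVE at the end of `.snyk` uses the same pattern. The removed lucene entry was scoped with `@9.7.0$`, so I would scope this one to the netty version currently shipped in the same way, or add an expiry such as `until="YYYY-MM-DDZ"` on the `<suppress>` element so it comes back up for review. The element markup is not visible in this rendering, so if a `<notes>` block already explains why the CVE does not apply, only the scoping remains; otherwise add one that references CASSANDRA-21159.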
@@ -4,18 +4,8 @@ version: v1.25.0
 ignore:
 CVE-2023-44487:
 - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
- CVE-2023-6378:
- - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
- CVE-2023-6481:
- - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
- CVE-2024-12798:
- - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
- CVE-2024-12801:
- - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
 CVE-2024-29025:
 - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
- CVE-2024-45772:
- - reason: https://issues.apache.org/jira/browse/CASSANDRA-20024 -- ^pkg:maven/org\.apache\.lucene/lucene\-.*@9.7.0$
 CVE-2024-47535:
 - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
 CVE-2025-24970:
@@ -28,3 +18,5 @@ ignore:
 - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
 CVE-2025-58057:
 - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+ CVE-2025-67735:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-21159 -- ^pkg:maven/io\.netty/netty\-.*@.*$