cleanup already resolved CVEs

[janjwerner-confluent]

Description

Remove the crud from the dependency-check suppression file

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[abhishekagarwal87]

In this PR, we had removed the dependency check on contrib extensions. Can you run the check manually to ensure that you are not removing genuine suppressions for contrib extensions?

[abhishekagarwal87]

left some comments. thanks for cleaning this up.

[abhishekagarwal87]

The justification is lost during refactoring

[janjwerner-confluent]

Added a bit of context.

[abhishekagarwal87]

can you add justifications for the suppressions?

[janjwerner-confluent]

Added a bit of context.

[janjwerner-confluent]

In this PR, we had removed the dependency check on contrib extensions. Can you run the check manually to ensure that you are not removing genuine suppressions for contrib extensions?

@abhishekagarwal87
Which PR do you refer to?

In this PR, we had removed the dependency check on contrib extensions. Can you run the check manually to ensure that you are not removing genuine suppressions for contrib extensions?

It seems I have removed suppressions for some of the contrib extensions, however as I started re-adding them, there is even more issues in them (re-enabled scans for all the contrib repos and oh my!)
How would you like to proceed given that those extensions are not scanned anyways?

[abhishekagarwal87]

oops. I missed to post the link - #15026

[abhishekagarwal87]

I was initially thinking that we keep the old suppressions anyway but it's probably better to get rid of those if we are not doing a scan anyway.

[janjwerner-confluent]

I'm almost done adding suppressions for the remaining modules - there are plenty missing from pre-pruning. I have not added reasoning to those.
Just checked the other PR and the discussion - are there criteria of removing an extension from Druid contrib? there are some pieces of code that were not touched for ~ 5 years.

[abhishekagarwal87]

To remove an extension that is not being maintained, you can start a thread on dev@druid.apache.org. If there is consensus, we can remove the extension.

[abhishekagarwal87]

I think they are because of hadoop-shaded-guava which has a version of 1.1.1

[janjwerner-confluent]

do we need additional justification for those?

[janjwerner-confluent]

the last run seems to be mis-reporting for a spurious failure in the run, end result is OK