Problem Statement
The `security-check` Maven profile in `parent/pom.xml` references a suppression file that has never existed:
```xml
dependency-check-suppressions.xml
```
The file `dependency-check-suppressions.xml` does not exist anywhere in the repository.
The actual suppression file is `owasp-suppressions.xml` (at the repo root), which contains 21 active CVE suppressions — all documented false positives for Elasticsearch client JARs. It has never been wired up to the Maven plugin.
Impact
When the `security-check` profile runs (`mvn dependency-check:check -P security-check`), the plugin starts with zero suppressions. All 21 suppressed CVEs (Elasticsearch server-side false positives) are treated as live findings, causing either:
- False-positive build failures, or
- Noisy security reports that require manual triage every time.
Root Cause
The filename mismatch was introduced in commit `62e8d60061` (PR #27461, Feb 2024). The suppression file was named `owasp-suppressions.xml` but the pom reference was written as `dependency-check-suppressions.xml`.
Expected Behavior
The plugin should load `owasp-suppressions.xml` and correctly suppress the 21 documented false positives.
Fix
One-line change in `parent/pom.xml`:
```xml
<!-- before: references a file that does not exist -->
dependency-check-suppressions.xml
<!-- after: the suppression file that actually exists at the repo root -->
owasp-suppressions.xml
```
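A small guard for this class of bug, added here as an example (not dotCMS code): it reads the `<suppressionFile>` entries dependency-check-maven accepts, resolves them relative to the pom, and reports any that do not exist, so a CI step can fail before the scan silently runs with zero suppressions. The sample pom and the `/repo` paths are constructed for illustration.

```python
"""Check that every dependency-check suppression file referenced in a pom exists on disk."""
import os
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom: a security-check profile whose suppression file
# reference points at a file that is not in the repository.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <profiles>
    <profile>
      <id>security-check</id>
      <build><plugins><plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <suppressionFiles>
            <suppressionFile>${project.basedir}/../dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
      </plugin></plugins></build>
    </profile>
  </profiles>
</project>"""


def referenced_suppression_files(pom_xml: str) -> list:
    """Return the raw <suppressionFile> values found anywhere in the pom."""
    root = ET.fromstring(pom_xml)
    return [el.text.strip() for el in root.iter(f"{{{POM_NS}}}suppressionFile") if el.text]


def missing_suppression_files(pom_xml: str, pom_dir: str, exists=os.path.isfile) -> list:
    """Resolve each reference against the pom's directory (substituting
    ${project.basedir}) and return the normalised paths that do not exist.
    `exists` is injectable so the check can be unit-tested without a real tree."""
    missing = []
    for ref in referenced_suppression_files(pom_xml):
        path = ref.replace("${project.basedir}", pom_dir)
        path = os.path.normpath(os.path.join(pom_dir, path))
        if not exists(path):
            missing.append(path)
    return missing


if __name__ == "__main__":
    # Real use: point at the actual pom, e.g. parent/pom.xml, and fail the build on any hit.
    with open(os.path.join("parent", "pom.xml"), encoding="utf-8") as fh:
        problems = missing_suppression_files(fh.read(), os.path.abspath("parent"))
    raise SystemExit(1 if problems else 0)
```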
dotCMS Version
main (confirmed present since Feb 2024)
Severity
Medium — security scan produces false positives / incorrect results