From b226da85ea9e92a38e652e9dd661e7b4b3d89a9f Mon Sep 17 00:00:00 2001
From: Christian Lohmann <der.chris@zalando.de>
Date: Sat, 25 Feb 2023 15:46:34 +0100
Subject: [PATCH 1/2]  * added coverage profile to reactor pom  * using profile
 while processing coverage data with coveralls

---
 .github/workflows/build.yaml |  2 +-
 pom.xml                      | 35 +++++++++++++++++++----------------
 2 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3c0f3d50f..d13b66902 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -43,4 +43,4 @@ jobs:
       run: ./mvnw verify -P "${{ matrix.profile }}" -B
     - name: Coverage
       if: github.event_name != 'pull_request'
-      run: ./mvnw coveralls:report -B -D repoToken=${{ secrets.COVERALLS_TOKEN }}
+      run: ./mvnw -P coverage coveralls:report -B -D repoToken=${{ secrets.COVERALLS_TOKEN }}
diff --git a/pom.xml b/pom.xml
index af509281e..842797cc6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,22 +107,25 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>coverage</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.eluder.coveralls</groupId>
+                        <artifactId>coveralls-maven-plugin</artifactId>
+                        <version>4.3.0</version>
+                        <dependencies>
+                            <dependency>
+                                <groupId>javax.xml.bind</groupId>
+                                <artifactId>jaxb-api</artifactId>
+                                <version>2.3.1</version>
+                            </dependency>
+                        </dependencies>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.eluder.coveralls</groupId>
-                <artifactId>coveralls-maven-plugin</artifactId>
-                <version>4.3.0</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>javax.xml.bind</groupId>
-                        <artifactId>jaxb-api</artifactId>
-                        <version>2.3.1</version>
-                    </dependency>
-                </dependencies>
-            </plugin>
-        </plugins>
-    </build>
 </project>

From c8665a0b205a6a98fc5f6134b370d68647003a91 Mon Sep 17 00:00:00 2001
From: Christian Lohmann <der.chris@zalando.de>
Date: Sun, 26 Feb 2023 14:43:44 +0100
Subject: [PATCH 2/2] suppressing CVE-2022-45688 as there are no bugfixes ready
 yet to mitigate

---
 cve-suppressions.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cve-suppressions.xml b/cve-suppressions.xml
index 664b9232b..1b8c30030 100644
--- a/cve-suppressions.xml
+++ b/cve-suppressions.xml
@@ -10,6 +10,8 @@
             <cve>CVE-2021-0341</cve>
             <!-- ktor requires a major upgrade. Suppressing until then -->
             <cve>CVE-2021-4277</cve>
+            <!-- so far jackson-core and json-path don't have bugfix releases yet for that cve -->
+            <cve>CVE-2022-45688</cve>
         </suppress>
 
 </suppressions>