Suppress CVE-2025-49128 for jackson-core shaded in hadoop-client-runtime

owasp-dependency-check-suppressions.xml

@@ -142,7 +142,8 @@
     <cve>CVE-2024-47561</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
     <cve>CVE-2024-29131</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk v2 dependency work to finish -->
     <cve>CVE-2024-22201</cve> <!--  This seems to be a legitimate vulnerability. We would need to go to a hadoop-client which was not yet released  -->
-    <cve>CVE-2025-52999</cve> <!--  This is vulneraability in all versions of hadoop-client-runtime and has not been fixed by hadoop yet -->
+    <cve>CVE-2025-52999</cve> <!--  This is vulnerability in all versions of hadoop-client-runtime and has not been fixed by hadoop yet -->
+    <cve>CVE-2025-49128</cve> <!--  jackson-core is shaded inside hadoop-client-runtime at an older version; Druid's standalone jackson-core is 2.19.2 which is not affected. No fix available in hadoop-client 3.3.x yet -->
     <cve>CVE-2024-9823</cve> <!-- This is in hadoop's shadded jetty. no version of hadoop has updated to fixed version. It is a jetty server vuln, which should not be exploitable in hadoop client code -->
     <cve>CVE-2025-27821</cve> <!-- native hdfs vulnerability -->
     <cve>CVE-2025-5115</cve> <!-- netty issue in shaded hadoop -->