From d547eccd2bd5131f2e9457528386f9418074bea0 Mon Sep 17 00:00:00 2001
From: Susan Hert <susanh@labkey.com>
Date: Wed, 22 Apr 2026 14:48:42 -0700
Subject: [PATCH] Suppress CVEs for PDFbox that does not affect us (#1349)

---
 dependencyCheckSuppression.xml | 45 ++++++++++++++++++++++++++++------
 gradle.properties              |  2 +-
 2 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index d610e97a2b..7a3b3b8e8c 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -229,32 +229,60 @@
     -->
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-3.0.4.jar
-       ]]></notes>
+   file name: pdfbox-3.0.7.jar
+   ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-debugger-3.0.4.jar
-       ]]></notes>
+   file name: pdfbox-debugger-3.0.7.jar
+   ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-io-3.0.4.jar
-       ]]></notes>
+   file name: pdfbox-io-3.0.7.jar
+   ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-tools-3.0.4.jar
-       ]]></notes>
+   file name: pdfbox-tools-3.0.7.jar
+   ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: pdfbox-3.0.7.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
+        <cve>CVE-2026-33929</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: pdfbox-debugger-3.0.7.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
+        <cve>CVE-2026-33929</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: pdfbox-io-3.0.7.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
+        <cve>CVE-2026-33929</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: pdfbox-tools-3.0.7.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
+        <cve>CVE-2026-33929</cve>
+    </suppress>
 
     <!--
     False-positives
@@ -275,4 +303,5 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
         <cpe>cpe:/a:vmware:vmware_server</cpe>
     </suppress>
+
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index fbc8e3d822..4c59a7fa57 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -264,7 +264,7 @@ opencsvVersion=2.3
 openTracingVersion=0.33.0
 
 # sync with version Tika ships
-pdfboxVersion=3.0.4
+pdfboxVersion=3.0.7
 
 # sync with version Tika ships
 poiVersion=5.4.0