From ab61510c0364750b15f288d888dede8be414eb77 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Thu, 6 Feb 2025 12:22:19 -0800
Subject: [PATCH 1/2] Suppress false positive OWASP violation
---
 buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts | 1 +
 buildscripts/dependency-check-suppressions.xml | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 buildscripts/dependency-check-suppressions.xml
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 8e7211d0a..e65c69538 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -192,6 +192,7 @@ afterEvaluate {
 dependencyCheck {
 scanConfigurations = mutableListOf("runtimeClasspath")
+ suppressionFile = "buildscripts/dependency-check-suppressions.xml"
 failBuildOnCVSS = 7.0f // fail on high or critical CVE
 nvd.apiKey = System.getenv("NVD_API_KEY")
 nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
new file mode 100644
index 000000000..8713cc968
--- /dev/null
+++ b/buildscripts/dependency-check-suppressions.xml
@@ -0,0 +1,8 @@
+ + + + ^pkg:maven/com\.squareup\.wire/wire-runtime-jvm@.*$ + cpe:/a:wire:wire + +
From 3b25c048f4c13883d98e54b245acd1216a68dad2 Mon Sep 17 00:00:00 2001
From: fossabot
Date: Wed, 12 Feb 2025 17:36:18 -0500
Subject: [PATCH 2/2] Add license scan report and status
Signed off by: fossabot
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 74635c22f..19d53409e 100644
--- a/README.md
+++ b/README.md
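Review bot: The `suppressionFile` added here is a bare relative path, but this `dependencyCheck {}` block sits in a conventions plugin that is applied per subproject, so which directory the path is resolved against depends on the plugin's handling and the working directory rather than being pinned to the repository root; if the file is not found, the scan presumably either fails or runs without the suppression. Anchoring it explicitly removes that ambiguity: `suppressionFile = rootProject.file("buildscripts/dependency-check-suppressions.xml").absolutePath`. A one-line comment next to it would also help reviewers, e.g. `// every entry in this file hides findings from failBuildOnCVSS; review additions like code`. The enclosing `afterEvaluate { dependencyCheck { ... } }` block closes outside the hunk.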
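Review bot: The new `<suppress>` entry matches `cpe:/a:wire:wire` for every version of `wire-runtime-jvm` (`@.*$`) with no expiry, so any CVE published under that CPE in the future is also hidden from the CVSS gate, not just the current false positive. The XML tags in this hunk were stripped by the rendering, so I cannot see whether a `<notes>` element is present; if it is not, the reason the CPE does not apply to `com.squareup.wire` should be recorded inline, e.g. `<notes><REASON-THE-CPE-DOES-NOT-APPLY placeholder></notes>`, so a later reader can tell a name collision from a masked finding. If the match is a genuine product-name collision a permanent suppression is reasonable; otherwise an `until="YYYY-MM-DDZ"` attribute on `<suppress>` forces a re-review when the date passes.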
@@ -2,6 +2,7 @@
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-telemetry/opentelemetry-java-contrib/badge)](https://scorecard.dev/viewer/?uri=github.com/open-telemetry/opentelemetry-java-contrib)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9992/badge)](https://www.bestpractices.dev/projects/9992)
 [![Slack](https://img.shields.io/badge/slack-@cncf/otel--java-blue.svg?logo=slack)](https://cloud-native.slack.com/archives/C014L2KCTE3)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Ftrask%2Fopentelemetry-java-contrib.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Ftrask%2Fopentelemetry-java-contrib?ref=badge_shield)
 # OpenTelemetry Java Contrib
@@ -99,3 +100,7 @@ Thanks to all the people who already contributed!
+
+
+## License
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Ftrask%2Fopentelemetry-java-contrib.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Ftrask%2Fopentelemetry-java-contrib?ref=badge_large)
\ No newline at end of file