diff --git a/.github/workflows/maven-security.yml b/.github/workflows/maven-security.yml
index 9bb5e6ab..832dc2e0 100644
--- a/.github/workflows/maven-security.yml
+++ b/.github/workflows/maven-security.yml
@@ -26,7 +26,7 @@ jobs:
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
 - name: Scan with OWASP
- run: mvn -B -Powasp compile dependency-check:check -pl '!report'
+ run: mvn -B -Powasp compile dependency-check:check -pl '!report,!xoai-data-provider-tck'
 - name: Upload scan results as SARIF report to GitHub Security Tab
 uses: github/codeql-action/upload-sarif@v2
 if: always() # do not skip this step if OWASP fails the mvn build
diff --git a/owaspSuppression.xml b/owaspSuppression.xml
index fbf9371b..c968ce79 100644
--- a/owaspSuppression.xml
+++ b/owaspSuppression.xml
@@ -1,3 +1,14 @@
+
+
+
+
+ pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1
+ CVE-2022-40152
+
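Review bot: The new `-pl '!report,!xoai-data-provider-tck'` in the "Scan with OWASP" step removes a whole module's dependency tree from the vulnerability scan without saying why, so a reader of the workflow cannot tell whether the module is test-only, not shipped, or simply noisy. A comment on the step should record the reason and who owns revisiting it, e.g. `# xoai-data-provider-tck is excluded from dependency-check because <REASON — fill in>; revisit if the module starts shipping artifacts`. Note also that `-pl` excludes the module from `compile` as well as from `dependency-check:check`, so the exclusion should presumably be removed or replaced by a per-module `dependency-check` skip property if the module's dependencies ever reach production. The enclosing `steps:` list continues outside the hunk.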
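Review bot: The added suppression for `CVE-2022-40152` on `pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1` carries no visible justification; the rendering has stripped the XML tags (the header counts 14 added lines but only a few survive), so if a `<notes>` element exists it does not show here and should be confirmed. A suppression that lacks a rationale becomes permanent: the `<suppress>` entry should explain why the match is considered a false positive for this artifact (for instance, if the CVE is reported against a different artifact in the same group and dependency-check matched on the groupId) and should carry an expiry, e.g. `<suppress until="<YYYY-MM-DD>Z">` with `<notes>CVE-2022-40152: <REASON — fill in>; re-evaluate on upgrade</notes>`. Pinning the packageUrl to `@4.2.1` is good, since a version bump will resurface the finding rather than silently inheriting the suppression.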