Updating dependency with owasp check

This commit is contained in:
Martin Stockhammer 2020-07-01 22:27:51 +02:00
parent 509aad470c
commit f1ff872d43
10 changed files with 255 additions and 21 deletions

View File

@ -171,9 +171,6 @@
<systemProperty>archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties</systemProperty>
<systemProperty>org.apache.jackrabbit.core.state.validatehierarchy=true</systemProperty>
</systemProperties>
<extraArguments>
<extraArgument>-XX:MaxPermSize=128m</extraArgument>
</extraArguments>
<initialMemorySize>512</initialMemorySize>
<maxMemorySize>512</maxMemorySize>
</jvmSettings>
@ -253,6 +250,8 @@
<finalName>apache-archiva-${project.version}</finalName>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<plugins>

View File

@ -131,10 +131,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<reuseForks>false</reuseForks>
<!--
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
-->
<argLine>-Xms512m -Xmx1024m -server -XX:MaxPermSize=256m</argLine>
<argLine>-Xms512m -Xmx1024m -server</argLine>
<systemPropertyVariables>
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
<plexus.home>${project.build.directory}/appserver-base</plexus.home>

View File

@ -564,10 +564,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<reuseForks>false</reuseForks>
<!--
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
-->
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m</argLine>
<argLine>-Xms1024m -Xmx2048m -server</argLine>
<systemPropertyVariables>
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
<plexus.home>${project.build.directory}/appserver-base</plexus.home>

View File

@ -554,6 +554,7 @@
<exclude>src/test/repositories/test-repo/**</exclude>
<exclude>src/main/resources/META-INF/services/*</exclude>
<exclude>src/main/resources/META-INF/cxf/*</exclude>
<exclude>src/main/resources/META-INF/owasp/cve-suppressions.xml</exclude>
</excludes>
</configuration>
</plugin>
@ -828,6 +829,24 @@
</configuration>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<failBuildOnCVSS>8</failBuildOnCVSS>
<suppressionFile>${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml</suppressionFile>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>

View File

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2020-09-01Z">
<notes><![CDATA[
file name: jackson-mapper-asl-1.9.2.jar is a dependency of cassandra - Waiting for update of cassandra
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
<cpe>cpe:/a:fasterxml:jackson</cpe>
<vulnerabilityName>CVE-2017-15095</vulnerabilityName>
<vulnerabilityName>CVE-2017-7525</vulnerabilityName>
<vulnerabilityName>CVE-2017-17485</vulnerabilityName>
<vulnerabilityName>CVE-2018-5968</vulnerabilityName>
<vulnerabilityName>CVE-2018-14718</vulnerabilityName>
<vulnerabilityName>CVE-2018-7489</vulnerabilityName>
<vulnerabilityName>CVE-2018-1000873</vulnerabilityName>
<vulnerabilityName>CVE-2019-14540</vulnerabilityName>
<vulnerabilityName>CVE-2019-14893</vulnerabilityName>
<vulnerabilityName>CVE-2019-16335</vulnerabilityName>
<vulnerabilityName>CVE-2019-17267</vulnerabilityName>
<vulnerabilityName>CVE-2020-10672</vulnerabilityName>
<vulnerabilityName>CVE-2020-10673</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
False positive for oak-jcr packages
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>
<suppress>
<notes><![CDATA[
False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
Updated netty to higher version
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
Updated netty to higher version
]]></notes>
<packageUrl regex="true">^.*oak-segment-tar.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: oak-segment-tar-1.30.0.jar: netty-codec-4.1.14.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>
</suppressions>

View File

@ -31,7 +31,7 @@
<properties>
<site.staging.base>${project.parent.parent.basedir}</site.staging.base>
<cassandraVersion>3.11.2</cassandraVersion>
<cassandraVersion>3.11.6</cassandraVersion>
</properties>
<dependencies>
@ -143,6 +143,7 @@
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
@ -169,24 +170,57 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.cassandra</groupId>
<artifactId>cassandra-thrift</artifactId>
<version>3.11.2</version>
<version>${cassandraVersion}</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.thrift</groupId>
<artifactId>libthrift</artifactId>
<version>0.13.0</version>
</dependency>
<!--
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<version>1.9.13</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>1.9.13</version>
</dependency>
-->
<!-- Transitive dependency. Declared here to increase the version. -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-all</artifactId>
<version>${netty.version}</version>
</dependency>
<!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
<dependency>
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
</dependency>
<!-- Dependency of cassandra -> replacing by new version -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>4.3.2.Final</version>
</dependency>
<!-- TEST Scope -->
@ -236,6 +270,7 @@
</dependencies>
<build>
<testResources>
<testResource>

View File

@ -84,6 +84,32 @@
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-segment-tar</artifactId>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
@ -113,6 +139,34 @@
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-core</artifactId>
</dependency>
<!-- netty is a transitive dependencies of oak-segment-tar
increasing version -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</dependency>
<dependency>
<groupId>javax.inject</groupId>

View File

@ -44,8 +44,6 @@ import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.LocalIndexObserver;
import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner;
import org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl;
import org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder;
import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache;
import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants;
@ -142,7 +140,6 @@ public class OakRepositoryFactory
private LuceneIndexProvider indexProvider;
private ScorerProviderFactory scorerFactory = new ScorerProviderFactoryImpl( );
private IndexAugmentorFactory augmentorFactory = new IndexAugmentorFactory( );
private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP;
@ -396,7 +393,7 @@ public class OakRepositoryFactory
tracker = createTracker();
indexProvider = new LuceneIndexProvider(tracker, scorerFactory, augmentorFactory);
indexProvider = new LuceneIndexProvider(tracker, augmentorFactory);
initialize();
registerObserver();

View File

@ -217,8 +217,6 @@
</reportSets>
</plugin>
</plugins>
</reporting>

73
pom.xml
View File

@ -74,7 +74,8 @@
<javax.jcr.version>2.0</javax.jcr.version>
<!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
to adapt to dependency changes -->
<jcr-oak.version>1.22.3</jcr-oak.version>
<jcr-oak.version>1.30.0</jcr-oak.version>
<netty.version>4.1.50.Final</netty.version>
<!-- Jackrabbit classes are still used for webdav -->
@ -502,6 +503,64 @@
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-segment-tar</artifactId>
<version>${jcr-oak.version}</version>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- netty is a transitive dependencies of oak-segment-tar
increasing version -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
@ -1351,6 +1410,14 @@
</dependency>
<!-- Transitive dependency - fixing version -->
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>29.0-jre</version>
</dependency>
<dependency>
<groupId>org.xmlunit</groupId>
<artifactId>xmlunit-core</artifactId>
@ -1818,6 +1885,10 @@
</execution>
</executions>
</plugin>
</plugins>
<pluginManagement>
<plugins>