NIFI-10092 Updated OWASP dependency-check suppressions

- Changed Maven profile from owasp to dependency-check - Configured dependency check plugin to run in validate phase Signed-off-by: Pierre Villard <pierre.villard.fr@gmail.com> This closes #6100.
2022-06-04 11:24:53 -05:00 · 2022-06-04 11:24:53 -05:00 · 18ecb73441
parent 24adc73862
commit 18ecb73441
2 changed files with 33 additions and 5 deletions
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@ -29,4 +29,34 @@
        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
        <cpe>cpe:/a:mysql:mysql</cpe>
    </suppress>
+    <suppress>
+        <notes>StumbleUpon Async is incorrectly identified as the JavaScript Async library</notes>
+        <packageUrl regex="true">^pkg:maven/com\.stumbleupon/async@.*$</packageUrl>
+        <cve>CVE-2021-43138</cve>
+    </suppress>
+    <suppress>
+        <notes>HBase Async is incorrectly identified as the JavaScript Async library</notes>
+        <packageUrl regex="true">^pkg:maven/org\.hbase/asynchbase@.*$</packageUrl>
+        <cve>CVE-2021-43138</cve>
+    </suppress>
+    <suppress>
+        <notes>Jetty SSLEngine is incorrectly identified with Jetty Server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/jetty\-sslengine@.*$</packageUrl>
+        <cpe regex="true">^cpe:.*$</cpe>
+    </suppress>
+    <suppress>
+        <notes>MySQL Binary Log Connector is incorrectly identified as MySQL server</notes>
+        <packageUrl regex="true">^pkg:maven/com\.github\.shyiko/mysql\-binlog\-connector\-java@.*$</packageUrl>
+        <cpe>cpe:/a:mysql:mysql</cpe>
+    </suppress>
+    <suppress>
+        <notes>Testcontainers MariaDB is incorrectly identified with MariaDB server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.testcontainers/mariadb@.*$</packageUrl>
+        <cpe>cpe:/a:mariadb:mariadb</cpe>
+    </suppress>
+    <suppress>
+        <notes>Twill ZooKeeper is incorrectly identified with ZooKeeper server</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.twill/twill\-zookeeper@.*$</packageUrl>
+        <cpe>cpe:/a:apache:zookeeper</cpe>
+    </suppress>
 </suppressions>
--- a/pom.xml
+++ b/pom.xml
@ -1237,12 +1237,9 @@
            </properties>
        </profile>
        <profile>
-            <!-- Run "mvn clean verify -P owasp" to generate dependency-check-report.html in the target directory -->
+            <!-- Run "mvn validate -P dependency-check" to generate dependency-check-report.html in the target directory -->
            <!-- Report results require detailed analysis to determine whether the vulnerability impacts the application -->
-            <id>owasp</id>
-            <properties>
-                <skipTests>true</skipTests>
-            </properties>
+            <id>dependency-check</id>
            <build>
                <plugins>
                    <plugin>
@ -1252,6 +1249,7 @@
                        <executions>
                            <execution>
                                <inherited>false</inherited>
+                                <phase>validate</phase>
                                <goals>
                                    <goal>aggregate</goal>
                                </goals>