Posted to commits@turbine.apache.org by gk...@apache.org on 2020/12/23 09:56:19 UTC
svn commit: r1884742 - in /turbine/fulcrum/trunk/security: hibernate/pom.xml
pom.xml suppression-owasp.xml
Author: gk
Date: Wed Dec 23 09:56:19 2020
New Revision: 1884742
URL: http://svn.apache.org/viewvc?rev=1884742&view=rev
Log:
- add owasp aggregate check in parent
module hibernate:
- use log4j-slf4j-impl bridge instead of slf4j
- todo: fix the remaining security check findings, but this requires updating hibernate to at least 5.4.24.FINAL, which needs major changes, e.g. replacing the persistencehelper configuration and more.
Added:
turbine/fulcrum/trunk/security/suppression-owasp.xml
Modified:
turbine/fulcrum/trunk/security/hibernate/pom.xml
turbine/fulcrum/trunk/security/pom.xml
Modified: turbine/fulcrum/trunk/security/hibernate/pom.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/hibernate/pom.xml?rev=1884742&r1=1884741&r2=1884742&view=diff
==============================================================================
--- turbine/fulcrum/trunk/security/hibernate/pom.xml (original)
+++ turbine/fulcrum/trunk/security/hibernate/pom.xml Wed Dec 23 09:56:19 2020
@@ -62,13 +62,18 @@
<dependency>
<groupId>org.apache.fulcrum</groupId>
<artifactId>fulcrum-security-api</artifactId>
- </dependency>
-
- <!-- Needed for the Hibernate SPI -->
+ </dependency>
+ <!-- Needed for the Hibernate SPI, TODO, CVE-2020-25638, resolution requires at least version 5.4.24.Final, better least 5.4.26.Final -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
- <version>3.6.7.Final</version>
+ <version>3.6.10.Final</version>
+ </dependency>
+ <!-- security issue with collections 3.1: CVE-2015-6420, CVE-2017-15708 -->
+ <dependency>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ <version>3.2.2</version>
</dependency>
<dependency>
<groupId>javassist</groupId>
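Review bot: The commons-collections 3.2.2 entry added at L40–L44 is a plain compile-scope dependency whose only purpose, if I read the comment on L39 correctly, is to override the 3.1 version hibernate-core pulls in transitively; a `<dependencyManagement>` entry, or an `<exclusion>` on hibernate-core next to the explicit dependency, would state that intent and keep the pin effective if a later hibernate upgrade changes its transitive graph. The comment on L32 also records that CVE-2020-25638 is not fixed by the bump to 3.6.10.Final, so the dependency ships with a known, accepted finding; I would say so plainly rather than as a TODO, e.g. `<!-- hibernate-core 3.6.x is affected by CVE-2020-25638 (accepted risk, suppressed in suppression-owasp.xml); the fix needs at least 5.4.24.Final -->`. The enclosing `<dependencies>` element starts before this hunk.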
@@ -117,9 +122,10 @@
<version>${turbine.log4j2.version}</version>
</dependency>
<dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <version>1.7.28</version>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-slf4j-impl</artifactId>
+ <version>2.14.0</version>
</dependency>
+
</dependencies>
</project>
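Review bot: The new log4j-slf4j-impl dependency at L54–L56 hard-codes `<version>2.14.0</version>` while the sibling log4j artifact just above it (L48, its `<dependency>` opens before the hunk) is versioned through `${turbine.log4j2.version}`; the bridge must match the log4j-api/core version it binds to, so it should use the same property, `<version>${turbine.log4j2.version}</version>`. With a literal pin, a future bump of that property for a security fix would silently leave the bridge behind. That is a consistency point, not a defect in the bridge swap itself.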
Modified: turbine/fulcrum/trunk/security/pom.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/pom.xml?rev=1884742&r1=1884741&r2=1884742&view=diff
==============================================================================
--- turbine/fulcrum/trunk/security/pom.xml (original)
+++ turbine/fulcrum/trunk/security/pom.xml Wed Dec 23 09:56:19 2020
@@ -164,6 +164,23 @@
<excludePackageNames>org.apache.fulcrum.security.torque.om.*</excludePackageNames>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <!-- suppress false positive -->
+ <suppressionFiles>
+ <suppressionFile>${project.basedir}/suppression-owasp.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>
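Review bot: The dependency-check-maven plugin added at L70–L86 declares no `<version>`, so unless the parent's `<pluginManagement>` (not visible here) pins one, Maven resolves whichever release it finds and the scan results are not reproducible; add `<version>DEPENDENCY_CHECK_VERSION_PLACEHOLDER</version>` or manage it in the parent. The configuration also sets no `failBuildOnCVSS`, so the aggregate goal only produces a report and a new finding never fails the build — `<failBuildOnCVSS>7</failBuildOnCVSS>` (threshold to taste) makes the check enforcing. Finally, the comment at L81, `<!-- suppress false positive -->`, is inaccurate: the one entry in suppression-owasp.xml is the acknowledged CVE-2020-25638 on hibernate-core, so I would write `<!-- suppress accepted findings (see notes in the file); review on each upgrade -->`.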
Added: turbine/fulcrum/trunk/security/suppression-owasp.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/suppression-owasp.xml?rev=1884742&view=auto
==============================================================================
--- turbine/fulcrum/trunk/security/suppression-owasp.xml (added)
+++ turbine/fulcrum/trunk/security/suppression-owasp.xml Wed Dec 23 09:56:19 2020
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress>
+ <notes><![CDATA[
+ file name: hibernate-core-3.6.10.Final.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@.*$</packageUrl>
+ <vulnerabilityName>CVE-2020-25638</vulnerabilityName>
+ </suppress>
+</suppressions>
\ No newline at end of file
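Review bot: The `packageUrl` regex at L119, `^pkg:maven/org\.hibernate/hibernate\-core@.*$`, matches every hibernate-core version, and the `<suppress>` at L115 carries no `until` date, so CVE-2020-25638 stays hidden indefinitely, including after the planned upgrade and for any version that might later be reintroduced. Anchor the suppression to the version actually in use and let it expire: `<suppress until="YYYY-MM-DD">` and `<packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@3\.6\.10\.Final$</packageUrl>`. The `<notes>` should also say why the finding is suppressed, since it is an accepted real CVE rather than a false positive, e.g. `CVE-2020-25638 in hibernate-core 3.6.10.Final is real; accepted until the upgrade to at least 5.4.24.Final is done`.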