Posted to commits@turbine.apache.org by gk...@apache.org on 2020/12/23 09:56:19 UTC

svn commit: r1884742 - in /turbine/fulcrum/trunk/security: hibernate/pom.xml pom.xml suppression-owasp.xml

Author: gk
Date: Wed Dec 23 09:56:19 2020
New Revision: 1884742

URL: http://svn.apache.org/viewvc?rev=1884742&view=rev
Log:
- add owasp aggregate check in parent
module hibernate:
- use log4j-slf4j-impl bridge instead of slf4j 
- todo: fix some security checks; this requires updating hibernate to at least 5.4.24.FINAL, which needs major changes, e.g. replacing the persistencehelper configuration, and more.

Added:
    turbine/fulcrum/trunk/security/suppression-owasp.xml
Modified:
    turbine/fulcrum/trunk/security/hibernate/pom.xml
    turbine/fulcrum/trunk/security/pom.xml

Modified: turbine/fulcrum/trunk/security/hibernate/pom.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/hibernate/pom.xml?rev=1884742&r1=1884741&r2=1884742&view=diff
==============================================================================
--- turbine/fulcrum/trunk/security/hibernate/pom.xml (original)
+++ turbine/fulcrum/trunk/security/hibernate/pom.xml Wed Dec 23 09:56:19 2020
@@ -62,13 +62,18 @@
         <dependency>
             <groupId>org.apache.fulcrum</groupId>
             <artifactId>fulcrum-security-api</artifactId>
-            </dependency>
-    
-        <!-- Needed for the Hibernate SPI -->
+            </dependency>  
+        <!-- Needed for the Hibernate SPI, TODO, CVE-2020-25638, resolution requires at least version 5.4.24.Final, better least 5.4.26.Final  -->
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-core</artifactId>
-            <version>3.6.7.Final</version>
+            <version>3.6.10.Final</version>
+        </dependency>
+        <!-- security issue with collections 3.1: CVE-2015-6420, CVE-2017-15708 -->
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
         </dependency>
         <dependency>
             <groupId>javassist</groupId>
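Review bot: The hibernate-core bump to 3.6.10.Final on the new side does not resolve CVE-2020-25638; by the comment's own statement the fix needs at least 5.4.24.Final, so the artifact stays affected and the comment should say plainly that the finding is accepted and suppressed rather than fixed, e.g. `<!-- Needed for the Hibernate SPI. CVE-2020-25638 is NOT fixed by 3.6.10.Final (fix requires >= 5.4.24.Final, preferably >= 5.4.26.Final); it is suppressed in suppression-owasp.xml until the upgrade lands -->`. That wording also corrects the "better least" typo in the added comment. The commons-collections 3.2.2 entry looks like it pins a transitive dependency that brings in 3.1; if so, a short comment naming that artifact would tell the next maintainer when the pin can be dropped, and `<dependencyManagement>` in the parent would be the conventional place for it. The trailing whitespace added after `</dependency>` is noise.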
@@ -117,9 +122,10 @@
             <version>${turbine.log4j2.version}</version>
         </dependency>
         <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <version>1.7.28</version>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <version>2.14.0</version>
         </dependency>
+
     </dependencies>
 </project>
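Review bot: The new log4j-slf4j-impl dependency hard-codes `<version>2.14.0</version>` while the sibling log4j dependency just above it uses `${turbine.log4j2.version}`; the SLF4J bridge must match the log4j-core version it binds to, so a literal here will silently drift the next time the property is bumped. Use the property, `<version>${turbine.log4j2.version}</version>`, unless the property is known to resolve to a different major line, which cannot be seen from this hunk. The added empty line before `</dependencies>` is noise.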

Modified: turbine/fulcrum/trunk/security/pom.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/pom.xml?rev=1884742&r1=1884741&r2=1884742&view=diff
==============================================================================
--- turbine/fulcrum/trunk/security/pom.xml (original)
+++ turbine/fulcrum/trunk/security/pom.xml Wed Dec 23 09:56:19 2020
@@ -164,6 +164,23 @@
                     <excludePackageNames>org.apache.fulcrum.security.torque.om.*</excludePackageNames>
               </configuration>
             </plugin>
+             <plugin>
+              <groupId>org.owasp</groupId>
+              <artifactId>dependency-check-maven</artifactId>
+              <executions>
+                  <execution>
+                      <goals>
+                          <goal>aggregate</goal>
+                      </goals>
+                  </execution>
+              </executions>
+              <configuration>
+                   <!-- suppress false positive -->
+                   <suppressionFiles>
+                    <suppressionFile>${project.basedir}/suppression-owasp.xml</suppressionFile>
+                    </suppressionFiles>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
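Review bot: The added dependency-check-maven plugin declares no `<version>`, so unless a `<pluginManagement>` entry outside this hunk supplies one, Maven will resolve whatever version it finds and the check is not reproducible; pin it, e.g. `<version>PLUGIN_VERSION_PLACEHOLDER</version>` filled in with the version actually tested. As written, the `aggregate` goal only reports: without `<failBuildOnCVSS>` in `<configuration>` no finding ever fails the build, so the commit message's "check" is a report, not a gate — state the intended threshold explicitly so the team can decide it on purpose. The indentation of the new `<plugin>` block is inconsistent with the surrounding plugins (mixed 12/13/14-space levels); align it to the file's existing step.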

Added: turbine/fulcrum/trunk/security/suppression-owasp.xml
URL: http://svn.apache.org/viewvc/turbine/fulcrum/trunk/security/suppression-owasp.xml?rev=1884742&view=auto
==============================================================================
--- turbine/fulcrum/trunk/security/suppression-owasp.xml (added)
+++ turbine/fulcrum/trunk/security/suppression-owasp.xml Wed Dec 23 09:56:19 2020
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[
+      file name: hibernate-core-3.6.10.Final.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@.*$</packageUrl>
+      <vulnerabilityName>CVE-2020-25638</vulnerabilityName>
+   </suppress>
+</suppressions>
\ No newline at end of file
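Review bot: The `packageUrl` regex `^pkg:maven/org\.hibernate/hibernate\-core@.*$` suppresses CVE-2020-25638 for every hibernate-core version, so the suppression will keep masking the finding after the planned upgrade to 5.4.24.Final or later and could hide a future regression; pin it to the version actually shipped, `^pkg:maven/org\.hibernate/hibernate\-core@3\.6\.10\.Final$`, so it expires on its own when the version changes. The notes carry only the jar file name; they should record the rationale (known affected, fix requires a major hibernate upgrade, tracked as a todo in the commit log) so a later reader can tell this is an accepted risk rather than a false positive, which is what the parent pom's `suppress false positive` comment currently claims. Consider also the schema's `until` date attribute on `<suppress>` so the suppression is revisited. The file lacks a trailing newline.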