Posted to commits@calcite.apache.org by jh...@apache.org on 2018/08/15 19:23:17 UTC
calcite-avatica git commit: [CALCITE-2467] Upgrade
owasp-dependency-check maven plugin to 3.3.1
Repository: calcite-avatica
Updated Branches:
refs/heads/master 933d3dca8 -> f0bce9859
[CALCITE-2467] Upgrade owasp-dependency-check maven plugin to 3.3.1
Upgrade protobuf-java to 3.5.1, jackson to 2.9.6, jetty to 9.4.11.v20180605.
Close apache/calcite-avatica#66
Project: http://git-wip-us.apache.org/repos/asf/calcite-avatica/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite-avatica/commit/f0bce985
Tree: http://git-wip-us.apache.org/repos/asf/calcite-avatica/tree/f0bce985
Diff: http://git-wip-us.apache.org/repos/asf/calcite-avatica/diff/f0bce985
Branch: refs/heads/master
Commit: f0bce98597868d7176ed4d8ead47372367f88900
Parents: 933d3dc
Author: Julian Hyde <jh...@apache.org>
Authored: Tue Aug 14 20:59:37 2018 -0700
Committer: Julian Hyde <jh...@apache.org>
Committed: Wed Aug 15 12:22:22 2018 -0700
----------------------------------------------------------------------
pom.xml | 38 ++++++++++++++++++--
.../server/PropertyBasedSpnegoLoginService.java | 4 ++-
site/_docs/howto.md | 2 ++
.../config/dependency-check/suppressions.xml | 32 +++++++++++++++++
4 files changed, 72 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index bf0b3a6..4794435 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,6 +55,7 @@ limitations under the License.
<avatica.release.version>${project.version}</avatica.release.version>
<version.major>1</version.major>
<version.minor>12</version.minor>
+
<!-- This list is in alphabetical order. -->
<bouncycastle.version>1.59</bouncycastle.version>
<build-helper-maven-plugin.version>3.0.0</build-helper-maven-plugin.version>
@@ -72,13 +73,13 @@ limitations under the License.
<httpclient.version>4.5.2</httpclient.version>
<httpcore.version>4.4.4</httpcore.version>
<hydromatic-toolbox.version>0.3</hydromatic-toolbox.version>
- <jackson.version>2.9.4</jackson.version>
+ <jackson.version>2.9.6</jackson.version>
<!-- Default to html4 for JDK 8 but html5 on jdk9+ -->
<javadoc-additionalOptions />
<javadoc-link>https://docs.oracle.com/javase/8/docs/api/</javadoc-link>
<jcip-annotations.version>1.0-1</jcip-annotations.version>
<jcommander.version>1.48</jcommander.version>
- <jetty.version>9.2.19.v20160908</jetty.version>
+ <jetty.version>9.4.11.v20180605</jetty.version>
<junit.version>4.12</junit.version>
<kerby.version>1.0.0-RC2</kerby.version>
<maven-assembly-plugin.version>3.0.0</maven-assembly-plugin.version>
@@ -92,7 +93,8 @@ limitations under the License.
<!-- Apache 19 has 2.20.1, but need 2.21.0+ for [MPOM-184] -->
<maven-surefire-plugin.version>2.21.0</maven-surefire-plugin.version>
<mockito.version>2.5.5</mockito.version>
- <protobuf.version>3.3.0</protobuf.version>
+ <owasp-dependency-check.version>3.3.1</owasp-dependency-check.version>
+ <protobuf.version>3.5.1</protobuf.version>
<scott-data-hsqldb.version>0.1</scott-data-hsqldb.version>
<servlet.version>3.0.1</servlet.version>
<slf4j.version>1.7.13</slf4j.version>
@@ -639,6 +641,11 @@ limitations under the License.
</configuration>
</plugin>
<plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${owasp-dependency-check.version}</version>
+ </plugin>
+ <plugin>
<groupId>org.xolstice.maven.plugins</groupId>
<artifactId>protobuf-maven-plugin</artifactId>
<version>0.5.0</version>
@@ -776,5 +783,30 @@ limitations under the License.
<javadoc-link>https://docs.oracle.com/javase/9/docs/api/</javadoc-link>
</properties>
</profile>
+ <profile>
+ <!-- Extra checks that are disabled in the regular build, enabled for
+ releases and on demand. -->
+ <id>pedantic</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${top.dir}/src/main/config/dependency-check/suppressions.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
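Review bot: The `pedantic` profile's `check` execution sets no failure threshold, so, unless the 3.3.1 defaults differ from what I recall, it writes the report but never fails the build, even for a critical finding; since the companion suppression file already hides everything below CVSS 7, adding `<failBuildOnCVSS>7</failBuildOnCVSS>` to the plugin `<configuration>` would turn the "extra checks" into an enforceable release gate rather than a report someone must remember to read. The `suppressionFile` path relies on `${top.dir}` resolving in every module that inherits this profile; I cannot see that property defined in the hunk, so it is worth confirming it exists in the parent pom. A short comment on the `<configuration>` noting that the suppression list is the only tuning applied would also help the next maintainer understand why the report looks quiet.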
http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java b/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
index c5126c3..027b369 100644
--- a/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
+++ b/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
@@ -33,6 +33,7 @@ import java.lang.reflect.Field;
import java.util.Objects;
import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
/**
* A customization of {@link SpnegoLoginService} which directly specifies the server's
@@ -60,7 +61,8 @@ public class PropertyBasedSpnegoLoginService extends SpnegoLoginService {
targetNameField.set(this, serverPrincipal);
}
- @Override public UserIdentity login(String username, Object credentials) {
+ @Override public UserIdentity login(String username, Object credentials,
+ ServletRequest request) {
String encodedAuthToken = (String) credentials;
byte[] authToken = B64Code.decode(encodedAuthToken);
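Review bot: The new `request` parameter is not referenced in the visible lines and the overriding method has no Javadoc, so a reader cannot tell whether ignoring it is deliberate or an oversight from the Jetty 9.4 API change; a one-line comment above the signature such as `// request is intentionally unused: the three-argument form is the LoginService signature in the Jetty version this pom now builds against` (confirm against the new jetty.version) would make the intent explicit. The body of `login` continues past the end of the hunk, so whether `request` is used further down cannot be confirmed from here.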
http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/site/_docs/howto.md
----------------------------------------------------------------------
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 20789a1..f985fbe 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
@@ -202,6 +202,8 @@ Before you start:
* Add release notes to `site/_docs/history.md`. Include the commit history,
and say which versions of Java, Guava and operating systems the release is
tested against.
+* Generate a report of vulnerabilities that occur among dependencies,
+ using `mvn verify -Ppedantic`.
* Make sure that
<a href="https://issues.apache.org/jira/issues/?jql=project%20%3D%20CALCITE%20AND%20status%20%3D%20Resolved%20and%20fixVersion%20is%20null">
every "resolved" JIRA case</a> (including duplicates) has
http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/src/main/config/dependency-check/suppressions.xml
----------------------------------------------------------------------
diff --git a/src/main/config/dependency-check/suppressions.xml b/src/main/config/dependency-check/suppressions.xml
new file mode 100644
index 0000000..01f0b29
--- /dev/null
+++ b/src/main/config/dependency-check/suppressions.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <suppress>
+ <notes><![CDATA[Suppress all CVE entries that have a score below CVSS 7.]]></notes>
+ <cvssBelow>7</cvssBelow>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[Suppress some false positives identified on
+ avatica-server-1.13, which the CVE database thinks looks similar to
+ Apache HTTPD version 1.13.]]></notes>
+ <cve>CVE-1999-1412</cve>
+ <cve>CVE-2003-0789</cve>
+ <cve>CVE-1999-1237</cve>
+ <cve>CVE-1999-0236</cve>
+ </suppress>
+</suppressions>
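Review bot: Both `<suppress>` entries apply to every dependency in the build because neither is scoped with `<gav>`, `<filePath>` or `<sha1>`: the four httpd CVE ids are suppressed project-wide rather than only for the avatica-server artifact the note describes, and `<cvssBelow>7</cvssBelow>` removes every medium-severity finding from the report with no stated rationale beyond restating the rule. Scoping the false-positive entry, e.g. `<gav regex="true">^org\.apache\.calcite\.avatica:avatica-server:.*$</gav>`, keeps those ids from masking a genuine match on another jar, and the blanket CVSS filter deserves a `<notes>` sentence saying why medium findings are acceptable to hide (or a narrower threshold). Recording in the notes which version string triggered the httpd CPE match would also make it easier to retire the suppression once the matcher no longer confuses them.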