Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/06/02 10:21:01 UTC
[jackrabbit-filevault] 01/01: JCRVLT-579 prevent embedding vulnerable libraries
This is an automated email from the ASF dual-hosted git repository.
kwin pushed a commit to branch feature/enable-dependency-check
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git
commit 1ffe9308ba563e0f64b9e5fe1061647f3cf918a0
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Thu Jun 2 12:20:55 2022 +0200
JCRVLT-579 prevent embedding vulnerable libraries
Add OWASP dependency checker to all modules
Exclude external (e.g. OSGi) dependencies from being checked
Clean up some dependencies
---
parent/pom.xml | 29 ++++++++++++++++++
suppressions.xml | 53 ++++++++++++++++++++++++++++++++
target-osgi-environment/pom.xml | 8 +++++
vault-cli/pom.xml | 58 +++++++++++++++++++++++++++++++++++
vault-core/pom.xml | 14 ++++++++-
vault-davex/pom.xml | 19 ++++++++++++
vault-hook-example/pom.xml | 13 +++-----
vault-hook-externalclass-test/pom.xml | 16 +++-------
vault-rcp/pom.xml | 21 ++++++++++++-
vault-sync/pom.xml | 16 ++++++++++
vault-validation/pom.xml | 51 +++++++++++++++++++++++++++++-
vault-vlt/pom.xml | 19 ++++++++++++
12 files changed, 294 insertions(+), 23 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 4e550b2d..bc21acd7 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -277,6 +277,23 @@ Bundle-Category: jackrabbit
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.8</version>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>7.1.0</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ <configuration>
+ <!-- provided is used in OSGi bundles for non-embedded dependencies -->
+ <skipProvidedScope>false</skipProvidedScope>
+ <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</pluginManagement>
<plugins>
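Review bot: The comment above `skipProvidedScope` says provided scope holds "non-embedded dependencies", yet the flag keeps provided artifacts in the scan (false is also the plugin's default), so the line reads as if it contradicts itself. If I read the per-module `excludes` correctly, provided scope here mixes artifacts that get embedded into bundles with ones the container supplies, and the comment should say that is why scanning stays on, e.g. `<!-- keep provided scope in the scan: OSGi modules declare embedded dependencies as provided; container-supplied ones are excluded per module -->`. Worth a sentence too that `failBuildOnAnyVulnerability` fails on any severity, so a new NVD entry can break the build without a code change — that is the intended strictness, but maintainers should know where to look.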
@@ -477,6 +494,7 @@ Bundle-Category: jackrabbit
<scope>provided</scope>
</dependency>
+ <!-- these are minimum version referenced in OSGi bundles, JARs should use a different version -->
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
@@ -604,6 +622,17 @@ Bundle-Category: jackrabbit
</plugins>
</build>
</profile>
+ <profile>
+ <id>additional-checks</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
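Review bot: The `additional-checks` profile has no activation, so the dependency check only runs when a build passes `-Padditional-checks`; a plain `mvn verify` still embeds whatever it embeds, which falls short of the commit's stated goal unless CI is wired to the profile. Either document that expectation next to the profile, e.g. `<!-- run with -Padditional-checks; CI must enable this or vulnerable embeds are not caught -->`, or consider binding the plugin in the default build now that the suppressions make it pass. I cannot see the CI configuration from this diff, so this may already be covered there.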
diff --git a/suppressions.xml b/suppressions.xml
new file mode 100644
index 00000000..ac2b5813
--- /dev/null
+++ b/suppressions.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0"?><!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress>
+ <notes><![CDATA[
+ Oak GAV must not apply to JR2 CPE (like for
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+ <cpe>cpe:/a:apache:jackrabbit</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: org.apache.sling.jcr.api-2.0.4.jar does not suffer from CVE-2015-2944
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
+ <cve>CVE-2015-2944</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: h2-2.1.212.jar, only 1.4.197 is affected, see https://github.com/jeremylong/DependencyCheck/issues/4555
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+ <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: org.apache.sling.commons.classloader-1.2.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.classloader@.*$</packageUrl>
+ <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ false positive for Oak classes e.g. for CVE-2021-40690
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak-.*@.*$</packageUrl>
+ <cpe>cpe:/a:apache:xml_security_for_java</cpe>
+ </suppress>
+</suppressions>
\ No newline at end of file
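Review bot: The h2 suppression for CVE-2018-14335 matches every h2 version (`h2@.*`) while its own note says only 1.4.197 is affected, so a later downgrade or a second h2 on some module's classpath would be silenced too; narrow it to the line actually shipped, e.g. `<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2\..*$</packageUrl>`. The first suppression's note is cut off mid-sentence ("(like for") and should name the false positive it refers to, since the notes are the only audit trail for why a finding was waived. Consider an `until` attribute on the CVE-specific suppressions so they are revisited rather than living forever, and add the trailing newline.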
diff --git a/target-osgi-environment/pom.xml b/target-osgi-environment/pom.xml
index c4326340..3c44ddd2 100644
--- a/target-osgi-environment/pom.xml
+++ b/target-osgi-environment/pom.xml
@@ -73,6 +73,14 @@
</execution>
</executions>
</plugin>
+ <!-- never do vulnerabilities check for any surrounding OSGi bundles provided by a distribution -->
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
</plugins>
</build>
diff --git a/vault-cli/pom.xml b/vault-cli/pom.xml
index d9cdeea5..bb02c80a 100644
--- a/vault-cli/pom.xml
+++ b/vault-cli/pom.xml
@@ -41,6 +41,17 @@
<!-- B U I L D D E F I N I T I O N -->
<!-- ====================================================================== -->
<build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
<plugins>
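Review bot: vault-cli is the one module without `excludes`, and that looks deliberate because, if I read the appassembler configuration below correctly, it copies every dependency into `lib/` and therefore every artifact on its classpath is actually shipped; a comment should record that so nobody "harmonizes" it with the OSGi modules later, e.g. `<!-- no excludes here: vault-cli ships all dependencies in lib/, so everything on the classpath must be scanned -->`.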
<plugin>
<groupId>org.codehaus.mojo</groupId>
@@ -62,6 +73,7 @@
<repositoryName>lib</repositoryName>
<includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
<copyConfigurationDirectory>true</copyConfigurationDirectory>
+ <useAllProjectDependencies>true</useAllProjectDependencies><!-- this is not including transitive ones -->
<extraJvmArguments>-Xms500m -Xmx500m</extraJvmArguments>
<programs>
<program>
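Review bot: The trailing comment on `useAllProjectDependencies` ("this is not including transitive ones") is ambiguous: it is unclear whether it records a verified limitation of the plugin, the intended scope, or a known gap in what ends up in `lib/`. Since this setting decides which jars are distributed and hence which ones the dependency check actually matters for, say which it is and how it was checked, e.g. `<!-- copies direct project dependencies only (verified against lib/ contents); transitive ones are resolved by the plugin itself -->`, adjusted to what was observed.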
@@ -111,6 +123,52 @@
</plugins>
</build>
+ <dependencyManagement>
+ <dependencies>
+ <!-- override minimum versions from parent with most recent backwards compatible versions -->
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <version>2.11.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>3.6</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-collections4</artifactId>
+ <version>4.1</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>1.10</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpmime</artifactId>
+ <version>4.5.13</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpclient</artifactId>
+ <version>4.5.13</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>1.0.3</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.13.2</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
<!-- ====================================================================== -->
<!-- D E P E N D E N C I E S -->
<!-- ====================================================================== -->
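Review bot: The comment says these overrides are the "most recent backwards compatible versions", but the pinned set does not bear that out: `commons-logging` 1.0.3 is far older than the current 1.2 line, and `commons-codec` 1.10, `commons-lang3` 3.6 and `commons-collections4` 4.1 are also several releases behind. Since vault-cli ships these jars, either bump them to what the comment promises or reword it to what is actually true, e.g. `<!-- override minimum versions from parent; versions chosen to pass dependency-check, not necessarily the latest -->`. I have not checked each of these against the NVD here, so the point is about the claim rather than a specific finding.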
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index 5c630cf3..d1a4e8a2 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -60,6 +60,18 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:httpclient</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
</plugins>
</pluginManagement>
<plugins>
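Review bot: The exclusion entries are spelled `<exlude>` instead of the documented `<exclude>`; Maven's collection configurator may well accept arbitrary child element names for a `List<String>`, so this probably works today, but it is still a typo that will be copied around and that a stricter plugin version could reject. The comment also says these are excluded because they are external dependencies "with vulnerabilities", which means the list is tuned to current findings rather than to what is embedded; state the invariant instead, e.g. `<!-- not embedded in this bundle (see bnd config), supplied by the container; verify before adding entries -->`, so a future embed of commons-io or httpclient is not silently unscanned.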
@@ -241,7 +253,7 @@
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
- <version>2.0.206</version>
+ <version>2.1.212</version>
<scope>provided</scope>
</dependency>
<!-- test deps -->
diff --git a/vault-davex/pom.xml b/vault-davex/pom.xml
index a2d4fa9f..7a0f8544 100644
--- a/vault-davex/pom.xml
+++ b/vault-davex/pom.xml
@@ -87,4 +87,23 @@
<artifactId>slf4j-api</artifactId>
</dependency>
</dependencies>
+
+ <build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:httpclient</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
+ </build>
</project>
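Review bot: The `suppressionFile` setting is repeated verbatim in every module; `${project.basedir}` is resolved per module, so `<suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>` can live once in the parent's `pluginManagement` and only the `excludes` need to stay module-specific. The misspelled `<exlude>` elements appear here as well. Placing `<build>` after `<dependencies>` also breaks with the section order the other modules use (build definition first), which makes the POMs harder to compare.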
diff --git a/vault-hook-example/pom.xml b/vault-hook-example/pom.xml
index 36920f61..10e409e6 100644
--- a/vault-hook-example/pom.xml
+++ b/vault-hook-example/pom.xml
@@ -92,19 +92,14 @@
<dependency>
<groupId>javax.jcr</groupId>
<artifactId>jcr</artifactId>
- <optional>true</optional>
+ <scope>provided</scope>
</dependency>
- <!-- SLF4j / Log4j -->
+ <!-- SLF4j -->
<dependency>
<groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <optional>true</optional>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- <optional>true</optional>
+ <artifactId>slf4j-api</artifactId>
+ <scope>provided</scope>
</dependency>
</dependencies>
</project>
diff --git a/vault-hook-externalclass-test/pom.xml b/vault-hook-externalclass-test/pom.xml
index a35ea6fa..9144ab9e 100644
--- a/vault-hook-externalclass-test/pom.xml
+++ b/vault-hook-externalclass-test/pom.xml
@@ -91,26 +91,20 @@
<dependency>
<groupId>javax.jcr</groupId>
<artifactId>jcr</artifactId>
- <optional>true</optional>
+ <scope>provided</scope>
</dependency>
- <!-- SLF4j / Log4j -->
+ <!-- SLF4j -->
<dependency>
<groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <optional>true</optional>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- <optional>true</optional>
+ <artifactId>slf4j-api</artifactId>
+ <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.api</artifactId>
- <version>2.3.0</version>
+ <version>2.16.4</version>
<scope>provided</scope>
- <optional>true</optional>
</dependency>
</dependencies>
</project>
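Review bot: The `org.apache.sling.api` version 2.16.4 is now hard-coded in this module and, by the same commit, in vault-rcp; a single `dependencyManagement` entry in the parent would keep the two from drifting and would make the next bump a one-line change. Dropping the log4j 1.x binding in favor of `slf4j-api` is the right direction given log4j 1.2 is end-of-life, so no concern there.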
diff --git a/vault-rcp/pom.xml b/vault-rcp/pom.xml
index b2349fa7..cdd48f5a 100644
--- a/vault-rcp/pom.xml
+++ b/vault-rcp/pom.xml
@@ -43,6 +43,25 @@
<!-- B U I L D -->
<!-- ====================================================================== -->
<build>
+ <pluginManagement>
+ <plugins>
+ <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:httpclient</exlude>
+ <exlude>*:jackson-core</exlude>
+ <exlude>*:jackson-databind</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.sling</groupId>
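Review bot: The same comment ("only check embedded dependencies, therefore exclude all external OSGi dependencies …") appears twice, once above the plugin and once inside its configuration; keep the inner one. Excluding `jackson-core` and `jackson-databind` by artifact name is a notable blind spot given jackson-databind's CVE history, so it is worth confirming that vault-rcp's bundle does not embed them (manifest `Bundle-ClassPath` or bnd `-includeresource`) and noting that in the comment. The `<exlude>` spelling is wrong here too.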
@@ -137,7 +156,7 @@
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.api</artifactId>
- <version>2.2.0</version>
+ <version>2.16.4</version>
<scope>provided</scope>
</dependency>
<dependency>
diff --git a/vault-sync/pom.xml b/vault-sync/pom.xml
index 959762b7..05e728e0 100644
--- a/vault-sync/pom.xml
+++ b/vault-sync/pom.xml
@@ -45,6 +45,22 @@
<!-- B U I L D D E F I N I T I O N -->
<!-- ====================================================================== -->
<build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:guava</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.sling</groupId>
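Review bot: The patterns use a wildcard groupId (`*:guava`, `*:commons-io`), so any artifact with that artifactId from any group would be skipped; pinning the group, e.g. `<exclude>com.google.guava:guava</exclude>`, limits the exemption to the one artifact the container is known to supply. The element is misspelled `<exlude>` as in the other modules.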
diff --git a/vault-validation/pom.xml b/vault-validation/pom.xml
index e8f064eb..7cd4d3a7 100644
--- a/vault-validation/pom.xml
+++ b/vault-validation/pom.xml
@@ -40,6 +40,22 @@
</properties>
<build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:httpclient</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
<plugins>
<!-- ====================================================================== -->
<!-- R A T P L U G I N -->
@@ -140,12 +156,45 @@
<scope>provided</scope>
</dependency>
- <!-- only used for the constants, not necessary at run time -->
+ <!-- Oak dependencies only used for the constants, not necessary at run time (due to inlining) -->
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-core</artifactId>
<version>${oak.version}</version>
<optional>true</optional>
+ <scope>provided</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>*</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-security-spi</artifactId>
+ <version>${oak.version}</version>
+ <optional>true</optional>
+ <scope>provided</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>*</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-core-spi</artifactId>
+ <version>${oak.version}</version>
+ <optional>true</optional>
+ <scope>provided</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>*</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
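Review bot: Combining `<optional>true</optional>` with `<scope>provided</scope>` is redundant, since provided scope already does not propagate to consumers; drop the `optional` element on the three Oak dependencies. The comment's "due to inlining" holds only if the referenced constants are compile-time constants (`static final` primitives or Strings); if any of them is not, the bundle will carry an `Import-Package` for the Oak package at runtime, so it would be prudent to assert the manifest has no Oak imports, or at least say in the comment that this was checked. The wildcard `<exclusion>` also removes Oak's transitive tree from the dependency check, which is fine for constants-only use but should be stated as intentional.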
diff --git a/vault-vlt/pom.xml b/vault-vlt/pom.xml
index 1f07bef9..e30f4fd6 100644
--- a/vault-vlt/pom.xml
+++ b/vault-vlt/pom.xml
@@ -89,4 +89,23 @@
</dependency>
</dependencies>
+ <build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+ <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+ <excludes>
+ <exlude>*:commons-io</exlude>
+ <exlude>*:httpclient</exlude>
+ <exlude>*:log4j</exlude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
+ </build>
</project>
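Review bot: Excluding `*:log4j` from the scan hides a logging library whose 1.x line is end-of-life and has known unfixed findings, while the same commit removes log4j from the hook modules; before exempting it here it is worth checking whether vault-vlt needs log4j at all or merely inherits it, and, if the container really supplies it, pinning the group (`log4j:log4j`) rather than a wildcard. The `<exlude>` spelling should be `<exclude>`.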