Posted to commits@tomee.apache.org by jl...@apache.org on 2018/12/20 19:21:47 UTC
tomee git commit: TOMEE-2363 Introduces OWASP dependency check via
two profiles "owasp-check" (will fail the build for CVE score > 8.0" and
"owasp-report"
Repository: tomee
Updated Branches:
refs/heads/tomee-7.1.x 4adec2f85 -> 52b6e61f1
TOMEE-2363 Introduces OWASP dependency check via two profiles: "owasp-check" (will fail the build for CVE score > 8.0) and "owasp-report"
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/52b6e61f
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/52b6e61f
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/52b6e61f
Branch: refs/heads/tomee-7.1.x
Commit: 52b6e61f100b8bbae1e9717e0884d5d52e440c4c
Parents: 4adec2f
Author: rzo1 <ri...@zowalla.com>
Authored: Tue Dec 18 11:20:23 2018 +0100
Committer: rzo1 <ri...@zowalla.com>
Committed: Thu Dec 20 15:53:53 2018 +0100
----------------------------------------------------------------------
owasp-dc-suppression.xml | 80 +++++++++++++++++++++++++++++++++++++++++++
pom.xml | 61 ++++++++++++++++++++++++++++++---
2 files changed, 136 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/52b6e61f/owasp-dc-suppression.xml
----------------------------------------------------------------------
diff --git a/owasp-dc-suppression.xml b/owasp-dc-suppression.xml
new file mode 100644
index 0000000..04b5050
--- /dev/null
+++ b/owasp-dc-suppression.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+ <suppress>
+ <notes><![CDATA[
+ file name: self dependencies...
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cve>CVE-2018-8031</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: self dependencies...
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cve>CVE-2010-1151</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: false positive apache http server
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: false positive apache http server
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cpe>cpe:/a:apache:http_server</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: ziplock-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:ziplock:.*$</gav>
+ <cpe>cpe:/a:zip_project:zip</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: eclipselink-*jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: eclipselink-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: javax.persistence-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: javax.persistence-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: commonj.sdo-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: commonj.sdo-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+</suppressions>
\ No newline at end of file
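Review bot: The two CVE suppressions at the top of the file (CVE-2018-8031 and CVE-2010-1151) apply to every `org.apache.tomee` artifact through the `^org\.apache\.tomee:.*$` regex, and their `<notes>` say only `file name: self dependencies...`, so a later reader cannot tell why the findings are considered false positives or which artifact versions the suppression was written for. A CVE-id suppression is permanent and version-independent, so it would also hide the finding if an older, affected TomEE artifact were ever pulled in transitively. Please record the rationale in the notes, e.g. `TomEE's own modules; fixed in <FIXED-VERSION-PLACEHOLDER>, see <ISSUE-PLACEHOLDER>`, and consider bounding these entries with the `until="YYYY-MM-DD"` attribute that, as far as I recall, the 1.2 suppression schema declared on the root element accepts, so the suppressions get re-evaluated rather than silently kept forever. The `file name:` label on these two notes is also misleading, since no file name follows it.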
http://git-wip-us.apache.org/repos/asf/tomee/blob/52b6e61f/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 308e103..db6953e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -359,6 +359,11 @@
<artifactId>maven-compiler-plugin</artifactId>
<version>3.6.2</version>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>4.0.0</version>
+ </plugin>
</plugins>
</pluginManagement>
@@ -642,6 +647,53 @@
</profile>
<profile>
+ <id>owasp-report</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ <profile>
+ <id>owasp-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <failBuildOnCVSS>8.0</failBuildOnCVSS>
+ <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ <profile>
<id>rat</id>
<modules>
<module>itests</module>
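Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` in both the `owasp-report` and `owasp-check` configurations excludes runtime-scope dependencies, which Maven packages into the delivered artifacts, so shipped code is left unscanned while the check still passes; if scanning only compile-scope code is intended, say so in an XML comment next to the setting, otherwise drop the line. The `owasp-check` profile sets `<failBuildOnCVSS>8.0</failBuildOnCVSS>`, which as far as I recall fails on a score equal to or above the threshold, while the commit message says "> 8.0"; the message or the value should be aligned so the policy is unambiguous. The `skip*Scope` and `suppressionFiles` configuration is duplicated verbatim in both profiles; moving it into the `dependency-check-maven` entry added to `pluginManagement` earlier in this commit (outside this hunk) would leave each profile with only its goal and, for `owasp-check`, the threshold. The enclosing `<profiles>` element starts and ends outside the hunk.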
@@ -672,7 +724,7 @@
<reportFile>${project.build.directory}/${project.build.finalName}.rat</reportFile>
<excludes>
<exclude>**/target/**/*</exclude>
- <exclude>**/js/livereload.js</exclude>
+ <exclude>**/js/livereload.js</exclude>
<!-- left around after creating the site -->
<exclude>**/cobertura.ser</exclude>
@@ -1718,8 +1770,8 @@
<version>1.2.5</version>
<exclusions>
<exclusion>
- <groupId>xalan</groupId>
- <artifactId>xalan</artifactId>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
</exclusion>
</exclusions>
</dependency>
@@ -1754,5 +1806,4 @@
-->
</plugins>
</reporting>
-</project>
-
+</project>
\ No newline at end of file