You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by jl...@apache.org on 2018/12/20 19:21:47 UTC

tomee git commit: TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"

Repository: tomee
Updated Branches:
  refs/heads/tomee-7.1.x 4adec2f85 -> 52b6e61f1


TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/52b6e61f
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/52b6e61f
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/52b6e61f

Branch: refs/heads/tomee-7.1.x
Commit: 52b6e61f100b8bbae1e9717e0884d5d52e440c4c
Parents: 4adec2f
Author: rzo1 <ri...@zowalla.com>
Authored: Tue Dec 18 11:20:23 2018 +0100
Committer: rzo1 <ri...@zowalla.com>
Committed: Thu Dec 20 15:53:53 2018 +0100

----------------------------------------------------------------------
 owasp-dc-suppression.xml | 80 +++++++++++++++++++++++++++++++++++++++++++
 pom.xml                  | 61 ++++++++++++++++++++++++++++++---
 2 files changed, 136 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/52b6e61f/owasp-dc-suppression.xml
----------------------------------------------------------------------
diff --git a/owasp-dc-suppression.xml b/owasp-dc-suppression.xml
new file mode 100644
index 0000000..04b5050
--- /dev/null
+++ b/owasp-dc-suppression.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2018-8031</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2010-1151</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:apache_http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: ziplock-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:ziplock:.*$</gav>
+        <cpe>cpe:/a:zip_project:zip</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/tomee/blob/52b6e61f/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 308e103..db6953e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -359,6 +359,11 @@
           <artifactId>maven-compiler-plugin</artifactId>
           <version>3.6.2</version>
         </plugin>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>4.0.0</version>
+        </plugin>
       </plugins>
     </pluginManagement>
 
@@ -642,6 +647,53 @@
     </profile>
 
     <profile>
+      <id>owasp-report</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>aggregate</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>owasp-check</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <failBuildOnCVSS>8.0</failBuildOnCVSS>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
       <id>rat</id>
       <modules>
         <module>itests</module>
@@ -672,7 +724,7 @@
               <reportFile>${project.build.directory}/${project.build.finalName}.rat</reportFile>
               <excludes>
                 <exclude>**/target/**/*</exclude>
-		            <exclude>**/js/livereload.js</exclude>
+                <exclude>**/js/livereload.js</exclude>
 
                 <!-- left around after creating the site -->
                 <exclude>**/cobertura.ser</exclude>
@@ -1718,8 +1770,8 @@
         <version>1.2.5</version>
         <exclusions>
           <exclusion>
-              <groupId>xalan</groupId>
-              <artifactId>xalan</artifactId>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
           </exclusion>
         </exclusions>
       </dependency>
@@ -1754,5 +1806,4 @@
       -->
     </plugins>
   </reporting>
-</project>
-
+</project>
\ No newline at end of file