Posted to commits@struts.apache.org by lu...@apache.org on 2022/12/02 09:46:48 UTC
[struts-examples] branch master updated: Cleans up dependencies and suppresses false positives
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-examples.git
The following commit(s) were added to refs/heads/master by this push:
new f81b451 Cleans up dependencies and suppresses false positives
f81b451 is described below
commit f81b45118a57015b86345c8afae3292e2b3a0d60
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Fri Dec 2 10:46:39 2022 +0100
Cleans up dependencies and suppresses false positives
---
jasperreports/pom.xml | 15 ++-
pom.xml | 14 +++
rest-angular/pom.xml | 3 -
src/etc/project-suppression.xml | 209 ++++++++++++++--------------------------
4 files changed, 98 insertions(+), 143 deletions(-)
diff --git a/jasperreports/pom.xml b/jasperreports/pom.xml
index 9e782fe..2effbc6 100644
--- a/jasperreports/pom.xml
+++ b/jasperreports/pom.xml
@@ -36,6 +36,17 @@
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>${jasperreports.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+
+ <dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
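Review bot: The exclusion on jasperreports removes only jackson-databind, so if jasperreports also declares jackson-core or jackson-annotations they still arrive transitively at whatever version it ships, while the re-added jackson-databind resolves to the version managed in the parent pom; Maven's nearest-wins rule can then pair a newer databind with an older core/annotations, a combination Jackson does not support across minor releases. Either widen the exclusion to the whole group with `<artifactId>*</artifactId>` (wildcard exclusions are supported since Maven 3.2.1) or manage every Jackson artifact in the parent's dependencyManagement hunk, which at present pins only jackson-databind and jackson-dataformat-xml. The enclosing `<dependency>` element for jasperreports begins before this hunk.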
@@ -55,7 +66,7 @@
</dependencies>
<build>
- <plugins>
+ <plugins>
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
@@ -71,4 +82,4 @@
</plugin>
</plugins>
</build>
-</project>
\ No newline at end of file
+</project>
diff --git a/pom.xml b/pom.xml
index 33b60d4..3e838b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,6 +47,8 @@
<log4j2.version>2.19.0</log4j2.version>
<jetty-plugin.version>9.4.46.v20220331</jetty-plugin.version>
<maven.javadoc.skip>true</maven.javadoc.skip>
+ <jackson.version>2.14.1</jackson.version>
+ <jackson-data-bind.version>2.14.1</jackson-data-bind.version>
</properties>
<profiles>
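Review bot: `jackson.version` and `jackson-data-bind.version` are introduced with the same value, 2.14.1, and nothing in the hunk says why jackson-databind needs a property of its own; two properties for one library release invite the values drifting apart on the next bump, which would produce the core/databind version mismatch Jackson does not tolerate. Unless databind is deliberately pinned independently, drop the second property and have the jackson-databind entry in the dependencyManagement hunk reference `<version>${jackson.version}</version>`.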
@@ -152,6 +154,18 @@
<artifactId>log4j-api</artifactId>
<version>${log4j2.version}</version>
</dependency>
+
+ <dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ <version>${jackson-data-bind.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.dataformat</groupId>
+ <artifactId>jackson-dataformat-xml</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+
</dependencies>
</dependencyManagement>
diff --git a/rest-angular/pom.xml b/rest-angular/pom.xml
index 060b67f..0fba482 100644
--- a/rest-angular/pom.xml
+++ b/rest-angular/pom.xml
@@ -16,7 +16,6 @@
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <jackson.version>2.13.4</jackson.version>
</properties>
<dependencies>
@@ -85,12 +84,10 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
- <version>${jackson.version}</version>
</dependency>
<dependency>
diff --git a/src/etc/project-suppression.xml b/src/etc/project-suppression.xml
index 413495e..8f421d8 100644
--- a/src/etc/project-suppression.xml
+++ b/src/etc/project-suppression.xml
@@ -22,91 +22,27 @@
<notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
<cpe>cpe:/a:apache:struts</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2011-5057</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2012-0391</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2012-0392</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2012-0393</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2012-0394</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2012-0838</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2013-1965</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2013-1966</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2013-2115</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2013-2134</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2013-2135</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2014-0094</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2014-0113</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2015-5169</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2016-0785</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2016-4003</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-annotations-1.0.6.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-annotations@.*$</packageUrl>
- <cpe>cpe:/a:apache:struts</cpe>
+ <cve>CVE-2016-1182</cve>
+ <cve>CVE-2016-1181</cve>
+ <cve>CVE-2014-0114</cve>
+ <cve>CVE-2015-0899</cve>
+ <cve>CVE-2011-5057</cve>
+ <cve>CVE-2012-0391</cve>
+ <cve>CVE-2012-0392</cve>
+ <cve>CVE-2012-0393</cve>
+ <cve>CVE-2012-0394</cve>
+ <cve>CVE-2012-0838</cve>
+ <cve>CVE-2013-1965</cve>
+ <cve>CVE-2013-1966</cve>
+ <cve>CVE-2013-2115</cve>
+ <cve>CVE-2013-2134</cve>
+ <cve>CVE-2013-2135</cve>
+ <cve>CVE-2014-0094</cve>
+ <cve>CVE-2014-0113</cve>
+ <cve>CVE-2015-5169</cve>
+ <cve>CVE-2016-0785</cve>
+ <cve>CVE-2016-4003</cve>
+ <cve>CVE-2015-2992</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: struts-tiles-1.3.8.jar]]></notes>
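Review bot: The consolidated struts-core suppression now carries a `<cpe>` plus 21 `<cve>` entries, four of which (CVE-2016-1182, CVE-2016-1181, CVE-2014-0114, CVE-2015-0899) had no counterpart among the struts-core entries removed here, yet the `<notes>` still say only `file name: struts-core-1.3.8.jar` and the purl regex `@.*$` matches every struts-core version. A suppression that silences a fixed list of CVEs for any version should state why they are false positives and carry an expiry, e.g. `<suppress until="YYYY-MM-DD">` with a date the team chooses, so the list is re-reviewed rather than inherited indefinitely. If the `<cpe>` already removes the struts CPE identification, the `<cve>` entries only matter for findings keyed by purl (OSS Index), which is worth recording in the note so the next maintainer does not read the list as the authoritative false-positive set. The enclosing `<suppress>` element begins before this hunk.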
@@ -118,11 +54,6 @@
<gav regex="true">^org\.apache\.struts:struts\-taglib\:1\.3\.8.*$</gav>
<cpe>cpe:/a:apache:struts</cpe>
</suppress>
- <suppress>
- <notes><![CDATA[file name: dom4j-1.1.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/dom4j/dom4j@.*$</packageUrl>
- <vulnerabilityName>CVE-2018-1000632</vulnerabilityName>
- </suppress>
<suppress>
<notes><![CDATA[file name: bsh-2.0b4.jar]]></notes>
<packageUrl regex="true">^pkg:maven/org\.beanshell/bsh@.*$</packageUrl>
@@ -132,20 +63,8 @@
<notes><![CDATA[ file name: plexus-utils-1.2.jar]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
<cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
- <vulnerabilityName>CVE-2017-1000487</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
+ <cve>CVE-2017-1000487</cve>
<vulnerabilityName>Directory traversal in org.codehaus.plexus.util.Expand</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
<vulnerabilityName>Possible XML Injection</vulnerabilityName>
</suppress>
<suppress>
@@ -157,57 +76,29 @@
<notes><![CDATA[file name: commons-collections-3.2.1.jar]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_collections</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: commons-collections-3.2.1.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl>
- <vulnerabilityName>CVE-2015-6420</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: commons-collections-3.2.1.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl>
- <vulnerabilityName>CVE-2017-15708</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: commons-collections-3.2.1.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl>
+ <cve>CVE-2015-6420</cve>
+ <cve>CVE-2017-15708</cve>
<vulnerabilityName>Remote code execution</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[file name: commons-beanutils-1.7.0.jar]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_beanutils</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: commons-beanutils-1.7.0.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
- <vulnerabilityName>CVE-2014-0114</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: commons-beanutils-1.7.0.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
- <vulnerabilityName>CVE-2019-10086</vulnerabilityName>
+ <cve>CVE-2014-0114</cve>
+ <cve>CVE-2019-10086</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: dom4j-1.1.jar]]></notes>
<packageUrl regex="true">^pkg:maven/dom4j/dom4j@.*$</packageUrl>
<cpe>cpe:/a:dom4j_project:dom4j</cpe>
+ <cve>CVE-2020-10683</cve>
+ <cve>CVE-2018-1000632</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: tiles-ognl-3.0.8.jar]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tiles/tiles\-ognl@.*$</packageUrl>
<cve>CVE-2016-3093</cve>
</suppress>
- <suppress>
- <notes><![CDATA[file name: dom4j-1.1.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/dom4j/dom4j@.*$</packageUrl>
- <vulnerabilityName>CVE-2020-10683</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
- <vulnerabilityName>CVE-2015-2992</vulnerabilityName>
- </suppress>
<!-- quarkus, see: https://github.com/quarkusio/quarkus/issues/2611#issuecomment-553409186 -->
<suppress>
<notes>
@@ -235,6 +126,7 @@
</notes>
<gav regex="true">^io\.quarkus:quarkus-undertow.*:.*$</gav>
<cpe>cpe:/a:redhat:undertow</cpe>
+ <cve>CVE-2022-4147</cve>
</suppress>
<suppress>
<notes>
@@ -254,5 +146,46 @@
<gav regex="true">^io\.quarkus:quarkus-netty.*:.*$</gav>
<cpe>cpe:/a:netty:netty</cpe>
</suppress>
+ <suppress>
+ <notes><![CDATA[microprofile-config-api-2.0.1.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*</packageUrl>
+ <cve>CVE-2022-37422</cve>
+ <cve>CVE-2022-45129</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[quarkus-vertx-http-2.13.1.Final.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-vertx-http@.*</packageUrl>
+ <cve>CVE-2022-4147</cve>
+ </suppress>
<!-- quarkus -->
-</suppressions>
\ No newline at end of file
+ <suppress>
+ <notes><![CDATA[file name: spring-core-4.3.30.RELEASE.jar, spring-aop-4.3.30.RELEASE.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
+ <cve>CVE-2022-22965</cve>
+ <cve>CVE-2022-22950</cve>
+ <cve>CVE-2022-22968</cve>
+ <cve>CVE-2022-22970</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: spring-web-5.3.23.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
+ <cve>CVE-2016-1000027</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: velocity-1.7.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.velocity/velocity@.*</packageUrl>
+ <cve>CVE-2020-13936</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: velocity-tools-2.0.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.velocity/velocity-tools@.*</packageUrl>
+ <cve>CVE-2020-13959</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: xstream-1.4.19.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@1\.4\.19</packageUrl>
+ <cve>CVE-2022-40151</cve>
+ <cve>CVE-2022-40152</cve>
+ <cve>CVE-2022-40156</cve>
+ </suppress>
+</suppressions>
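Review bot: The new Spring suppression's regex `^pkg:maven/org\.springframework/spring\-.*@.*$` matches every org.springframework artifact at every version, so CVE-2022-22965, CVE-2022-22950, CVE-2022-22968 and CVE-2022-22970 are silenced not only for the spring-core/spring-aop 4.3.30 jars named in the note but for any Spring jar any module pulls in, including the spring-web 5.3.23 handled by the next entry. The notes give only file names, and for CVE-2022-22965 the upstream advisory states that older, unsupported versions are also affected, so this looks like an accepted risk on an end-of-life line rather than a false positive; narrow the regex to the two artifacts, e.g. `^pkg:maven/org\.springframework/spring\-(core|aop)@4\.3\..*$`, and record the reason plus an `until="YYYY-MM-DD"` placeholder date in the note. The xstream entry's regex `xstream@1\.4\.19` has no trailing `$` and therefore also matches any longer version string beginning with 1.4.19; add `$` as the Spring entries do. The CVE-2022-4147 entry for quarkus-vertx-http-2.13.1.Final.jar names the very artifact that advisory concerns, so it too needs a stated justification before being kept as a false positive.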