Posted to torque-dev@db.apache.org by gk...@apache.org on 2018/08/15 12:32:04 UTC
svn commit: r1838084 - in /db/torque/torque4/trunk: pom.xml
suppression-owasp-fp.xml torque-ant-tasks/pom.xml torque-generator/pom.xml
torque-maven-plugin/pom.xml torque-templates/pom.xml
Author: gk
Date: Wed Aug 15 12:32:03 2018
New Revision: 1838084
URL: http://svn.apache.org/viewvc?rev=1838084&view=rev
Log:
TORQUE-352: fixed current OWASP Dependency-Check findings (by upgrading dependencies or suppressing confirmed false positives)
Added:
db/torque/torque4/trunk/suppression-owasp-fp.xml (with props)
Modified:
db/torque/torque4/trunk/pom.xml
db/torque/torque4/trunk/torque-ant-tasks/pom.xml
db/torque/torque4/trunk/torque-generator/pom.xml
db/torque/torque4/trunk/torque-maven-plugin/pom.xml
db/torque/torque4/trunk/torque-templates/pom.xml
Modified: db/torque/torque4/trunk/pom.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/pom.xml?rev=1838084&r1=1838083&r2=1838084&view=diff
==============================================================================
--- db/torque/torque4/trunk/pom.xml (original)
+++ db/torque/torque4/trunk/pom.xml Wed Aug 15 12:32:03 2018
@@ -519,6 +519,24 @@
</systemProperties>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <skip>${dependency.check.skip}</skip>
+ <!-- include in sub modules if needed -->
+ <!-- suppressionFiles>
+ <suppressionFile>${project.basedir}/suppression-owasp-fp.xml</suppressionFile>
+ </suppressionFiles-->
+ </configuration>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
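Review bot: The `check` execution added here sets no `<failBuildOnCVSS>`, so with the plugin's default threshold (11 in the 3.x line, as far as I recall) the scan only writes a report and never fails the build, which makes binding it to a goal mostly cosmetic; add `<failBuildOnCVSS>7</failBuildOnCVSS>` next to `<skip>` so findings at or above that score break the build. Note also that `dependency.check.skip` is set to `true` in the properties added further down, so the scan only runs when `-Powasp` is activated; if the intent is to gate releases, the release or CI invocation has to activate that profile explicitly. The commented-out `suppressionFiles` block is understandable since `${project.basedir}` would resolve to each child module's directory when inherited, but that is a reason to use a root-stable path rather than to repeat the block per module.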
@@ -559,6 +577,11 @@
<artifactId>xml-maven-plugin</artifactId>
<version>1.0</version>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>3.1.2</version>
+ </plugin>
</plugins>
</pluginManagement>
</build>
@@ -591,6 +614,7 @@
<project.build.sourceEncoding>ISO-8859-1</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
+ <dependency.check.skip>true</dependency.check.skip>
</properties>
<profiles>
@@ -623,7 +647,7 @@
<module>torque-test</module>
</modules>
</profile>
- <profile>
+ <profile>
<id>java8</id>
<activation>
<jdk>[1.8,)</jdk>
@@ -632,6 +656,12 @@
<additionalparam>-Xdoclint:none</additionalparam>
</properties>
</profile>
+ <profile>
+ <id>owasp</id>
+ <properties>
+ <dependency.check.skip>false</dependency.check.skip>
+ </properties>
+ </profile>
</profiles>
</project>
Added: db/torque/torque4/trunk/suppression-owasp-fp.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/suppression-owasp-fp.xml?rev=1838084&view=auto
==============================================================================
--- db/torque/torque4/trunk/suppression-owasp-fp.xml (added)
+++ db/torque/torque4/trunk/suppression-owasp-fp.xml Wed Aug 15 12:32:03 2018
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- general cft. https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <!-- https://issues.apache.org/jira/browse/LOG4J2-1863 i.e. log4j 2.8.2 fixes, but affected versions match only log4j2 2.x, not log4j 1.x -->
+ <suppress>
+ <notes><![CDATA[
+ file name: log4j-1.2.17.jar
+ ]]></notes>
+ <sha1>5af35056b4d257e4b64b9e8069c0746e8b08629f</sha1>
+ <cve>CVE-2017-5645</cve>
+ </suppress>
+</suppressions>
\ No newline at end of file
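Review bot: The suppression has no expiry, so CVE-2017-5645 stays hidden for `log4j-1.2.17.jar` indefinitely without anyone re-checking it; the suppression schema referenced on the root element supports an `until` attribute (I believe since the 1.1 schema), e.g. `<suppress until="2019-08-15Z">`, which forces a periodic re-evaluation. The rationale lives only in the XML comment above the element and therefore does not appear in the generated report; it belongs inside `<notes>` as well, e.g. `file name: log4j-1.2.17.jar -- CVE-2017-5645 targets the log4j 2.x SocketServer; CPE match on 1.x is a false positive, see LOG4J2-1863`. Matching on `<sha1>` plus a single `<cve>` is appropriately narrow, so the suppression will not mask other findings on a different jar. Separately, log4j 1.2.x has been end-of-life since 2015 and receives no fixes, so even with this CVE correctly suppressed the dependency itself deserves a tracking issue.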
Propchange: db/torque/torque4/trunk/suppression-owasp-fp.xml
------------------------------------------------------------------------------
svn:eol-style = native
Modified: db/torque/torque4/trunk/torque-ant-tasks/pom.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/torque-ant-tasks/pom.xml?rev=1838084&r1=1838083&r2=1838084&view=diff
==============================================================================
--- db/torque/torque4/trunk/torque-ant-tasks/pom.xml (original)
+++ db/torque/torque4/trunk/torque-ant-tasks/pom.xml Wed Aug 15 12:32:03 2018
@@ -79,6 +79,15 @@
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${project.parent.basedir}/suppression-owasp-fp.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>
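Review bot: `${project.parent.basedir}` in the added `suppressionFile` is, if I recall correctly, only reliable inside a reactor build; when this module is built on its own and the parent is resolved from the local repository the parent has no basedir, the path interpolates to something like `null/suppression-owasp-fp.xml`, and the `check` goal fails on a missing suppression file rather than scanning. The same three-line block is repeated in torque-generator, torque-maven-plugin and torque-templates in this commit while the root pom carries it commented out, so the path is maintained in four places. Define it once in the parent's `<pluginManagement>` entry with a path that is stable across modules, e.g. `<suppressionFile>${maven.multiModuleProjectDirectory}/suppression-owasp-fp.xml</suppressionFile>` (Maven 3.3.1+), and drop the per-module plugin blocks.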
Modified: db/torque/torque4/trunk/torque-generator/pom.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/torque-generator/pom.xml?rev=1838084&r1=1838083&r2=1838084&view=diff
==============================================================================
--- db/torque/torque4/trunk/torque-generator/pom.xml (original)
+++ db/torque/torque4/trunk/torque-generator/pom.xml Wed Aug 15 12:32:03 2018
@@ -83,10 +83,11 @@
<artifactId>velocity</artifactId>
<version>1.7</version>
</dependency>
+ <!-- upgrading to at least 2.4.8 due to CVE-2015-3253 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6814 -->
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
- <version>2.1.0</version>
+ <version>2.4.15</version>
</dependency>
<dependency>
<!--
@@ -94,15 +95,17 @@
xml parser packaged in java is sometimes buggy (e.g.1.6.0_20 on windows)
so better explicitly use a working parser
-->
+ <!-- upgrading to 2.12. due to https://nvd.nist.gov/vuln/detail/CVE-2012-0881 -->
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
- <version>2.9.1</version>
- <exclusions>
+ <version>2.12.0</version>
+ <!-- removed exclusion due to java.lang.NoClassDefFoundError: org/w3c/dom/Element -->
+ <!--exclusions>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
- </exclusions>
+ </exclusions-->
</dependency>
<dependency>
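Review bot: The `<exclusions>` block is commented out (`<!--exclusions>` … `</exclusions-->`) rather than removed, leaving dead configuration that POM tooling will never see, while the comment on the line above already records why the exclusion was dropped; delete the block and keep the one-line comment. The enclosing `<dependency>` element and the comment whose last three lines form the leading context both start outside this hunk. Note also that CVE-2012-0881, cited in the new comment, is a hash-collision denial of service; the upgrade does not by itself harden the parser against XXE or entity expansion, which depends on how the generator configures the `DocumentBuilderFactory`/`SAXParserFactory` that ends up backed by this jar — not visible here, but worth confirming that `disallow-doctype-decl` or `FEATURE_SECURE_PROCESSING` is enabled on the inputs the generator parses.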
@@ -177,6 +180,15 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${project.parent.basedir}/suppression-owasp-fp.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>
Modified: db/torque/torque4/trunk/torque-maven-plugin/pom.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/torque-maven-plugin/pom.xml?rev=1838084&r1=1838083&r2=1838084&view=diff
==============================================================================
--- db/torque/torque4/trunk/torque-maven-plugin/pom.xml (original)
+++ db/torque/torque4/trunk/torque-maven-plugin/pom.xml Wed Aug 15 12:32:03 2018
@@ -64,9 +64,10 @@
xml parser packaged in java is sometimes buggy (e.g.1.6.0_20 on windows)
so better explicitly use a working parser
-->
+ <!-- upgrading to 2.12. due to https://nvd.nist.gov/vuln/detail/CVE-2012-0881 -->
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
- <version>2.9.1</version>
+ <version>2.12.0</version>
</dependency>
<dependency>
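Review bot: `xercesImpl` is pinned to 2.12.0 here and again in torque-generator/pom.xml in the same commit, with the justification comment duplicated, so the next Xerces security bump has to be made in two places and the two modules can silently drift. Since the root pom is already being modified in this commit, declare the version once in a parent `<dependencyManagement>` entry or a `<xerces.version>` property and leave the module-level dependencies version-less. The root pom hunks in this diff do not show an existing `<dependencyManagement>` section, so one may need to be added.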
@@ -98,6 +99,15 @@
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${project.parent.basedir}/suppression-owasp-fp.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>
Modified: db/torque/torque4/trunk/torque-templates/pom.xml
URL: http://svn.apache.org/viewvc/db/torque/torque4/trunk/torque-templates/pom.xml?rev=1838084&r1=1838083&r2=1838084&view=diff
==============================================================================
--- db/torque/torque4/trunk/torque-templates/pom.xml (original)
+++ db/torque/torque4/trunk/torque-templates/pom.xml Wed Aug 15 12:32:03 2018
@@ -96,6 +96,15 @@
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${project.parent.basedir}/suppression-owasp-fp.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>