Posted to commits@tomee.apache.org by jg...@apache.org on 2019/02/19 11:14:08 UTC

[tomee] branch tomee-1.7.x updated (29d603e -> 0bf303f)

This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a change to branch tomee-1.7.x
in repository https://gitbox.apache.org/repos/asf/tomee.git.


    from 29d603e  Attempt to make this more robust
     new cc9f949  Update OpenSAML to 2.6.5
     new 0bf303f  TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 owasp-dc-suppression.xml   | 80 ++++++++++++++++++++++++++++++++++++++++++++++
 pom.xml                    | 64 +++++++++++++++++++++++++++++++++++++
 server/openejb-cxf/pom.xml |  2 +-
 3 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 owasp-dc-suppression.xml


[tomee] 02/02: TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"

Posted by jg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a commit to branch tomee-1.7.x
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 0bf303f3fa7234d3bb241b6014060f96425a021b
Author: rzo1 <ri...@zowalla.com>
AuthorDate: Tue Dec 18 11:20:23 2018 +0100

    TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0) and "owasp-report"
---
 owasp-dc-suppression.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++++++
 pom.xml                  | 52 +++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)

diff --git a/owasp-dc-suppression.xml b/owasp-dc-suppression.xml
new file mode 100644
index 0000000..04b5050
--- /dev/null
+++ b/owasp-dc-suppression.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2018-8031</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2010-1151</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:apache_http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: ziplock-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:ziplock:.*$</gav>
+        <cpe>cpe:/a:zip_project:zip</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file
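Review bot: The two CVE suppressions at the top of the file (CVE-2018-8031 and CVE-2010-1151) match every org.apache.tomee artifact at any version, and their `notes` text "self dependencies..." does not record why the finding does not apply to this branch, so a reader cannot tell a confirmed false positive from an unfixed issue that is simply being hidden from the report. Each of those `<notes>` should state the reason in one line, e.g. `file name: org.apache.tomee:* - reported against the project's own artifacts; fixed / not applicable on tomee-1.7.x as of <version>` (with the real version filled in), and the `<suppress>` elements should carry an `until="YYYY-MM-DD"` expiry so the decision is revisited instead of silently kept forever. The CPE-based entries further down (apache_http_server, zip, git) are plain product-name collisions and read fine as written, though the same expiry would not hurt there either. The file is also missing its trailing newline.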
diff --git a/pom.xml b/pom.xml
index 1eb5531..1714f61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -342,6 +342,11 @@
           <artifactId>maven-deploy-plugin</artifactId>
           <version>2.8.2</version>
         </plugin>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>4.0.0</version>
+        </plugin>
       </plugins>
     </pluginManagement>
 
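Review bot: The `pluginManagement` entry added here only pins the version, while the second hunk of this file repeats the same `<configuration>` (both skip flags and `suppressionFiles`) verbatim in the owasp-report and owasp-check profiles; declaring that shared configuration once on this managed plugin would leave each profile with just its goal and, for owasp-check, `failBuildOnCVSS`. This keeps the suppression-file path and scope settings from drifting apart between the two profiles the next time one of them is edited. The profiles themselves are in the following hunk of this diff.

```xml
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>4.0.0</version>
          <!-- shared by the owasp-report and owasp-check profiles -->
          <configuration>
            <skipProvidedScope>true</skipProvidedScope>
            <skipRuntimeScope>true</skipRuntimeScope>
            <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
          </configuration>
        </plugin>
```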
@@ -701,6 +706,53 @@
     </profile>
 
     <profile>
+      <id>owasp-report</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>aggregate</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>owasp-check</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <failBuildOnCVSS>8.0</failBuildOnCVSS>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
       <id>rat</id>
       <modules>
         <module>itests</module>
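Review bot: Both new profiles set `<skipRuntimeScope>true</skipRuntimeScope>`, which excludes runtime-scoped dependencies from the scan even though, for a server distribution, those are exactly the jars that get bundled and shipped to users; unless there is a deliberate reason, only the provided scope should be skipped, i.e. drop the `skipRuntimeScope` line from both `<configuration>` blocks. As far as I recall, the plugin fails the build when a finding's score is greater than or equal to `failBuildOnCVSS`, so the commit message's "score > 8.0" may be off at the boundary — worth confirming against the plugin documentation and adjusting the wording or the threshold. `${maven.multiModuleProjectDirectory}` is, to my knowledge, only set by Maven 3.3.1 and later; if the project allows older Maven versions the suppression file would not be found, so the minimum version should be enforced or documented next to these profiles.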


[tomee] 01/02: Update OpenSAML to 2.6.5

Posted by jg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a commit to branch tomee-1.7.x
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit cc9f94991a35d206430d64a1aa17a4bf741195e1
Author: Jonathan Gallimore <jo...@jrg.me.uk>
AuthorDate: Thu Feb 14 10:59:41 2019 +0000

    Update OpenSAML to 2.6.5
---
 pom.xml                    | 12 ++++++++++++
 server/openejb-cxf/pom.xml |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 8fa059b..1eb5531 100644
--- a/pom.xml
+++ b/pom.xml
@@ -845,6 +845,18 @@
     <!--<url>http://download.java.net/maven/1</url>-->
     <!--<layout>legacy</layout>-->
     <!--</repository>-->
+
+    <!-- For OpenSAML 2.6.5, required by server/openejb-cxf -->
+    <repository>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>Shibboleth Releases</id>
+      <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
+    </repository>
   </repositories>
   <pluginRepositories>
     <pluginRepository>
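Review bot: The new `<repository>` is declared in the root pom's `<repositories>`, so every module in the build — not only server/openejb-cxf, which the comment names as the sole consumer — will consult build.shibboleth.net for any artifact the earlier repositories do not have; a third-party repository with that reach widens the supply-chain exposure of the whole build, so it should be scoped to `server/openejb-cxf/pom.xml` unless there is a reason to keep it global. The id `Shibboleth Releases` contains a space; Maven uses the repository id to match `<server>` and `<mirror>` entries in settings.xml and, as far as I know, in local metadata file names, so a conventional id such as `<id>shibboleth-releases</id>` is safer. Using https for the URL and disabling snapshots is good.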
diff --git a/server/openejb-cxf/pom.xml b/server/openejb-cxf/pom.xml
index 68d2c81..debfb34 100644
--- a/server/openejb-cxf/pom.xml
+++ b/server/openejb-cxf/pom.xml
@@ -73,7 +73,7 @@
     <dependency>
       <groupId>org.opensaml</groupId>
       <artifactId>opensaml</artifactId>
-      <version>2.6.4</version>
+      <version>2.6.5</version>
       <exclusions>
         <exclusion>
           <groupId>org.bouncycastle</groupId>