Posted to commits@flex.apache.org by jo...@apache.org on 2023/01/09 23:37:36 UTC

[flex-blazeds] branch security-updates updated (d7bfa14 -> 319d598)

This is an automated email from the ASF dual-hosted git repository.

joshtynjala pushed a change to branch security-updates
in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git


    from d7bfa14  remove old source-release assembly stuff now that it's moved into distribution
     new c7b937e  owasp dependency check should be opt-in
     new 7416b97  skip target for modules that are not in the current profile
     new 319d598  README: Java 8

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 README  |  2 +-
 pom.xml | 76 ++++++++++++++++++++++++++++++++++++++---------------------------
 2 files changed, 45 insertions(+), 33 deletions(-)


[flex-blazeds] 03/03: README: Java 8

Posted by jo...@apache.org.

joshtynjala pushed a commit to branch security-updates
in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git

commit 319d5987d09dfe21c63892ef5ded14c45b4beec7
Author: Josh Tynjala <jo...@bowlerhat.dev>
AuthorDate: Mon Jan 9 15:33:56 2023 -0800

    README: Java 8
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 1809f55..29dc057 100644
--- a/README
+++ b/README
@@ -61,7 +61,7 @@ Install Prerequisites
     SOFTWARE                                    ENVIRONMENT VARIABLE (absolute paths)
     ==================================================================================
 
-    Java SDK 1.7 or greater (*1)                JAVA_HOME
+    Java SDK 1.8 or greater (*1)                JAVA_HOME
 
     Maven 2.2.0 or greater (*1)                 MAVEN_HOME
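Review bot: the bump from Java SDK 1.7 to 1.8 in this hunk is documentation only; nothing in this commit changes what the build actually enforces, so a 1.7 toolchain would still build and the README would be the only guard. Pair it with the matching compiler setting in pom.xml (maven.compiler.source/target) or a maven-enforcer-plugin requireJavaVersion rule in the same change, so the README and the build agree. The unchanged `Maven 2.2.0 or greater (*1)` line directly below this edit is also worth re-verifying rather than carrying forward, since the sibling commits on this branch now rely on a current dependency-check-maven plugin.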
 


[flex-blazeds] 01/03: owasp dependency check should be opt-in

Posted by jo...@apache.org.

joshtynjala pushed a commit to branch security-updates
in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git

commit c7b937e41dc580d780c38f32f4d67bbe28b1edaa
Author: Josh Tynjala <jo...@bowlerhat.dev>
AuthorDate: Mon Jan 9 15:25:32 2023 -0800

    owasp dependency check should be opt-in
    
    This allows the CI server or release manager to enable it as needed, but regular users should be allowed to build
---
 pom.xml | 70 +++++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 38 insertions(+), 32 deletions(-)

diff --git a/pom.xml b/pom.xml
index 7d141bd..268b49a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -80,38 +80,6 @@
 
     <build>
         <plugins>
-            <!--
-              Check the referenced dependencies for known vulnerabilities
-              and fail the build if there are critical ones in our classpath
-            -->
-            <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-                <version>7.4.4</version>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>check</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <!-- Fail the build on any CVE, which is not considered minor -->
-                    <failBuildOnCVSS>4</failBuildOnCVSS>
-                    <excludes>
-                        <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
-                        <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
-                        <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
-                        <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
-                        <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
-                        <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
-                        <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
-                        <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
-                        <exclude>commons-httpclient:commons-httpclient</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
-
             <plugin>
                 <groupId>org.apache.rat</groupId>
                 <artifactId>apache-rat-plugin</artifactId>
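Review bot: removing this plugin from the default `<build>` means a plain `mvn verify` no longer fails on vulnerable dependencies, so the protection now depends entirely on someone remembering to activate the profile. The commit message should name the profile (`with-owasp`) and the README build section should be updated in the same change, and the CI job for the security-updates branch should be confirmed to pass `-Pwith-owasp`; otherwise the check is not made opt-in, it is silently lost.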
@@ -379,6 +347,44 @@
                 <module>distribution</module>
             </modules>
         </profile>
+        <profile>
+            <id>with-owasp</id>
+            <build>
+                <plugins>
+                    <!--
+                    Check the referenced dependencies for known vulnerabilities
+                    and fail the build if there are critical ones in our classpath
+                    -->
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>7.4.4</version>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                        <configuration>
+                            <!-- Fail the build on any CVE, which is not considered minor -->
+                            <failBuildOnCVSS>4</failBuildOnCVSS>
+                            <excludes>
+                                <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
+                                <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
+                                <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
+                                <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
+                                <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
+                                <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
+                                <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
+                                <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
+                                <exclude>commons-httpclient:commons-httpclient</exclude>
+                            </excludes>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
 </project>
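Review bot: the new `with-owasp` profile has no `<activation>` element, so it runs only with an explicit `-Pwith-owasp`; a property-based activation (for example on `-Downasp.check=true`, name hypothetical) would let CI and the release manager toggle it without maintaining profile lists, which is what the commit message says the change is for. Separately, the block was moved verbatim, so it still carries the `TODO` exclusion of `commons-httpclient:commons-httpclient`; on a branch named security-updates that deserves a tracking issue rather than being carried along, because an `<exclude>` suppresses every finding against that artifact, not the one CVE the comment mentions.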


[flex-blazeds] 02/03: skip target for modules that are not in the current profile

Posted by jo...@apache.org.

joshtynjala pushed a commit to branch security-updates
in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git

commit 7416b970463dbf5840ae90de054c36cdef967fae
Author: Josh Tynjala <jo...@bowlerhat.dev>
AuthorDate: Mon Jan 9 15:25:52 2023 -0800

    skip target for modules that are not in the current profile
---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pom.xml b/pom.xml
index 268b49a..60da534 100755
--- a/pom.xml
+++ b/pom.xml
@@ -96,6 +96,12 @@
                 <configuration>
                     <useMavenDefaultExcludes>true</useMavenDefaultExcludes>
                     <excludes>
+                        <!--
+                            some modules aren't included in every build.
+                            this ensures that their "target" dir is skipped
+                            when not included.
+                        -->
+                        <exclude>**/target/**</exclude>
                         <!-- Ignore IDE project files -->
                         <exclude>**/*.iml</exclude>
                         <exclude>**/.vscode/**</exclude>
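Review bot: the new comment states the symptom but not the cause, which makes the added `**/target/**` exclude look redundant next to `useMavenDefaultExcludes`; that option only skips the current module's own `target/`, so a `target/` directory left behind by a module that is not part of the active profile is still scanned by RAT and reported for missing license headers. Reword the comment to say that (and start it with a capital, matching the `Ignore IDE project files` comment below) so the next reader does not remove the exclude as a duplicate.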