Posted to commits@knox.apache.org by kr...@apache.org on 2019/01/07 15:46:08 UTC
[knox] branch master updated: KNOX-1721 - Upgrade
dependency-check-maven to 4.0.2
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 4dba014 KNOX-1721 - Upgrade dependency-check-maven to 4.0.2
4dba014 is described below
commit 4dba014d2fc59fc6b6f4e325a80f417ad09836ad
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Wed Jan 2 15:56:51 2019 -0500
KNOX-1721 - Upgrade dependency-check-maven to 4.0.2
Signed-off-by: Kevin Risden <kr...@apache.org>
---
.../build-tools/dependency-check/suppressions.xml | 7 ++----
pom.xml | 29 +++++++++++++++++++++-
2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
index 5074ddd..ee181fe 100644
--- a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
+++ b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
@@ -35,6 +35,7 @@ limitations under the License.
<notes><![CDATA[file name: apacheds-.*.jar]]></notes>
<gav regex="true">^org\.apache\.directory\.server:apacheds-.*$</gav>
<cpe>cpe:/a:apache:apache_http_server</cpe>
+ <cpe>cpe:/a:apache:http_server</cpe>
<cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
</suppress>
<suppress>
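Review bot: The `<notes>` text on this apacheds entry only names the jar, so nothing records why the added `cpe:/a:apache:http_server` is a misidentification rather than an accepted risk. Because the `<gav>` regex matches every apacheds version, a CPE-level suppression hides all current and future CVEs filed under that CPE for those artifacts. I would extend the note text to something like `file name: apacheds-.*.jar - ApacheDS is an LDAP server; the Apache HTTP Server CPE is a false match`. The same applies to the `cpe:/a:jwt_project:jwt` line added in the next hunk. The enclosing `<suppress>` element opens above this hunk.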
@@ -50,6 +51,7 @@ limitations under the License.
<cpe>cpe:/a:apache:shiro</cpe>
<cpe>cpe:/a:apache:storm</cpe>
<cpe>cpe:/a:content_project:content</cpe>
+ <cpe>cpe:/a:jwt_project:jwt</cpe>
<cpe>cpe:/a:request_it:request_it</cpe>
</suppress>
<suppress>
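Review bot: The `<gav>` pattern that scopes this `<suppress>` block sits above the hunk, so it is not visible here which artifacts stop being matched against `cpe:/a:jwt_project:jwt`. If that pattern covers any artifact that actually parses or verifies JWTs, the added line would also hide genuine findings for it. Please confirm the pattern is limited to the artifacts that triggered the false match. If it is broader, move this CPE into its own `<suppress>` entry with a narrower `<gav>`.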
@@ -95,11 +97,6 @@ limitations under the License.
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress>
- <notes><![CDATA[file name: pac4j-oidc-.*.jar]]></notes>
- <gav regex="true">^org\.pac4j:pac4j-oidc:.*$</gav>
- <cpe>cpe:/a:openid:openid</cpe>
- </suppress>
- <suppress>
<notes><![CDATA[slf4j-ext and EventData not used]]></notes>
<gav regex="true">^org\.slf4j:.*$</gav>
<cve>CVE-2018-8088</cve>
diff --git a/pom.xml b/pom.xml
index 0d5f44b..52f80c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -162,7 +162,7 @@
<cors-filter.version>2.6</cors-filter.version>
<curator.version>4.1.0</curator.version>
<curator-test.version>2.13.0</curator-test.version>
- <dependency-check-maven.version>4.0.1</dependency-check-maven.version>
+ <dependency-check-maven.version>4.0.2</dependency-check-maven.version>
<easymock.version>4.0.2</easymock.version>
<eclipselink.version>2.7.3</eclipselink.version>
<ehcache.version>2.6.11</ehcache.version>
@@ -273,6 +273,33 @@
</profile>
<profile>
<id>owasp</id>
+ <!--
+ These repositories are defined by dependencies but the owasp dependency check
+ plugin doesn't pull in these repositories. This then causes failures when
+ trying to download commonj and saml dependencies.
+ -->
+ <repositories>
+ <repository>
+ <id>jboss-puplic</id>
+ <url>https://repository.jboss.org/nexus/content/repositories/public</url>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ </repository>
+ <repository>
+ <id>shib-release</id>
+ <url>https://build.shibboleth.net/nexus/content/groups/public</url>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ </repository>
+ </repositories>
<build>
<plugins>
<plugin>
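Review bot: The two `<repository>` entries added to the `owasp` profile set no `<checksumPolicy>`, so under Maven 3 the default `warn` applies and an artifact whose checksum does not match is still used. These are additional third-party hosts consulted during resolution in this profile, so I would add `<checksumPolicy>fail</checksumPolicy>` inside each `<releases>` element. The first id also looks misspelled: `jboss-puplic`. If `jboss-public` was intended, fix it now, because mirror and server entries in `settings.xml` match on the id. The `<profile>` and `<build>` elements continue outside the hunk.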