Posted to commits@plc4x.apache.org by cd...@apache.org on 2022/08/29 13:03:34 UTC
[plc4x] branch develop updated: fix(plc4j/opc-ua): Added some exclusions to the depedency-check, as it was reporting two invalid CVEs (They were referring to an OPC-UA rust library)
This is an automated email from the ASF dual-hosted git repository.
cdutz pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/plc4x.git
The following commit(s) were added to refs/heads/develop by this push:
new 07378bd1f fix(plc4j/opc-ua): Added some exclusions to the depedency-check, as it was reporting two invalid CVEs (They were referring to an OPC-UA rust library)
07378bd1f is described below
commit 07378bd1f4b213782229e28abab3b57e2c9c17d7
Author: Christofer Dutz <ch...@c-ware.de>
AuthorDate: Mon Aug 29 15:03:26 2022 +0200
fix(plc4j/opc-ua): Added some exclusions to the dependency-check, as it was reporting two invalid CVEs (They were referring to an OPC-UA rust library)
---
plc4j/drivers/opcua/false-positives.xml | 28 ++++++++++++++++++++++++++++
plc4j/drivers/opcua/pom.xml | 7 +++++++
pom.xml | 2 +-
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/plc4j/drivers/opcua/false-positives.xml b/plc4j/drivers/opcua/false-positives.xml
new file mode 100644
index 000000000..87bf8ffae
--- /dev/null
+++ b/plc4j/drivers/opcua/false-positives.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+ <suppress>
+ <notes><![CDATA[
+ The related CVEs refer to an OPC-UA rust library.
+ ]]></notes>
+ <cve>CVE-2022-25888</cve>
+ <cve>CVE-2022-25903</cve>
+ </suppress>
+</suppressions>
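Review bot: The `<suppress>` block at lines 45-51 carries no `<packageUrl>` or `<gav>` element, so CVE-2022-25888 and CVE-2022-25903 are suppressed for every dependency this module scans, not only the artifact that was mis-identified as the Rust OPC-UA library; a future Java dependency genuinely affected by either id would be hidden as well. Scoping it with `<packageUrl regex="true">^pkg:maven/GROUP_ID/ARTIFACT_ID@.*$</packageUrl>` (placeholder coordinates — use the artifact named in the dependency-check report) keeps the suppression to the false match. An expiry such as `<suppress until="YYYY-MM-DD">` (placeholder date) forces the entry to be re-reviewed instead of persisting indefinitely. The `<notes>` text would also serve that review better if it recorded which artifact and CPE the scanner matched, since the one-sentence note alone does not let a later maintainer verify the false positive.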
diff --git a/plc4j/drivers/opcua/pom.xml b/plc4j/drivers/opcua/pom.xml
index cc76e25f2..587409df1 100644
--- a/plc4j/drivers/opcua/pom.xml
+++ b/plc4j/drivers/opcua/pom.xml
@@ -122,6 +122,13 @@
</usedDependencies>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>${project.basedir}/false-positives.xml</suppressionFiles>
+ </configuration>
+ </plugin>
</plugins>
</build>
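Review bot: The new `<configuration>` at lines 64-66 sets `<suppressionFiles>` without `combine.children="append"`, and a child-pom configuration element replaces the same-named element inherited from the parent's pluginManagement rather than adding to it; if the root pom already configures suppression files for dependency-check, they stop applying to this module. `<suppressionFiles combine.children="append">` keeps both sets in effect. The plugin declares no `<version>`, so it depends on the parent managing it, which the root-pom `owasp-dependency-check.version` change in this commit suggests is the case. The enclosing `<plugins>` and `<build>` elements start outside the hunk.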
diff --git a/pom.xml b/pom.xml
index 218ecb707..8b5ab3f94 100644
--- a/pom.xml
+++ b/pom.xml
@@ -151,7 +151,7 @@
<milo.version>0.6.6</milo.version>
<mockito.version>4.7.0</mockito.version>
<netty.version>4.1.79.Final</netty.version>
- <owasp-dependency-check.version>7.1.1</owasp-dependency-check.version>
+ <owasp-dependency-check.version>7.1.2</owasp-dependency-check.version>
<pcap4j.version>1.8.2</pcap4j.version>
<slf4j.version>2.0.0</slf4j.version>
<vavr.version>0.10.4</vavr.version>