Posted to commits@plc4x.apache.org by cd...@apache.org on 2022/10/10 23:31:30 UTC
[plc4x] branch develop updated: chore(release): Merged back the changes related to removing the owasp dependency plugin
This is an automated email from the ASF dual-hosted git repository.
cdutz pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/plc4x.git
The following commit(s) were added to refs/heads/develop by this push:
new 09ce36cbc chore(release): Merged back the changes related to removing the owasp dependency plugin
09ce36cbc is described below
commit 09ce36cbc79ff3d774f6e6f4c188a39f882acc3b
Author: Christofer Dutz <ch...@c-ware.de>
AuthorDate: Mon Oct 10 18:31:22 2022 -0500
chore(release): Merged back the changes related to removing the owasp dependency plugin
---
plc4j/drivers/mock/false-positives.xml | 27 ----------
plc4j/drivers/mock/pom.xml | 12 -----
plc4j/drivers/opcua/false-positives.xml | 28 ----------
plc4j/drivers/opcua/pom.xml | 8 ---
plc4j/examples/pom.xml | 8 ---
.../apache-nifi/nifi-plc4x-nar/false-positives.xml | 27 ----------
.../apache-nifi/nifi-plc4x-nar/pom.xml | 7 ---
plc4j/utils/test-utils/false-positives.xml | 27 ----------
plc4j/utils/test-utils/pom.xml | 12 -----
pom.xml | 59 ----------------------
10 files changed, 215 deletions(-)
diff --git a/plc4j/drivers/mock/false-positives.xml b/plc4j/drivers/mock/false-positives.xml
deleted file mode 100644
index a954ca81a..000000000
--- a/plc4j/drivers/mock/false-positives.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
- <suppress>
- <notes><![CDATA[
- The plugin is reporting this CVE which actually shouldn't be affecting any Java application.
- ]]></notes>
- <cve>CVE-2022-31514</cve>
- </suppress>
-</suppressions>
diff --git a/plc4j/drivers/mock/pom.xml b/plc4j/drivers/mock/pom.xml
index 36190a60d..2db6e64b2 100644
--- a/plc4j/drivers/mock/pom.xml
+++ b/plc4j/drivers/mock/pom.xml
@@ -31,18 +31,6 @@
<name>PLC4J: Driver: Mock</name>
<description>Implementation of a PLC4X driver Mock usable in Unit-Tests.</description>
- <build>
- <plugins>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <configuration>
- <suppressionFiles>${project.basedir}/false-positives.xml</suppressionFiles>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
<dependencies>
<dependency>
<groupId>org.apache.plc4x</groupId>
diff --git a/plc4j/drivers/opcua/false-positives.xml b/plc4j/drivers/opcua/false-positives.xml
deleted file mode 100644
index 87bf8ffae..000000000
--- a/plc4j/drivers/opcua/false-positives.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
- <suppress>
- <notes><![CDATA[
- The related CVEs refer to an OPC-UA rust library.
- ]]></notes>
- <cve>CVE-2022-25888</cve>
- <cve>CVE-2022-25903</cve>
- </suppress>
-</suppressions>
diff --git a/plc4j/drivers/opcua/pom.xml b/plc4j/drivers/opcua/pom.xml
index 697a908ab..a5a711473 100644
--- a/plc4j/drivers/opcua/pom.xml
+++ b/plc4j/drivers/opcua/pom.xml
@@ -122,14 +122,6 @@
</usedDependencies>
</configuration>
</plugin>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <configuration>
- <skip>true</skip>
- <suppressionFiles>${project.basedir}/false-positives.xml</suppressionFiles>
- </configuration>
- </plugin>
</plugins>
</build>
diff --git a/plc4j/examples/pom.xml b/plc4j/examples/pom.xml
index 2f95b4b2f..2447ca392 100644
--- a/plc4j/examples/pom.xml
+++ b/plc4j/examples/pom.xml
@@ -68,14 +68,6 @@
<skip>true</skip>
</configuration>
</plugin>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <configuration>
- <!-- Don't fail the examples on CVSS errors -->
- <failBuildOnCVSS>11</failBuildOnCVSS>
- </configuration>
- </plugin>
<!-- Build a fat jar containing all dependencies -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
diff --git a/plc4j/integrations/apache-nifi/nifi-plc4x-nar/false-positives.xml b/plc4j/integrations/apache-nifi/nifi-plc4x-nar/false-positives.xml
deleted file mode 100644
index bdbb02729..000000000
--- a/plc4j/integrations/apache-nifi/nifi-plc4x-nar/false-positives.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
- <suppress>
- <notes><![CDATA[
- The plugin is detecting our nifi-plc4x-processors module as really old NIFI artifact and reporting it as vulnerable.
- ]]></notes>
- <cpe>cpe:/a:apache:nifi</cpe>
- </suppress>
-</suppressions>
diff --git a/plc4j/integrations/apache-nifi/nifi-plc4x-nar/pom.xml b/plc4j/integrations/apache-nifi/nifi-plc4x-nar/pom.xml
index 8cf97d14d..e3aa467a1 100644
--- a/plc4j/integrations/apache-nifi/nifi-plc4x-nar/pom.xml
+++ b/plc4j/integrations/apache-nifi/nifi-plc4x-nar/pom.xml
@@ -39,13 +39,6 @@
<build>
<pluginManagement>
<plugins>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <configuration>
- <suppressionFiles>${project.basedir}/false-positives.xml</suppressionFiles>
- </configuration>
- </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
diff --git a/plc4j/utils/test-utils/false-positives.xml b/plc4j/utils/test-utils/false-positives.xml
deleted file mode 100644
index a954ca81a..000000000
--- a/plc4j/utils/test-utils/false-positives.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- -->
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
- <suppress>
- <notes><![CDATA[
- The plugin is reporting this CVE which actually shouldn't be affecting any Java application.
- ]]></notes>
- <cve>CVE-2022-31514</cve>
- </suppress>
-</suppressions>
diff --git a/plc4j/utils/test-utils/pom.xml b/plc4j/utils/test-utils/pom.xml
index 879a4edd6..210594fea 100644
--- a/plc4j/utils/test-utils/pom.xml
+++ b/plc4j/utils/test-utils/pom.xml
@@ -32,18 +32,6 @@
<name>PLC4J: Utils: Test Utils</name>
<description>A set of test utils. Especially defining the test-categories used to categorize tests.</description>
- <build>
- <plugins>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <configuration>
- <suppressionFiles>${project.basedir}/false-positives.xml</suppressionFiles>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
<dependencies>
<dependency>
<groupId>org.apache.plc4x</groupId>
diff --git a/pom.xml b/pom.xml
index ebdaa6df3..554765623 100644
--- a/pom.xml
+++ b/pom.xml
@@ -152,7 +152,6 @@
<milo.version>0.6.8</milo.version>
<mockito.version>4.8.0</mockito.version>
<netty.version>4.1.82.Final</netty.version>
- <owasp-dependency-check.version>7.2.1</owasp-dependency-check.version>
<pcap4j.version>1.8.2</pcap4j.version>
<slf4j.version>2.0.3</slf4j.version>
<vavr.version>0.10.4</vavr.version>
@@ -867,45 +866,6 @@
</execution>
</executions>
</plugin>
-
- <!--
- Check the referenced dependencies for known vulnerabilities
- and fail the build if there are critical ones in our classpath
- -->
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <executions>
- <execution>
- <goals>
- <goal>check</goal>
- </goals>
- </execution>
- </executions>
- <configuration>
- <skip>${skip-dependency-cve-scan}</skip>
- <!-- Fail the build on any CVE, which is not considered minor -->
- <failBuildOnCVSS>4</failBuildOnCVSS>
- <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
- <!-- On some systems some analysis seems to randomly fail ... don't let this fail the build -->
- <failOnError>false</failOnError>
- <excludes>
- <!-- For some reason the plugin detects our ADS driver as TwinCAT for which CVEs exist. -->
- <exclude>org.apache.plc4x:plc4j-driver-ads</exclude>
- <!--
- CVE-2020-13955 affects Apache Calcite till version 1.26 (excluding)
- We're using at least 1.28, so this is a false positive.
- -->
- <exclude>org.apache.calcite.avatica:avatica-core</exclude>
- <exclude>javax.ws.rs:javax.ws.rs-api</exclude>
- <!--
- With 4.7.0 this gets falsely detected as junit 4.7.0 which the produces a unrelated CVE-2020-15250
- -->
- <exclude>org.mockito:mockito-junit-jupiter</exclude>
- </excludes>
- </configuration>
- </plugin>
-
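Review bot: After this hunk the Maven build has no dependency-vulnerability gate at all — the removed `dependency-check-maven` execution with `failBuildOnCVSS` set to 4 was the only CVE check in the root pom, and neither the hunk nor the commit message says what replaces it (a CI-side scanner, Dependabot, or an ASF-level scan). If a replacement exists, a one-line pointer where the plugin sat would keep the next maintainer from assuming coverage is still in place, e.g. `<!-- Dependency CVE scanning moved out of the Maven build; see <ci-location> -->`; if none exists, that gap is worth stating explicitly in the commit message. The triage recorded in the deleted suppression files and the `excludes` here (which CVEs were judged false positives and why) is lost with this change, so any re-instated scanner will have to re-derive those decisions. The `skip-dependency-cve-scan` property that the removed `<skip>` read is declared outside this hunk; if it is still in the properties block it is now dead and can be dropped.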
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
@@ -1324,12 +1284,6 @@
<version>2.3</version>
</plugin>
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <version>${owasp-dependency-check.version}</version>
- </plugin>
-
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
@@ -1460,19 +1414,6 @@
<issueLinkUrl>https://issues.apache.org/jira/browse/%ISSUE%</issueLinkUrl>
</configuration>
</plugin-->
-
- <!-- Generates a dependency vulnerability -->
- <!--plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <reportSets>
- <reportSet>
- <reports>
- <report>aggregate</report>
- </reports>
- </reportSet>
- </reportSets>
- </plugin-->
</plugins>
</reporting>