Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/06/02 10:31:29 UTC

[jackrabbit-filevault] branch feature/enable-dependency-check updated (1ffe9308 -> 2e545535)

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a change to branch feature/enable-dependency-check
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git


 discard 1ffe9308 JCRVLT-579 prevent embedding vulnerable libraries
     new 2e545535 JCRVLT-579 prevent embedding vulnerable libraries

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (1ffe9308)
            \
             N -- N -- N   refs/heads/feature/enable-dependency-check (2e545535)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Jenkinsfile              |  6 +++++-
 parent/pom.xml           |  6 ++----
 vault-cli/pom.xml        | 30 ++----------------------------
 vault-core/pom.xml       |  2 +-
 vault-davex/pom.xml      |  2 +-
 vault-rcp/pom.xml        |  3 +--
 vault-sync/pom.xml       |  2 +-
 vault-validation/pom.xml |  2 +-
 vault-vlt/pom.xml        |  2 +-
 9 files changed, 15 insertions(+), 40 deletions(-)


[jackrabbit-filevault] 01/01: JCRVLT-579 prevent embedding vulnerable libraries

Posted by kw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kwin pushed a commit to branch feature/enable-dependency-check
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git

commit 2e545535c99181ce157d435c78bb4912c697377d
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Thu Jun 2 12:20:55 2022 +0200

    JCRVLT-579 prevent embedding vulnerable libraries
    
    Add OWASP dependency checker to all modules
    Exclude external (e.g. OSGi) dependencies from being checked
    Clean up some dependencies
---
 Jenkinsfile                           |  6 +++-
 parent/pom.xml                        | 27 ++++++++++++++++++
 suppressions.xml                      | 53 +++++++++++++++++++++++++++++++++++
 target-osgi-environment/pom.xml       |  8 ++++++
 vault-cli/pom.xml                     | 32 +++++++++++++++++++++
 vault-core/pom.xml                    | 14 ++++++++-
 vault-davex/pom.xml                   | 19 +++++++++++++
 vault-hook-example/pom.xml            | 13 +++------
 vault-hook-externalclass-test/pom.xml | 16 ++++-------
 vault-rcp/pom.xml                     | 20 ++++++++++++-
 vault-sync/pom.xml                    | 16 +++++++++++
 vault-validation/pom.xml              | 51 ++++++++++++++++++++++++++++++++-
 vault-vlt/pom.xml                     | 19 +++++++++++++
 13 files changed, 270 insertions(+), 24 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 2afe1cbc..5511dc1f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,7 +21,11 @@
 library "filevault@master"
 
 vaultPipeline('ubuntu', 11, '3', {
-   vaultStageBuild(['ubuntu', 'Windows'], [11, 17], ['3', '3.6.3'], 'apache_jackrabbit-filevault')
+   vaultStageBuild(['ubuntu', 'Windows'], [11, 17], ['3', '3.6.3'], 'apache_jackrabbit-filevault', 
+     [
+       mainBuildArguments: '-U clean site deploy -Pjacoco-report,dependency-check -Dlogback.configurationFile=vault-core/src/test/resources/logback-only-errors.xml'
+     ]
+   )
    vaultStageDeploy()
   }
 )
\ No newline at end of file
diff --git a/parent/pom.xml b/parent/pom.xml
index 4e550b2d..fbe340a3 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -277,6 +277,21 @@ Bundle-Category: jackrabbit
                     <artifactId>jacoco-maven-plugin</artifactId>
                     <version>0.8.8</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>7.1.0</version>
+                    <executions>
+                        <execution>
+                            <goals>
+                                <goal>check</goal>
+                            </goals>
+                            <configuration>
+                                <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                            </configuration>
+                        </execution>
+                    </executions>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
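Review bot: The suppression file location is repeated in every module's `pluginManagement` instead of being set once here, next to the plugin version; a single `<suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>` in this plugin's `<configuration>` is interpolated per module and resolves the same way in each child, so the seven copies collapse into one. Whether every module is a direct child of the repository root is not visible here; if one is nested deeper, `${maven.multiModuleProjectDirectory}/suppressions.xml` avoids the relative `..`. A one-line comment on `failBuildOnAnyVulnerability`, e.g. `<!-- any CVE, regardless of CVSS, fails the build; false positives go into suppressions.xml -->`, would also tell the next maintainer where the escape hatch is.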
@@ -477,6 +492,7 @@ Bundle-Category: jackrabbit
                 <scope>provided</scope>
             </dependency>
 
+            <!-- these are minimum version referenced in OSGi bundles, for embedding a newer version should be used -->
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
@@ -604,6 +620,17 @@ Bundle-Category: jackrabbit
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>dependency-check</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
 </project>
diff --git a/suppressions.xml b/suppressions.xml
new file mode 100644
index 00000000..ac2b5813
--- /dev/null
+++ b/suppressions.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0"?><!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+       <notes><![CDATA[
+       Oak GAV must not apply to JR2 CPE (like for 
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+       <cpe>cpe:/a:apache:jackrabbit</cpe>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: org.apache.sling.jcr.api-2.0.4.jar does not suffer from CVE-2015-2944
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
+       <cve>CVE-2015-2944</cve>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: h2-2.1.212.jar, only 1.4.197 is affected, see https://github.com/jeremylong/DependencyCheck/issues/4555
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+       <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: org.apache.sling.commons.classloader-1.2.2.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.classloader@.*$</packageUrl>
+       <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       false positive for Oak classes e.g. for CVE-2021-40690
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak-.*@.*$</packageUrl>
+       <cpe>cpe:/a:apache:xml_security_for_java</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file
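Review bot: The h2 suppression matches every h2 version (`h2@.*$`) even though its own note says only 1.4.197 is affected, so if h2 were ever pinned back to that version the finding would stay hidden; bounding the pattern (for example `h2@2\..*$`) or adding an `until="YYYY-MM-DD"` attribute on that `<suppress>` keeps the NVD-data workaround from becoming permanent. The first suppression's note is cut off mid-sentence (`Oak GAV must not apply to JR2 CPE (like for`), so the justification for suppressing the whole `apache:jackrabbit` CPE on all `oak-*` artifacts should be completed before this lands. The `<cpe>` entries only correct a misidentification and are reasonably left unbounded, but the `<cve>`/`<vulnerabilityName>` entries silence a specific finding for all versions and deserve either a version bound or an `until` date.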
diff --git a/target-osgi-environment/pom.xml b/target-osgi-environment/pom.xml
index c4326340..3c44ddd2 100644
--- a/target-osgi-environment/pom.xml
+++ b/target-osgi-environment/pom.xml
@@ -73,6 +73,14 @@
                     </execution>
                 </executions>
             </plugin>
+            <!-- never do vulnerabilities check for any surrounding OSGi bundles provided by a distribution -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/vault-cli/pom.xml b/vault-cli/pom.xml
index d9cdeea5..e501bbe6 100644
--- a/vault-cli/pom.xml
+++ b/vault-cli/pom.xml
@@ -41,6 +41,17 @@
     <!-- B U I L D   D E F I N I T I O N                                        -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -111,6 +122,27 @@
         </plugins>
     </build>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- override minimum versions from parent with most recent backwards compatible versions -->
+            <dependency>
+                <groupId>commons-io</groupId>
+                <artifactId>commons-io</artifactId>
+                <version>2.11.0</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents</groupId>
+                <artifactId>httpmime</artifactId>
+                <version>4.5.13</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents</groupId>
+                <artifactId>httpclient</artifactId>
+                <version>4.5.13</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <!-- ====================================================================== -->
     <!-- D E P E N D E N C I E S                                                -->
     <!-- ====================================================================== -->
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index 5c630cf3..0a9f9193 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -60,6 +60,18 @@
                         </execution>
                     </executions>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
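Review bot: The list items under `<excludes>` are spelled `<exlude>` rather than `<exclude>`; Maven's collection configurator generally accepts any child element name for a `List<String>` parameter, so this probably still works, but the misspelling is copied into every module and should be corrected to `<exclude>*:commons-io</exclude>` / `<exclude>*:httpclient</exclude>`. Note that `excludes` removes these artifacts from the scan entirely, not just for the vulnerabilities known today, so the comment's claim that they are container-provided is what keeps this safe; if this bundle ever embeds either of them via `Embed-Dependency`, nothing here would catch it.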
@@ -241,7 +253,7 @@
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>2.0.206</version>
+            <version>2.1.212</version>
             <scope>provided</scope>
         </dependency>
         <!-- test deps -->
diff --git a/vault-davex/pom.xml b/vault-davex/pom.xml
index a2d4fa9f..267f05fe 100644
--- a/vault-davex/pom.xml
+++ b/vault-davex/pom.xml
@@ -87,4 +87,23 @@
             <artifactId>slf4j-api</artifactId>
         </dependency>
     </dependencies>
+    
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
 </project>
diff --git a/vault-hook-example/pom.xml b/vault-hook-example/pom.xml
index 36920f61..10e409e6 100644
--- a/vault-hook-example/pom.xml
+++ b/vault-hook-example/pom.xml
@@ -92,19 +92,14 @@
         <dependency>
             <groupId>javax.jcr</groupId>
             <artifactId>jcr</artifactId>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
 
-        <!-- SLF4j / Log4j -->
+        <!-- SLF4j -->
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <optional>true</optional>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
         </dependency>
     </dependencies>
 </project>
diff --git a/vault-hook-externalclass-test/pom.xml b/vault-hook-externalclass-test/pom.xml
index a35ea6fa..9144ab9e 100644
--- a/vault-hook-externalclass-test/pom.xml
+++ b/vault-hook-externalclass-test/pom.xml
@@ -91,26 +91,20 @@
         <dependency>
             <groupId>javax.jcr</groupId>
             <artifactId>jcr</artifactId>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
 
-        <!-- SLF4j / Log4j -->
+        <!-- SLF4j -->
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <optional>true</optional>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
-            <version>2.3.0</version>
+            <version>2.16.4</version>
             <scope>provided</scope>
-            <optional>true</optional>
         </dependency>
     </dependencies>
 </project>
diff --git a/vault-rcp/pom.xml b/vault-rcp/pom.xml
index b2349fa7..6eb3eb9a 100644
--- a/vault-rcp/pom.xml
+++ b/vault-rcp/pom.xml
@@ -43,6 +43,24 @@
     <!-- B U I L D                                                             -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                            <exlude>*:jackson-core</exlude>
+                            <exlude>*:jackson-databind</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
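Review bot: Excluding `*:jackson-databind` and `*:jackson-core` from the scan makes any vulnerability in them invisible to this check, so the justification in the comment (provided by the container) should be confirmed against the bundle's `Embed-Dependency`/`Import-Package` in the maven-bundle-plugin configuration, which is outside this hunk. If the bundle does import them from the container, a comment naming that next to the exclusion, e.g. `<!-- jackson is imported from the OSGi container (Import-Package), never embedded -->`, makes the reasoning auditable later. The items here also carry the `<exlude>` misspelling seen in the other modules.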
             <plugin>
                 <groupId>org.apache.sling</groupId>
@@ -137,7 +155,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
-            <version>2.2.0</version>
+            <version>2.16.4</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
diff --git a/vault-sync/pom.xml b/vault-sync/pom.xml
index 959762b7..6a646544 100644
--- a/vault-sync/pom.xml
+++ b/vault-sync/pom.xml
@@ -45,6 +45,22 @@
     <!-- B U I L D   D E F I N I T I O N                                        -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:guava</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <plugin>
                 <groupId>org.apache.sling</groupId>
diff --git a/vault-validation/pom.xml b/vault-validation/pom.xml
index e8f064eb..f9f453ed 100644
--- a/vault-validation/pom.xml
+++ b/vault-validation/pom.xml
@@ -40,6 +40,22 @@
     </properties>
 
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <!-- ====================================================================== -->
             <!-- R A T  P L U G I N                                                    -->
@@ -140,12 +156,45 @@
             <scope>provided</scope>
         </dependency>
 
-        <!-- only used for the constants, not necessary at run time -->
+        <!-- Oak dependencies only used for the constants, not necessary at run time (due to inlining) -->
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-core</artifactId>
             <version>${oak.version}</version>
             <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <version>${oak.version}</version>
+            <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core-spi</artifactId>
+            <version>${oak.version}</version>
+            <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
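Review bot: `<optional>true</optional>` is redundant once `<scope>provided</scope>` is set, because a provided dependency is already not propagated transitively; keeping both on all three Oak artifacts reads as if two different mechanisms were needed. Given the comment that these are only used for constants that the compiler inlines, `provided` alone together with the `*:*` exclusion states the intent, but whether anything in this module still references an Oak class at runtime is not visible here and would need checking before dropping `optional`. The wildcard `<exclusion>` also appears to be what keeps Oak's transitive dependencies out of the dependency-check scan, which is worth stating in the comment, e.g. `<!-- exclude Oak's transitive deps: not needed to compile and not to be vulnerability-scanned -->`.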
diff --git a/vault-vlt/pom.xml b/vault-vlt/pom.xml
index 1f07bef9..37483933 100644
--- a/vault-vlt/pom.xml
+++ b/vault-vlt/pom.xml
@@ -89,4 +89,23 @@
         </dependency>
     </dependencies>
 
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the container) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                            <exlude>*:log4j</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
 </project>
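Review bot: `*:log4j` is excluded from the scan as container-provided, which silences all findings for the `log4j:log4j` 1.x artifact (no longer maintained upstream) rather than a known false positive; since the hook-example modules in this same commit drop their log4j 1.x dependency in favour of `slf4j-api`, it may be worth checking whether vault-vlt's own log4j dependency (not visible in this hunk) is still needed at all. If it is genuinely only supplied by the target runtime, a short comment on the exclusion, e.g. `<!-- log4j 1.x comes from the target runtime and is never embedded -->`, makes that decision auditable.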