Posted to commits@knox.apache.org by kr...@apache.org on 2018/10/31 15:55:31 UTC
knox git commit: KNOX-1421 - Enable OWASP Dependency Check
Repository: knox
Updated Branches:
refs/heads/master 80dc25512 -> 8b128c2f1
KNOX-1421 - Enable OWASP Dependency Check
Signed-off-by: Kevin Risden <kr...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8b128c2f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8b128c2f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8b128c2f
Branch: refs/heads/master
Commit: 8b128c2f1090507d863f0ffc1923ad30b2264cae
Parents: 80dc255
Author: Kevin Risden <kr...@apache.org>
Authored: Wed Oct 3 10:48:03 2018 -0400
Committer: Kevin Risden <kr...@apache.org>
Committed: Wed Oct 31 11:42:45 2018 -0400
----------------------------------------------------------------------
.../dependency-check/suppressions.xml | 58 ++++++++++++++++++++
gateway-test-release/pom.xml | 4 ++
pom.xml | 42 +++++++++++++-
3 files changed, 102 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
----------------------------------------------------------------------
diff --git a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
new file mode 100644
index 0000000..059a747
--- /dev/null
+++ b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <suppress>
+ <notes><![CDATA[file name: curator-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.curator:curator-.*:.*$</gav>
+ <cpe>cpe:/a:apache:zookeeper</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: gateway-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.knox:gateway-.*:.*$</gav>
+ <cpe>cpe:/a:apache:ambari</cpe>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ <cpe>cpe:/a:apache:apache_test</cpe>
+ <cpe>cpe:/a:apache:hadoop</cpe>
+ <cpe>cpe:/a:apache:hive</cpe>
+ <cpe>cpe:/a:apache:http_server</cpe>
+ <cpe>cpe:/a:apache:nifi</cpe>
+ <cpe>cpe:/a:apache:shiro</cpe>
+ <cpe>cpe:/a:apache:storm</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: hadoop-examples-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.knox:hadoop-examples:.*$</gav>
+ <cpe>cpe:/a:apache:hadoop</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: zookeeper.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.zookeeper:zookeeper:.*$</gav>
+ <cve>CVE-2014-0085</cve>
+ <cve>CVE-2018-8012</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: groovy-.*.jar]]></notes>
+ <gav regex="true">^org\.codehaus\.groovy:groovy-.*:.*$</gav>
+ <cve>CVE-2016-6497</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: xz-.*.jar]]></notes>
+ <gav regex="true">^org\.tukaani:xz:.*$</gav>
+ <cve>CVE-2015-4035</cve>
+ </suppress>
+</suppressions>
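Review bot: The `<notes>` on every entry record only a file-name pattern, so the CVE suppressions on the zookeeper, groovy and xz entries give no reason why those findings do not apply and nothing marks when they should be revisited. A suppression that outlives the dependency version it was written for silently hides a real finding, which is the failure mode this file most needs to guard against. Each `<cve>` entry should carry a one-line rationale, e.g. `<notes><![CDATA[file name: xz-.*.jar; CVE-2015-4035 suppressed because <reason - fill in>; re-check on the next xz upgrade]]></notes>`, and, if the suppression schema version in use supports it, an `until="YYYY-MM-DD"` date on `<suppress>` so the entry expires instead of persisting. The long CPE list on the gateway-.* entry is presumably clearing false-positive CPE matches against Knox's own artifacts; a note saying so would make that explicit for whoever next trims this file.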
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/gateway-test-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-test-release/pom.xml b/gateway-test-release/pom.xml
index 087d45c..c115226 100644
--- a/gateway-test-release/pom.xml
+++ b/gateway-test-release/pom.xml
@@ -177,6 +177,10 @@
<groupId>com.google.code.findbugs</groupId>
<artifactId>jsr305</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>jdk.tools</groupId>
+ <artifactId>jdk.tools</artifactId>
+ </exclusion>
</exclusions>
<scope>test</scope>
</dependency>
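Review bot: The new jdk.tools exclusion carries no comment explaining why it is needed, and the same exclusion is repeated on hadoop-mapreduce-client-core in pom.xml, so a later cleanup could drop either one without knowing what breaks. Presumably this is what lets the dependency-check goal resolve the Hadoop transitive graph without a JDK-local artifact; if so, a one-line `<!-- jdk.tools is a system-scoped Hadoop dependency; excluded so dependency-check can resolve the graph -->` next to each exclusion records that. The enclosing `<dependency>` starts before this hunk.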
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index e7f9b08..7c90a61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
<artifactId>apache</artifactId>
<version>21</version>
</parent>
-
+
<groupId>org.apache.knox</groupId>
<artifactId>gateway</artifactId>
<version>1.2.0-SNAPSHOT</version>
@@ -153,6 +153,7 @@
<cors-filter.version>2.6</cors-filter.version>
<curator.version>4.0.1</curator.version>
<curator-test.version>2.12.0</curator-test.version>
+ <dependency-check-maven.version>3.3.2</dependency-check-maven.version>
<easymock.version>4.0.1</easymock.version>
<eclipselink.version>2.7.3</eclipselink.version>
<ehcache.version>2.6.11</ehcache.version>
@@ -206,7 +207,7 @@
<zip4j.version>1.3.2</zip4j.version>
<zookeeper.version>3.4.10</zookeeper.version>
</properties>
-
+
<profiles>
<profile>
<id>package</id>
@@ -254,6 +255,37 @@
<failsafe.group>org.apache.knox.test.category.VerifyTest</failsafe.group>
</properties>
</profile>
+ <profile>
+ <id>owasp</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>build-tools/dependency-check/suppressions.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>build-tools</artifactId>
+ <version>1.0.0</version>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
<build>
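Review bot: The dependency-check plugin in the new `owasp` profile is configured only with suppression files, so the `aggregate` goal reports findings but never fails the build; adding `<failBuildOnCVSS>7</failBuildOnCVSS>` (the threshold is a sample value for the project to agree on) inside `<configuration>` turns the scan into a gate rather than a report. Because the plugin lives in a profile it also runs only when `-Powasp` is activated, and nothing in the hunk says which CI job is expected to do that; a comment on the profile would help. The `build-tools` plugin dependency is pinned to `1.0.0` while the project is at `1.2.0-SNAPSHOT`; if build-tools is released with the project, `${project.version}` would keep the bundled suppression file in step with the sources, but that depends on how build-tools is versioned, which this hunk does not show.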
@@ -1033,6 +1065,12 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-mapreduce-client-core</artifactId>
<version>${hadoop.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>jdk.tools</groupId>
+ <artifactId>jdk.tools</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>