Posted to commits@bookkeeper.apache.org by eo...@apache.org on 2022/01/27 13:24:51 UTC
[bookkeeper] branch master updated: Added OWASP dependency-check (#3002)
This is an automated email from the ASF dual-hosted git repository.
eolivelli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 036fc1f Added OWASP dependency-check (#3002)
036fc1f is described below
commit 036fc1f22228a14c7f91d4f119378fc6cf719ed5
Author: Andrey Yegorov <86...@users.noreply.github.com>
AuthorDate: Thu Jan 27 05:24:44 2022 -0800
Added OWASP dependency-check (#3002)
* Added OWASP dependency-check
* Suppress ETCD-related misdetections
---
build.gradle | 43 +++++++++++++++++
gradle.properties | 1 +
settings.gradle | 1 +
src/owasp-dependency-check-suppressions.xml | 71 +++++++++++++++++++++++++++++
4 files changed, 116 insertions(+)
diff --git a/build.gradle b/build.gradle
index b92a70c..a3f4416 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,6 +29,7 @@ plugins {
id 'checkstyle'
id 'org.nosphere.apache.rat'
id 'com.github.spotbugs'
+ id 'org.owasp.dependencycheck'
}
subprojects {
@@ -58,6 +59,13 @@ releaseParams { // ReleaseExtension
}
}
+def skipDepCheck = []
+allprojects {
+ if (it.path.startsWith(':tests')) {
+ skipDepCheck << it.path
+ }
+}
+
allprojects {
apply from: "$rootDir/dependencies.gradle"
if (it.path != ':circe-checksum:src:main:circe'
@@ -70,6 +78,41 @@ allprojects {
apply plugin: 'org.nosphere.apache.rat'
apply plugin: "checkstyle"
apply plugin: 'com.github.spotbugs'
+
+ if (!it.path.startsWith(':tests')) {
+ apply plugin: 'org.owasp.dependencycheck'
+
+ dependencyCheck {
+ // see https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html
+ // for configuration properties
+ suppressionFile = "$rootDir/src/owasp-dependency-check-suppressions.xml"
+ skipProjects = skipDepCheck
+ skipConfigurations = ["checkstyle", "spotbugs"]
+ analyzers {
+ msbuildEnabled = false
+ rubygemsEnabled = false
+ pyDistributionEnabled = false
+ pyPackageEnabled = false
+ nuspecEnabled = false
+ nugetconfEnabled = false
+ assemblyEnabled = false
+ cmakeEnabled = false
+ composerEnabled = false
+ cpanEnabled = false
+ nodeEnabled = false
+ cocoapodsEnabled = false
+ swiftEnabled = false
+ swiftPackageResolvedEnabled = false
+ bundleAuditEnabled = false
+ golangDepEnabled = false
+ golangModEnabled = false
+
+ nodeAudit.enabled = false
+ retirejs.enabled = false
+ }
+ }
+ }
+
checkstyle {
toolVersion "${checkStyleVersion}"
configFile file("$rootDir/buildtools/src/main/resources/bookkeeper/checkstyle.xml")
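Review bot: The `dependencyCheck` block sets no `failBuildOnCVSS`, so with the plugin's default the analysis only reports findings and never fails the build; if the intent is to gate on known vulnerabilities, add `failBuildOnCVSS = 7` (or whichever threshold the project agrees on) next to `suppressionFile`. The `skipProjects = skipDepCheck` line looks redundant with the `!it.path.startsWith(':tests')` guard two lines above it and with the list built in the earlier `allprojects` hunk; since the plugin is applied per project here rather than aggregated at the root, that list may never be consulted — worth confirming against the configuration page linked in the comment. Nothing here wires the analysis into `check`, so presumably it runs only when `dependencyCheckAnalyze` is invoked explicitly; a comment stating that, or a `check.dependsOn` line, would make the intent clear. The enclosing `allprojects` closure starts before this hunk.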
diff --git a/gradle.properties b/gradle.properties
index b8be583..bba0e1d 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -27,3 +27,4 @@ checkStyleVersion=6.19
spotbugsPlugin=4.7.0
testLogger=2.0.0
testRetry=1.0.0
+owaspPlugin=6.5.3
diff --git a/settings.gradle b/settings.gradle
index 3d192cf..036b104 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -25,6 +25,7 @@ pluginManagement {
id "com.github.spotbugs" version "${spotbugsPlugin}"
id "com.adarshr.test-logger" version "${testLogger}"
id "org.gradle.test-retry" version "${testRetry}"
+ id "org.owasp.dependencycheck" version "${owaspPlugin}"
}
}
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
new file mode 100644
index 0000000..c65b18b
--- /dev/null
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <!-- add supressions for known vulnerabilities detected by OWASP Dependency Check -->
+
+ <!-- jetcd matched against ETCD server CVEs-->
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-core-0.5.11.jar
+ ]]></notes>
+ <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+ <cve>CVE-2020-15106</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-core-0.5.11.jar
+ ]]></notes>
+ <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+ <cve>CVE-2020-15112</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-core-0.5.11.jar
+ ]]></notes>
+ <sha1>c85851ca3ea8128d480d3f75c568a37e64e8a77b</sha1>
+ <cve>CVE-2020-15113</cve>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-common-0.5.11.jar
+ ]]></notes>
+ <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+ <cve>CVE-2020-15106</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-common-0.5.11.jar
+ ]]></notes>
+ <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+ <cve>CVE-2020-15112</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: jetcd-common-0.5.11.jar
+ ]]></notes>
+ <sha1>6dac6efe035a2be9ba299fbf31be5f903401869f</sha1>
+ <cve>CVE-2020-15113</cve>
+ </suppress>
+
+</suppressions>
+
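Review bot: Each `<suppress>` entry records only the jar file name in `<notes>`, so the reason the finding is a false positive — jetcd is the Java client being matched against etcd server CVEs — survives only in the one-line comment above the first group; put it in every entry, e.g. `jetcd is the etcd Java client; CVE-2020-15106/15112/15113 affect the etcd server, not this artifact`, so it is not lost when entries are copied or reordered. Consider also an `until` attribute on each `<suppress>` (supported by the 1.3 schema referenced on the `<suppressions>` line) so the suppressions expire and get re-reviewed rather than living forever. Because the entries are pinned by `<sha1>` to the 0.5.11 jars, bumping jetcd will make the three CVEs resurface, which is the safe default but should be expected by whoever does the upgrade. The comment directly under `<suppressions>` misspells "suppressions" as "supressions".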