Posted to commits@flex.apache.org by jo...@apache.org on 2023/01/09 23:37:37 UTC
[flex-blazeds] 01/03: owasp dependency check should be opt-in
This is an automated email from the ASF dual-hosted git repository.
joshtynjala pushed a commit to branch security-updates
in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git
commit c7b937e41dc580d780c38f32f4d67bbe28b1edaa
Author: Josh Tynjala <jo...@bowlerhat.dev>
AuthorDate: Mon Jan 9 15:25:32 2023 -0800
owasp dependency check should be opt-in
This allows the CI server or release manager to enable it as needed, while regular users can still build without it.
---
pom.xml | 70 +++++++++++++++++++++++++++++++++++------------------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/pom.xml b/pom.xml
index 7d141bd..268b49a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -80,38 +80,6 @@
<build>
<plugins>
- <!--
- Check the referenced dependencies for known vulnerabilities
- and fail the build if there are critical ones in our classpath
- -->
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
- <executions>
- <execution>
- <goals>
- <goal>check</goal>
- </goals>
- </execution>
- </executions>
- <configuration>
- <!-- Fail the build on any CVE, which is not considered minor -->
- <failBuildOnCVSS>4</failBuildOnCVSS>
- <excludes>
- <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
- <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
- <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
- <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
- <exclude>commons-httpclient:commons-httpclient</exclude>
- </excludes>
- </configuration>
- </plugin>
-
<plugin>
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
@@ -379,6 +347,44 @@
<module>distribution</module>
</modules>
</profile>
+ <profile>
+ <id>with-owasp</id>
+ <build>
+ <plugins>
+ <!--
+ Check the referenced dependencies for known vulnerabilities
+ and fail the build if there are critical ones in our classpath
+ -->
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>7.4.4</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <!-- Fail the build on any CVE, which is not considered minor -->
+ <failBuildOnCVSS>4</failBuildOnCVSS>
+ <excludes>
+ <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
+ <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
+ <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
+ <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
+ <exclude>commons-httpclient:commons-httpclient</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
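Review bot: The new `with-owasp` profile has no activation element and no comment stating how it is meant to be enabled, so the opt-in path this commit introduces is not discoverable from the pom itself; I would add, directly above `<id>with-owasp</id>`, `<!-- Opt-in vulnerability scan: enable with -Pwith-owasp (intended for CI and release builds) -->`. Because the check no longer runs on a default build, the carried-over `commons-httpclient:commons-httpclient` exclusion and its "before the next release" TODO will no longer be surfaced to anyone building locally, so that TODO should reference a tracking issue (placeholder: `<!-- see ISSUE-ID -->`) or the exclusion risks outliving the release it was meant to gate. The moved plugin block is otherwise identical to the deleted one, which keeps the `failBuildOnCVSS` threshold and the per-artifact excludes behaving as before when the profile is active.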