Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/12/16 15:56:37 UTC

[jackrabbit-filevault] branch feature/fix-dependency-check-false-positives created (now b74b1d27)

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a change to branch feature/fix-dependency-check-false-positives
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git


      at b74b1d27 JCRVLT-674 ignore dependency-check false positives

This branch includes the following new commits:

     new b74b1d27 JCRVLT-674 ignore dependency-check false positives

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[jackrabbit-filevault] 01/01: JCRVLT-674 ignore dependency-check false positives

Posted by kw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kwin pushed a commit to branch feature/fix-dependency-check-false-positives
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git

commit b74b1d27fb04edb27acd8e23fafc9d8151da5a51
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Fri Dec 16 16:56:30 2022 +0100

    JCRVLT-674 ignore dependency-check false positives
    
    Update embedded Woodstox, however, to the newest 6.4.0
    Update dependency-check to newest 7.4.1
---
 parent/pom.xml     | 17 ++++++++++++++++-
 suppressions.xml   |  8 +++++++-
 vault-core/pom.xml |  2 +-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 22681c7d..9db78c7b 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -281,7 +281,7 @@ Bundle-Category: jackrabbit
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>7.2.0</version>
+                    <version>7.4.1</version>
                     <executions>
                         <execution>
                             <goals>
@@ -346,6 +346,21 @@ Bundle-Category: jackrabbit
                     </execution>
                 </executions>
             </plugin>
+<!--             <plugin> -->
+<!--                 <groupId>org.apache.maven.plugins</groupId> -->
+<!--                 <artifactId>maven-dependency-plugin</artifactId> -->
+<!--                 <executions> -->
+<!--                     <execution> -->
+<!--                         <id>check-dependencies</id> -->
+<!--                         <goals> -->
+<!--                             <goal>analyze-only</goal> -->
+<!--                         </goals> -->
+<!--                         <configuration> -->
+<!--                             <verbose>true</verbose> -->
+<!--                         </configuration> -->
+<!--                     </execution> -->
+<!--                 </executions> -->
+<!--             </plugin> -->
         </plugins>
 
     </build>
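Review bot: The fifteen commented-out lines appended to the `<plugins>` list leave a dead maven-dependency-plugin `analyze-only` execution in the pom with no statement of why it is disabled, and neither the surrounding lines nor the commit message explain it. Each line is wrapped in its own `<!-- -->`, which makes the block awkward to diff or re-enable; Maven ignores comments, so the build gains nothing from keeping it. If the block is meant as a reminder, a single comment block with a reason such as `<!-- maven-dependency-plugin analyze-only kept disabled: TODO state the reason and the ticket -->` would be clearer, otherwise it should be dropped. The enclosing `<build>`/`<plugins>` elements start outside the hunk.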
diff --git a/suppressions.xml b/suppressions.xml
index 79325050..2fdd126b 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -50,5 +50,11 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
        <cve>CVE-2022-32549</cve>
     </suppress>
-    
+    <suppress>
+       <notes><![CDATA[
+       file name: h2-2.1.212.jar, usage in FileVault not affected, see https://github.com/h2database/h2database/issues/3686
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+       <cve>CVE-2022-45868</cve>
+    </suppress>
 </suppressions>
\ No newline at end of file
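Review bot: The new `<packageUrl>` regex `^pkg:maven/com\.h2database/h2@.*$` suppresses CVE-2022-45868 for every h2 version, while the `<notes>` justify it only for h2-2.1.212.jar and the "usage not affected" reasoning tied to that version. Once h2 is bumped the suppression silently carries over and would hide the same CVE in a version where that analysis may no longer hold. Pin the pattern to the assessed version, `^pkg:maven/com\.h2database/h2@2\.1\.212$`, or give the entry an expiry via dependency-check's `until` attribute (`<suppress until="YYYY-MM-DDZ">`, date to be chosen) so the suppression is revisited rather than inherited. The existing CVE-2022-32549 entry above uses the same unbounded `@.*$` form and has the same drift risk.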
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index d71a3323..74da2357 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -194,7 +194,7 @@
         <dependency>
             <groupId>com.fasterxml.woodstox</groupId>
             <artifactId>woodstox-core</artifactId>
-            <version>6.1.1</version>
+            <version>6.4.0</version>
             <!-- embedded, therefore not transitively relevant -->
             <scope>provided</scope>
         </dependency>