Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/12/16 15:56:38 UTC

[jackrabbit-filevault] 01/01: JCRVLT-674 ignore dependency-check false positives

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a commit to branch feature/fix-dependency-check-false-positives
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git

commit b74b1d27fb04edb27acd8e23fafc9d8151da5a51
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Fri Dec 16 16:56:30 2022 +0100

    JCRVLT-674 ignore dependency-check false positives
    
    However, update embedded Woodstox to newest 6.4.0
    Update dependency-check to newest 7.4.1
---
 parent/pom.xml     | 17 ++++++++++++++++-
 suppressions.xml   |  8 +++++++-
 vault-core/pom.xml |  2 +-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 22681c7d..9db78c7b 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -281,7 +281,7 @@ Bundle-Category: jackrabbit
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>7.2.0</version>
+                    <version>7.4.1</version>
                     <executions>
                         <execution>
                             <goals>
@@ -346,6 +346,21 @@ Bundle-Category: jackrabbit
                     </execution>
                 </executions>
             </plugin>
+<!--             <plugin> -->
+<!--                 <groupId>org.apache.maven.plugins</groupId> -->
+<!--                 <artifactId>maven-dependency-plugin</artifactId> -->
+<!--                 <executions> -->
+<!--                     <execution> -->
+<!--                         <id>check-dependencies</id> -->
+<!--                         <goals> -->
+<!--                             <goal>analyze-only</goal> -->
+<!--                         </goals> -->
+<!--                         <configuration> -->
+<!--                             <verbose>true</verbose> -->
+<!--                         </configuration> -->
+<!--                     </execution> -->
+<!--                 </executions> -->
+<!--             </plugin> -->
         </plugins>
 
     </build>
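Review bot: The fifteen added lines are a fully commented-out maven-dependency-plugin `analyze-only` execution with no explanation of why it is disabled, and the commit message does not mention it either, so the next maintainer cannot tell whether it is a planned check, a failed experiment, or a leftover. Either drop the block (it is recoverable from history) or keep it with a single explanatory comment above it, e.g. `<!-- maven-dependency-plugin analyze-only is intentionally disabled: <reason> -->`, replacing the per-line `<!-- ... -->` wrapping with one comment around the whole `<plugin>` element so it can be re-enabled by removing two lines. The enclosing `<plugins>`/`<build>` elements start outside the hunk.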
diff --git a/suppressions.xml b/suppressions.xml
index 79325050..2fdd126b 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -50,5 +50,11 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
        <cve>CVE-2022-32549</cve>
     </suppress>
-    
+    <suppress>
+       <notes><![CDATA[
+       file name: h2-2.1.212.jar, usage in FileVault not affected, see https://github.com/h2database/h2database/issues/3686
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+       <cve>CVE-2022-45868</cve>
+    </suppress>
 </suppressions>
\ No newline at end of file
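Review bot: The new suppression's `<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>` matches every h2 version, while the note justifies it only for `h2-2.1.212.jar` and for how FileVault currently uses h2, so the entry keeps silencing CVE-2022-45868 after any future upgrade or usage change and the "not affected" assessment is never revisited. Either pin the version the assessment was made for, `<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2\.1\.212$</packageUrl>`, or give the entry an expiry with dependency-check's `until` attribute, `<suppress until="<YYYY-MM-DD>Z">`, so it is re-evaluated instead of persisting indefinitely. The enclosing `<suppressions>` element starts outside the hunk.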
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index d71a3323..74da2357 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -194,7 +194,7 @@
         <dependency>
             <groupId>com.fasterxml.woodstox</groupId>
             <artifactId>woodstox-core</artifactId>
-            <version>6.1.1</version>
+            <version>6.4.0</version>
             <!-- embedded, therefore not transitively relevant -->
             <scope>provided</scope>
         </dependency>