Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/12/16 15:56:38 UTC
[jackrabbit-filevault] 01/01: JCRVLT-674 ignore dependency-check false positives
This is an automated email from the ASF dual-hosted git repository.
kwin pushed a commit to branch feature/fix-dependency-check-false-positives
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git
commit b74b1d27fb04edb27acd8e23fafc9d8151da5a51
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Fri Dec 16 16:56:30 2022 +0100
JCRVLT-674 ignore dependency-check false positives
However, update embedded Woodstox to newest 6.4.0
Update dependency-check to newest 7.4.1
---
parent/pom.xml | 17 ++++++++++++++++-
suppressions.xml | 8 +++++++-
vault-core/pom.xml | 2 +-
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 22681c7d..9db78c7b 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -281,7 +281,7 @@ Bundle-Category: jackrabbit
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>7.2.0</version>
+ <version>7.4.1</version>
<executions>
<execution>
<goals>
@@ -346,6 +346,21 @@ Bundle-Category: jackrabbit
</execution>
</executions>
</plugin>
+<!-- <plugin> -->
+<!-- <groupId>org.apache.maven.plugins</groupId> -->
+<!-- <artifactId>maven-dependency-plugin</artifactId> -->
+<!-- <executions> -->
+<!-- <execution> -->
+<!-- <id>check-dependencies</id> -->
+<!-- <goals> -->
+<!-- <goal>analyze-only</goal> -->
+<!-- </goals> -->
+<!-- <configuration> -->
+<!-- <verbose>true</verbose> -->
+<!-- </configuration> -->
+<!-- </execution> -->
+<!-- </executions> -->
+<!-- </plugin> -->
</plugins>
</build>
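Review bot: The maven-dependency-plugin block inserted after the dependency-check plugin is entirely commented out, so it contributes no configuration and carries no explanation of why it is disabled; commented-out plugin blocks in a pom tend to go stale and drift from the real build. Either drop the fifteen lines or, if they are meant as a reminder to run the `analyze-only` goal locally, reduce them to a single comment such as `<!-- TODO: enable maven-dependency-plugin analyze-only once the declared-vs-used dependency findings are triaged -->`. The `<plugins>` and `<build>` elements close inside the hunk but open outside it.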
diff --git a/suppressions.xml b/suppressions.xml
index 79325050..2fdd126b 100644
--- a/suppressions.xml
+++ b/suppressions.xml
@@ -50,5 +50,11 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
<cve>CVE-2022-32549</cve>
</suppress>
-
+ <suppress>
+ <notes><![CDATA[
+ file name: h2-2.1.212.jar, usage in FileVault not affected, see https://github.com/h2database/h2database/issues/3686
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+ <cve>CVE-2022-45868</cve>
+ </suppress>
</suppressions>
\ No newline at end of file
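Review bot: The new suppression for CVE-2022-45868 matches every h2 version (`^pkg:maven/com\.h2database/h2@.*$`) while its notes justify it only for h2-2.1.212.jar by how FileVault uses the library, so a later h2 upgrade or a new usage would keep the finding silently suppressed. Consider pinning the version, `<packageUrl regex="true">^pkg:maven/com\.h2database/h2@2\.1\.212$</packageUrl>`, or giving the entry an expiry via the `until` attribute on `<suppress>` so the rationale is re-reviewed rather than inherited forever. The sling suppression above uses the same open-ended pattern, so this may be the file's convention; if so, stating which code path makes FileVault unaffected in the notes would let the next reviewer re-check it quickly.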
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index d71a3323..74da2357 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -194,7 +194,7 @@
<dependency>
<groupId>com.fasterxml.woodstox</groupId>
<artifactId>woodstox-core</artifactId>
- <version>6.1.1</version>
+ <version>6.4.0</version>
<!-- embedded, therefore not transitively relevant -->
<scope>provided</scope>
</dependency>