Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2022/06/02 10:21:00 UTC

[jackrabbit-filevault] branch feature/enable-dependency-check created (now 1ffe9308)

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a change to branch feature/enable-dependency-check
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git


      at 1ffe9308 JCRVLT-579 prevent embedding vulnerable libraries

This branch includes the following new commits:

     new 1ffe9308 JCRVLT-579 prevent embedding vulnerable libraries

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[jackrabbit-filevault] 01/01: JCRVLT-579 prevent embedding vulnerable libraries

Posted by kw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kwin pushed a commit to branch feature/enable-dependency-check
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git

commit 1ffe9308ba563e0f64b9e5fe1061647f3cf918a0
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Thu Jun 2 12:20:55 2022 +0200

    JCRVLT-579 prevent embedding vulnerable libraries
    
    Add OWASP dependency checker to all modules
    Exclude external (e.g. OSGi) dependencies from being checked
    Clean up some dependencies
---
 parent/pom.xml                        | 29 ++++++++++++++++++
 suppressions.xml                      | 53 ++++++++++++++++++++++++++++++++
 target-osgi-environment/pom.xml       |  8 +++++
 vault-cli/pom.xml                     | 58 +++++++++++++++++++++++++++++++++++
 vault-core/pom.xml                    | 14 ++++++++-
 vault-davex/pom.xml                   | 19 ++++++++++++
 vault-hook-example/pom.xml            | 13 +++-----
 vault-hook-externalclass-test/pom.xml | 16 +++-------
 vault-rcp/pom.xml                     | 21 ++++++++++++-
 vault-sync/pom.xml                    | 16 ++++++++++
 vault-validation/pom.xml              | 51 +++++++++++++++++++++++++++++-
 vault-vlt/pom.xml                     | 19 ++++++++++++
 12 files changed, 294 insertions(+), 23 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 4e550b2d..bc21acd7 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -277,6 +277,23 @@ Bundle-Category: jackrabbit
                     <artifactId>jacoco-maven-plugin</artifactId>
                     <version>0.8.8</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>7.1.0</version>
+                    <executions>
+                        <execution>
+                            <goals>
+                                <goal>check</goal>
+                            </goals>
+                            <configuration>
+                                <!-- provided is used in OSGi bundles for non-embedded dependencies -->
+                                <skipProvidedScope>false</skipProvidedScope>
+                                <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                            </configuration>
+                        </execution>
+                    </executions>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
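Review bot: The shared pluginManagement entry leaves `suppressionFile` unset, so every module repeats `${project.basedir}/../suppressions.xml` and the modules that do not configure it (vault-hook-example and vault-hook-externalclass-test appear to inherit the profile without one) will fail the build on any false positive already listed in suppressions.xml. Setting `<suppressionFile>${maven.multiModuleProjectDirectory}/suppressions.xml</suppressionFile>` once here (Maven 3.3.1+) removes the duplication and keeps the suppression list authoritative. The comment on `skipProvidedScope` also states the premise but not the decision; since provided scope is deliberately scanned, say so: `<!-- provided scope is NOT skipped: OSGi bundles use it both for embedded jars (e.g. h2) and for container-supplied ones; the latter are excluded per module -->`.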
@@ -477,6 +494,7 @@ Bundle-Category: jackrabbit
                 <scope>provided</scope>
             </dependency>
 
+            <!-- these are minimum version referenced in OSGi bundles, JARs should use a different version -->
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
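Review bot: The new comment does not say why these versions are kept old, which is the reason the modules below exclude them from the scan and vault-cli overrides them; a reader could "fix" the version here and break the OSGi import ranges. Suggest `<!-- minimum versions referenced by the OSGi bundles; the container supplies the real version at runtime, so these may have known CVEs. Modules that ship or embed these JARs must override with a current version (see vault-cli). -->`. It is also "minimum versions", plural.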
@@ -604,6 +622,17 @@ Bundle-Category: jackrabbit
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>additional-checks</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
 </project>
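Review bot: Nothing in the hunk activates `additional-checks`, so the dependency check only runs when someone passes `-Padditional-checks` and a plain `mvn verify` stays silent about vulnerable embedded libraries. If the intent is to gate releases or CI on it, document that on the profile, e.g. `<!-- run with: mvn -Padditional-checks verify; fails on any known CVE in embedded dependencies, see suppressions.xml -->`, and wire the profile into the CI build (not visible here).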
diff --git a/suppressions.xml b/suppressions.xml
new file mode 100644
index 00000000..ac2b5813
--- /dev/null
+++ b/suppressions.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0"?><!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+       <notes><![CDATA[
+       Oak GAV must not apply to JR2 CPE (like for 
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+       <cpe>cpe:/a:apache:jackrabbit</cpe>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: org.apache.sling.jcr.api-2.0.4.jar does not suffer from CVE-2015-2944
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.jcr\.api@.*$</packageUrl>
+       <cve>CVE-2015-2944</cve>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: h2-2.1.212.jar, only 1.4.197 is affected, see https://github.com/jeremylong/DependencyCheck/issues/4555
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+       <vulnerabilityName>CVE-2018-14335</vulnerabilityName>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: org.apache.sling.commons.classloader-1.2.2.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.classloader@.*$</packageUrl>
+       <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       false positive for Oak classes e.g. for CVE-2021-40690
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak-.*@.*$</packageUrl>
+       <cpe>cpe:/a:apache:xml_security_for_java</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file
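Review bot: The h2 suppression matches every h2 version (`^pkg:maven/com\.h2database/h2@.*$`) while its note says only 1.4.197 is affected, so a later downgrade to a vulnerable 1.4.x line would be silently hidden; bound it, e.g. `^pkg:maven/com\.h2database/h2@2\..*$`, or put an expiry on it with `<suppress until="2023-06-01">` so it is re-evaluated. The first note is cut off mid-sentence (`Oak GAV must not apply to JR2 CPE (like for`) and the sling.commons.classloader entry gives only a file name with no rationale; each suppression should state why the match is a false positive, e.g. `CPE apache-ssl:apache-ssl is matched on the artifact name only; the bundle has nothing to do with Apache-SSL`. The two Oak regexes also differ in escaping (`oak\-.*` vs `oak-.*`); pick one form.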
diff --git a/target-osgi-environment/pom.xml b/target-osgi-environment/pom.xml
index c4326340..3c44ddd2 100644
--- a/target-osgi-environment/pom.xml
+++ b/target-osgi-environment/pom.xml
@@ -73,6 +73,14 @@
                     </execution>
                 </executions>
             </plugin>
+            <!-- never do vulnerabilities check for any surrounding OSGi bundles provided by a distribution -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/vault-cli/pom.xml b/vault-cli/pom.xml
index d9cdeea5..bb02c80a 100644
--- a/vault-cli/pom.xml
+++ b/vault-cli/pom.xml
@@ -41,6 +41,17 @@
     <!-- B U I L D   D E F I N I T I O N                                        -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -62,6 +73,7 @@
                     <repositoryName>lib</repositoryName>
                     <includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
                     <copyConfigurationDirectory>true</copyConfigurationDirectory>
+                    <useAllProjectDependencies>true</useAllProjectDependencies><!-- this is not including transitive ones -->
                     <extraJvmArguments>-Xms500m -Xmx500m</extraJvmArguments>
                     <programs>
                         <program>
@@ -111,6 +123,52 @@
         </plugins>
     </build>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- override minimum versions from parent with most recent backwards compatible versions -->
+            <dependency>
+                <groupId>commons-io</groupId>
+                <artifactId>commons-io</artifactId>
+                <version>2.11.0</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.6</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-collections4</artifactId>
+                <version>4.1</version>
+            </dependency>
+            <dependency>
+                <groupId>commons-codec</groupId>
+                <artifactId>commons-codec</artifactId>
+                <version>1.10</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents</groupId>
+                <artifactId>httpmime</artifactId>
+                <version>4.5.13</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents</groupId>
+                <artifactId>httpclient</artifactId>
+                <version>4.5.13</version>
+            </dependency>
+            <dependency>
+                <groupId>commons-logging</groupId>
+                <artifactId>commons-logging</artifactId>
+                <version>1.0.3</version>
+            </dependency>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>4.13.2</version>
+                <scope>test</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>    
     <!-- ====================================================================== -->
     <!-- D E P E N D E N C I E S                                                -->
     <!-- ====================================================================== -->
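Review bot: The comment claims "most recent backwards compatible versions" but several pins are far from recent: commons-logging 1.0.3 (1.2 has been the current release since 2014), commons-codec 1.10 (2014), commons-collections4 4.1 (2015, 4.4 exists) and commons-lang3 3.6 (2017), all of which have later releases on the same major line. Since vault-cli is the module that actually ships these JARs in its `lib` directory, it is the one place where the embedded version matters for the scan this commit introduces; either raise them to the current releases (unless a compatibility constraint not visible here applies) or change the comment to `<!-- override minimum versions from parent with versions known to pass the dependency check; not necessarily the latest -->`.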
diff --git a/vault-core/pom.xml b/vault-core/pom.xml
index 5c630cf3..d1a4e8a2 100644
--- a/vault-core/pom.xml
+++ b/vault-core/pom.xml
@@ -60,6 +60,18 @@
                         </execution>
                     </executions>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
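Review bot: The exclusion entries are spelled `<exlude>` rather than `<exclude>` (both lines), and the same misspelling is repeated in vault-davex, vault-rcp, vault-sync, vault-validation and vault-vlt. Maven's collection configurator is usually lenient about the child element name for a `List<String>` parameter, so this probably still works, but that is an accident of the converter rather than the documented `<excludes><exclude>groupId:artifactId</exclude></excludes>` form; fix the spelling and confirm in the generated report that commons-io and httpclient are actually absent from the scanned set. Excluding by artifact rather than by scope also means the check goes blind if a later change embeds commons-io or httpclient into this bundle, which is worth stating in the comment: `<!-- excluded because they are container-provided here; remove the exclusion if they are ever embedded -->`.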
@@ -241,7 +253,7 @@
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>2.0.206</version>
+            <version>2.1.212</version>
             <scope>provided</scope>
         </dependency>
         <!-- test deps -->
diff --git a/vault-davex/pom.xml b/vault-davex/pom.xml
index a2d4fa9f..7a0f8544 100644
--- a/vault-davex/pom.xml
+++ b/vault-davex/pom.xml
@@ -87,4 +87,23 @@
             <artifactId>slf4j-api</artifactId>
         </dependency>
     </dependencies>
+    
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
 </project>
diff --git a/vault-hook-example/pom.xml b/vault-hook-example/pom.xml
index 36920f61..10e409e6 100644
--- a/vault-hook-example/pom.xml
+++ b/vault-hook-example/pom.xml
@@ -92,19 +92,14 @@
         <dependency>
             <groupId>javax.jcr</groupId>
             <artifactId>jcr</artifactId>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
 
-        <!-- SLF4j / Log4j -->
+        <!-- SLF4j -->
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <optional>true</optional>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
         </dependency>
     </dependencies>
 </project>
diff --git a/vault-hook-externalclass-test/pom.xml b/vault-hook-externalclass-test/pom.xml
index a35ea6fa..9144ab9e 100644
--- a/vault-hook-externalclass-test/pom.xml
+++ b/vault-hook-externalclass-test/pom.xml
@@ -91,26 +91,20 @@
         <dependency>
             <groupId>javax.jcr</groupId>
             <artifactId>jcr</artifactId>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
 
-        <!-- SLF4j / Log4j -->
+        <!-- SLF4j -->
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <optional>true</optional>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
-            <version>2.3.0</version>
+            <version>2.16.4</version>
             <scope>provided</scope>
-            <optional>true</optional>
         </dependency>
     </dependencies>
 </project>
diff --git a/vault-rcp/pom.xml b/vault-rcp/pom.xml
index b2349fa7..cdd48f5a 100644
--- a/vault-rcp/pom.xml
+++ b/vault-rcp/pom.xml
@@ -43,6 +43,25 @@
     <!-- B U I L D                                                             -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                            <exlude>*:jackson-core</exlude>
+                            <exlude>*:jackson-databind</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <plugin>
                 <groupId>org.apache.sling</groupId>
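Review bot: The same comment ("only check embedded dependencies, therefore exclude all external OSGi dependencies ...") appears twice in this block, once above the plugin and once above `<excludes>`; keep only the one next to `<excludes>`. Excluding `*:jackson-databind` is a larger blind spot than the others, since jackson-databind is a frequent source of deserialization CVEs; if it is genuinely container-provided that is fine, but the exclusion should be tied to that condition explicitly, e.g. `<!-- jackson is provided by the OSGi container; must not be embedded in this bundle -->`, so the next person to embed it knows to drop the exclusion. The `<exlude>` spelling issue noted for vault-core applies here as well.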
@@ -137,7 +156,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
-            <version>2.2.0</version>
+            <version>2.16.4</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
diff --git a/vault-sync/pom.xml b/vault-sync/pom.xml
index 959762b7..05e728e0 100644
--- a/vault-sync/pom.xml
+++ b/vault-sync/pom.xml
@@ -45,6 +45,22 @@
     <!-- B U I L D   D E F I N I T I O N                                        -->
     <!-- ====================================================================== -->
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external OSGi dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:guava</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <plugin>
                 <groupId>org.apache.sling</groupId>
diff --git a/vault-validation/pom.xml b/vault-validation/pom.xml
index e8f064eb..7cd4d3a7 100644
--- a/vault-validation/pom.xml
+++ b/vault-validation/pom.xml
@@ -40,6 +40,22 @@
     </properties>
 
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
             <!-- ====================================================================== -->
             <!-- R A T  P L U G I N                                                    -->
@@ -140,12 +156,45 @@
             <scope>provided</scope>
         </dependency>
 
-        <!-- only used for the constants, not necessary at run time -->
+        <!-- Oak dependencies only used for the constants, not necessary at run time (due to inlining) -->
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-core</artifactId>
             <version>${oak.version}</version>
             <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <version>${oak.version}</version>
+            <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core-spi</artifactId>
+            <version>${oak.version}</version>
+            <optional>true</optional>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                  <groupId>*</groupId>
+                  <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
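Review bot: `<optional>true</optional>` together with `<scope>provided</scope>` is redundant on all three Oak dependencies, since provided scope is already not propagated to consumers; keep just the scope. The wildcard `*:*` exclusions are what keep Oak's transitive tree (and its CVE findings) out of the new dependency check, which is the security-relevant part and is not mentioned; say so in the comment: `<!-- Oak only used for constants inlined at compile time; transitive tree excluded so it is neither shipped nor scanned -->`. Note that the "inlining" claim only holds for compile-time constants (`static final` primitives/Strings with constant initializers); if any referenced Oak field is not such a constant the class is needed at runtime and the provided scope would be wrong, which is worth a quick check.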
diff --git a/vault-vlt/pom.xml b/vault-vlt/pom.xml
index 1f07bef9..e30f4fd6 100644
--- a/vault-vlt/pom.xml
+++ b/vault-vlt/pom.xml
@@ -89,4 +89,23 @@
         </dependency>
     </dependencies>
 
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFile>${project.basedir}/../suppressions.xml</suppressionFile>
+                        <!-- only check embedded dependencies, therefore exclude all external dependencies with vulnerabilities (provided by the distribution) -->
+                        <excludes>
+                            <exlude>*:commons-io</exlude>
+                            <exlude>*:httpclient</exlude>
+                            <exlude>*:log4j</exlude>
+                        </excludes>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
 </project>
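Review bot: Excluding `*:log4j` from the scan removes a dependency line with well-known vulnerable 1.x releases from the check entirely, so the exclusion should be accompanied by evidence that log4j is not shipped by this module or by the vault-cli distribution that aggregates it (vault-cli's `useAllProjectDependencies` is enabled in this same commit). If log4j is only a container-provided dependency, state that next to the exclusion, e.g. `<!-- log4j is provided by the container and must not be embedded or shipped with the CLI -->`; otherwise the scan should cover it. The `<exlude>` spelling noted for vault-core applies here too.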