From jlmonte...@apache.org
Subject [1/2] tomee git commit: TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"
Date Thu, 20 Dec 2018 13:54:37 GMT
Repository: tomee
Updated Branches:
  refs/heads/master cbb4ec412 -> 5f9fe9d0f


TOMEE-2363 Introduces OWASP dependency check via two profiles: "owasp-check" (will fail the
build for CVE score > 8.0) and "owasp-report"


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/3f5f6d39
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/3f5f6d39
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/3f5f6d39

Branch: refs/heads/master
Commit: 3f5f6d399903424c0c4036f1075884565c977add
Parents: e26828c
Author: rzo1 <richard@zowalla.com>
Authored: Tue Dec 18 11:20:23 2018 +0100
Committer: rzo1 <richard@zowalla.com>
Committed: Tue Dec 18 11:20:23 2018 +0100

----------------------------------------------------------------------
 owasp-dc-suppression.xml | 80 +++++++++++++++++++++++++++++++++++++++++++
 pom.xml                  | 61 ++++++++++++++++++++++++++++++---
 2 files changed, 136 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/3f5f6d39/owasp-dc-suppression.xml
----------------------------------------------------------------------
diff --git a/owasp-dc-suppression.xml b/owasp-dc-suppression.xml
new file mode 100644
index 0000000..04b5050
--- /dev/null
+++ b/owasp-dc-suppression.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2018-8031</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: self dependencies...
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cve>CVE-2010-1151</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:apache_http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: false positive apache http server
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:.*$</gav>
+        <cpe>cpe:/a:apache:http_server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: ziplock-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.apache\.tomee:ziplock:.*$</gav>
+        <cpe>cpe:/a:zip_project:zip</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: eclipselink-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: javax.persistence-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git:git</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: commonj.sdo-*.jar
+   ]]></notes>
+        <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+        <cpe>cpe:/a:git_project:git</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file
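Review bot: The two CVE suppressions at the top of the file match every org.apache.tomee artifact through the regex `^org\.apache\.tomee:.*$` while the note only says "self dependencies...", so the reason the finding does not apply is not recorded and any older tomee artifact that later enters the build (for instance as a test or example dependency) would be silently exempted from CVE-2018-8031 and CVE-2010-1151 as well. Narrowing the `<gav>` to the coordinates the scanner actually flagged, or at least stating in `<notes>` why the built artifacts are not affected, keeps each suppression auditable; the 1.2 suppression schema declared on the root element also accepts an `until` date attribute on `<suppress>`, which turns a permanent exemption into one that is re-evaluated. The paired `git`/`git_project` and `apache_http_server`/`http_server` entries could each be a single `<suppress>` with two `<cpe>` children, which halves the number of identical CDATA notes to maintain.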

http://git-wip-us.apache.org/repos/asf/tomee/blob/3f5f6d39/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 770f3af..59ee1db 100644
--- a/pom.xml
+++ b/pom.xml
@@ -369,6 +369,11 @@
           <artifactId>maven-compiler-plugin</artifactId>
           <version>3.6.2</version>
         </plugin>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>4.0.0</version>
+        </plugin>
       </plugins>
     </pluginManagement>
 
@@ -656,6 +661,53 @@
     </profile>
 
     <profile>
+      <id>owasp-report</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>aggregate</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>owasp-check</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <failBuildOnCVSS>8.0</failBuildOnCVSS>
+              <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
       <id>rat</id>
       <modules>
         <module>itests</module>
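Review bot: Both new profiles set `<skipRuntimeScope>true</skipRuntimeScope>`, which excludes runtime-scoped dependencies — the ones that are present on the classpath of the shipped distribution — from the scan, so a vulnerable runtime-only artifact would never reach the `failBuildOnCVSS` threshold in `owasp-check`; if the flag was only meant to avoid duplicate work in the aggregate, consider dropping it and keeping `skipProvidedScope` alone. The `<configuration>` block is repeated verbatim in `owasp-report` and `owasp-check` apart from `failBuildOnCVSS`; the shared part (`skipProvidedScope`, `skipRuntimeScope`, `suppressionFiles`) could live in the `dependency-check-maven` entry added under `<pluginManagement>` earlier in this diff so the two profiles cannot drift. The commit message says the build fails for a score "> 8.0", but as far as I recall `failBuildOnCVSS` is inclusive (a score of exactly 8.0 fails); a one-line `<!-- fail the build on CVSS >= 8.0 (High/Critical) -->` next to the setting would remove the ambiguity for the next maintainer. The surrounding `<profiles>` element starts and ends outside this hunk.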
@@ -686,7 +738,7 @@
               <reportFile>${project.build.directory}/${project.build.finalName}.rat</reportFile>
               <excludes>
                 <exclude>**/target/**/*</exclude>
-		            <exclude>**/js/livereload.js</exclude>
+                <exclude>**/js/livereload.js</exclude>
 
                 <!-- left around after creating the site -->
                 <exclude>**/cobertura.ser</exclude>
@@ -1727,8 +1779,8 @@
         <version>1.2.5</version>
         <exclusions>
           <exclusion>
-              <groupId>xalan</groupId>
-              <artifactId>xalan</artifactId>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
           </exclusion>
         </exclusions>
       </dependency>
@@ -1741,5 +1793,4 @@
       <url>scp://people.apache.org/www/tomee.apache.org/openejb/maven</url>
     </site>
   </distributionManagement>
-</project>
-
+</project>
\ No newline at end of file

