|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
|
|
|
|
|
|
|
<modelVersion>4.0.0</modelVersion>
|
|
|
|
<groupId>org.airsonic.player</groupId>
|
|
|
|
<artifactId>airsonic</artifactId>
|
|
|
|
<version>10.2.0-SNAPSHOT</version>
|
|
|
|
<name>Airsonic</name>
|
|
|
|
<packaging>pom</packaging>
|
|
|
|
<organization>
|
|
|
|
<name>Airsonic</name>
|
|
|
|
<url>https://airsonic.org/</url>
|
|
|
|
</organization>
|
|
|
|
<inceptionYear>2016</inceptionYear>
|
|
|
|
|
|
|
|
<properties>
|
|
|
|
<failOnDependencyWarning>true</failOnDependencyWarning>
|
|
|
|
<project.build.sourceEncoding>iso-8859-1</project.build.sourceEncoding>
|
|
|
|
<cxf.version>3.2.6</cxf.version>
|
|
|
|
</properties>
|
|
|
|
|
|
|
|
<repositories>
|
|
|
|
<repository>
|
|
|
|
<id>local1</id>
|
|
|
|
<name>Local Repository</name>
|
|
|
|
<url>file://${project.basedir}/../repo</url>
|
|
|
|
</repository>
|
|
|
|
<repository>
|
|
|
|
<id>java_net</id>
|
|
|
|
<name>download.java.net</name>
|
|
|
|
<url>http://download.java.net/maven/2/</url>
|
|
|
|
</repository>
|
|
|
|
<repository>
|
|
|
|
<id>teleal</id>
|
|
|
|
<name>teleal</name>
|
|
|
|
<url>http://teleal.org/m2</url>
|
|
|
|
</repository>
|
|
|
|
<repository>
|
|
|
|
<id>jaudiotagger-repository</id>
|
|
|
|
<url>https://dl.bintray.com/ijabz/maven</url>
|
|
|
|
</repository>
|
|
|
|
</repositories>
|
|
|
|
|
|
|
|
<pluginRepositories>
|
|
|
|
<pluginRepository>
|
|
|
|
<id>local1</id>
|
|
|
|
<name>Local Repository</name>
|
|
|
|
<url>file://${project.basedir}/../repo</url>
|
|
|
|
</pluginRepository>
|
|
|
|
</pluginRepositories>
|
|
|
|
|
|
|
|
<scm>
|
|
|
|
<connection>scm:git:git://github.com/airsonic/airsonic.git</connection>
|
|
|
|
<developerConnection>scm:git:git@github.com:airsonic/airsonic.git</developerConnection>
|
|
|
|
<url>https://github.com/airsonic/airsonic.git</url>
|
|
|
|
</scm>
|
|
|
|
|
|
|
|
<!-- <ciManagement>
|
|
|
|
<system>continuum</system>
|
|
|
|
<notifiers>
|
|
|
|
<notifier>
|
|
|
|
<type>mail</type>
|
|
|
|
<configuration>
|
|
|
|
<address>sindre@activeobjects.no</address>
|
|
|
|
</configuration>
|
|
|
|
</notifier>
|
|
|
|
</notifiers>
|
|
|
|
</ciManagement> -->
|
|
|
|
|
|
|
|
<developers>
|
|
|
|
<developer>
|
|
|
|
<name>Eugene E. Kashpureff Jr</name>
|
|
|
|
<email>eugene@kashpureff.org</email>
|
|
|
|
</developer>
|
|
|
|
</developers>
|
|
|
|
|
|
|
|
<modules>
|
|
|
|
<module>subsonic-rest-api</module>
|
|
|
|
<module>airsonic-sonos-api</module>
|
|
|
|
<module>airsonic-main</module>
|
|
|
|
</modules>
|
|
|
|
|
|
|
|
<dependencyManagement>
|
|
|
|
<dependencies>
|
|
|
|
<dependency>
|
|
|
|
<!-- Import dependency management from Spring Boot -->
|
|
|
|
<groupId>org.springframework.boot</groupId>
|
|
|
|
<artifactId>spring-boot-dependencies</artifactId>
|
|
|
|
<version>1.5.16.RELEASE</version>
|
|
|
|
<type>pom</type>
|
|
|
|
<scope>import</scope>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>org.liquibase</groupId>
|
|
|
|
<artifactId>liquibase-core</artifactId>
|
|
|
|
<!-- Cannot use 3.5.3/2 due to https://liquibase.jira.com/browse/CORE-2944 -->
|
|
|
|
<version>3.5.1</version>
|
|
|
|
</dependency>
|
|
|
|
|
|
|
|
<!-- Fix convergence issues -->
|
|
|
|
<dependency>
|
|
|
|
<groupId>org.ow2.asm</groupId>
|
|
|
|
<artifactId>asm</artifactId>
|
|
|
|
<version>5.1</version>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>org.apache.commons</groupId>
|
|
|
|
<artifactId>commons-lang3</artifactId>
|
|
|
|
<version>3.3.2</version>
|
|
|
|
</dependency>
|
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
|
|
|
<dependency>
|
|
|
|
<groupId>commons-io</groupId>
|
|
|
|
<artifactId>commons-io</artifactId>
|
|
|
|
<version>2.5</version>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
|
|
<artifactId>jackson-core</artifactId>
|
|
|
|
<version>2.9.6</version>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
|
|
<artifactId>jackson-databind</artifactId>
|
|
|
|
<version>2.9.6</version>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
|
|
<artifactId>jackson-annotations</artifactId>
|
|
|
|
<version>2.9.0</version>
|
|
|
|
</dependency>
|
|
|
|
<dependency>
|
|
|
|
<groupId>com.google.guava</groupId>
|
|
|
|
<artifactId>guava</artifactId>
|
|
|
|
<version>27.0-jre</version>
|
|
|
|
</dependency>
|
|
|
|
</dependencies>
|
|
|
|
</dependencyManagement>
|
|
|
|
|
|
|
|
<build>
|
|
|
|
<pluginManagement>
|
|
|
|
<plugins>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-compiler-plugin</artifactId>
|
|
|
|
<version>3.8.0</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-assembly-plugin</artifactId>
|
|
|
|
<version>3.1.0</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-antrun-plugin</artifactId>
|
|
|
|
<version>1.8</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-dependency-plugin</artifactId>
|
|
|
|
<version>3.1.1</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.codehaus.mojo</groupId>
|
|
|
|
<artifactId>buildnumber-maven-plugin</artifactId>
|
|
|
|
<version>1.4</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.cxf</groupId>
|
|
|
|
<artifactId>cxf-codegen-plugin</artifactId>
|
|
|
|
<version>${cxf.version}</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.jvnet.jaxb2.maven2</groupId>
|
|
|
|
<artifactId>maven-jaxb2-plugin</artifactId>
|
|
|
|
<version>0.14.0</version>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<artifactId>maven-war-plugin</artifactId>
|
|
|
|
<version>3.2.2</version>
|
|
|
|
<configuration>
|
|
|
|
<failOnMissingWebXml>false</failOnMissingWebXml>
|
|
|
|
<archive>
|
|
|
|
<manifest>
|
|
|
|
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
|
|
|
|
</manifest>
|
|
|
|
</archive>
|
|
|
|
</configuration>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-checkstyle-plugin</artifactId>
|
|
|
|
<version>3.0.0</version>
|
|
|
|
<executions>
|
|
|
|
<execution>
|
|
|
|
<id>validate</id>
|
|
|
|
<phase>validate</phase>
|
|
|
|
<configuration>
|
|
|
|
<configLocation>${project.basedir}/../checkstyle.xml</configLocation>
|
|
|
|
<encoding>UTF-8</encoding>
|
|
|
|
<consoleOutput>true</consoleOutput>
|
|
|
|
<failOnViolation>true</failOnViolation>
|
|
|
|
</configuration>
|
|
|
|
<goals>
|
|
|
|
<goal>check</goal>
|
|
|
|
</goals>
|
|
|
|
</execution>
|
|
|
|
</executions>
|
|
|
|
</plugin>
|
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
|
|
|
<plugin>
|
|
|
|
<groupId>org.owasp</groupId>
|
|
|
|
<artifactId>dependency-check-maven</artifactId>
|
|
|
|
<version>4.0.0</version>
|
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
|
|
|
<inherited>true</inherited>
|
|
|
|
<configuration>
|
|
|
|
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
|
|
|
|
<suppressionFiles>
|
|
|
|
<suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
|
|
|
|
</suppressionFiles>
|
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
|
|
|
</configuration>
|
|
|
|
<executions>
|
|
|
|
<execution>
|
|
|
|
<id>run-dependency-checker</id>
|
|
|
|
<phase>verify</phase>
|
|
|
|
<goals>
|
|
|
|
<goal>check</goal>
|
|
|
|
</goals>
|
|
|
|
</execution>
|
|
|
|
</executions>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-surefire-plugin</artifactId>
|
|
|
|
<version>2.22.0</version>
|
|
|
|
</plugin>
|
|
|
|
</plugins>
|
|
|
|
</pluginManagement>
|
|
|
|
|
|
|
|
<plugins>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-compiler-plugin</artifactId>
|
|
|
|
<configuration>
|
|
|
|
<source>1.8</source>
|
|
|
|
<target>1.8</target>
|
|
|
|
<encoding>ISO-8859-1</encoding>
|
|
|
|
<verbose>false</verbose>
|
|
|
|
<compilerVersion>1.8</compilerVersion>
|
|
|
|
<showWarnings>true</showWarnings>
|
|
|
|
</configuration>
|
|
|
|
</plugin>
|
|
|
|
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-dependency-plugin</artifactId>
|
|
|
|
<executions>
|
|
|
|
<execution>
|
|
|
|
<id>analyze</id>
|
|
|
|
<goals>
|
|
|
|
<goal>analyze-only</goal>
|
|
|
|
</goals>
|
|
|
|
<configuration>
|
|
|
|
<failOnWarning>${failOnDependencyWarning}</failOnWarning>
|
|
|
|
<ignoreNonCompile>true</ignoreNonCompile>
|
|
|
|
<ignoredUsedUndeclaredDependencies>
|
|
|
|
<ignoredUsedUndeclaredDependency>org.springframework:*</ignoredUsedUndeclaredDependency>
|
|
|
|
<ignoredUsedUndeclaredDependency>org.springframework.security:*</ignoredUsedUndeclaredDependency>
|
|
|
|
<ignoredUsedUndeclaredDependency>org.springframework.boot:*</ignoredUsedUndeclaredDependency>
|
|
|
|
<ignoredUsedUndeclaredDependency>org.apache.tomcat.embed:tomcat-embed-core*</ignoredUsedUndeclaredDependency>
|
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
|
|
|
<ignoredUsedUndeclaredDependency>org.apache.tomcat:tomcat-annotations-api:*</ignoredUsedUndeclaredDependency>
|
|
|
|
</ignoredUsedUndeclaredDependencies>
|
|
|
|
<ignoredUnusedDeclaredDependencies>
|
|
|
|
<ignoredUnusedDeclaredDependency>com.sun.mail:javax.mail*</ignoredUnusedDeclaredDependency>
|
|
|
|
<ignoredUnusedDeclaredDependency>org.seamless:seamless-http*</ignoredUnusedDeclaredDependency>
|
|
|
|
<ignoredUnusedDeclaredDependency>taglibs:string:jar*</ignoredUnusedDeclaredDependency>
|
|
|
|
<ignoredUnusedDeclaredDependency>org.seamless:seamless-http*</ignoredUnusedDeclaredDependency>
|
|
|
|
<!-- Needed for airsonic-booter to load Airsonic correctly -->
|
|
|
|
<ignoredUnusedDeclaredDependency>org.springframework.security:*</ignoredUnusedDeclaredDependency>
|
|
|
|
<ignoredUnusedDeclaredDependency>org.springframework.boot:spring-boot*</ignoredUnusedDeclaredDependency>
|
|
|
|
</ignoredUnusedDeclaredDependencies>
|
|
|
|
</configuration>
|
|
|
|
</execution>
|
|
|
|
</executions>
|
|
|
|
</plugin>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-enforcer-plugin</artifactId>
|
|
|
|
<version>3.0.0-M2</version>
|
|
|
|
<inherited>true</inherited>
|
|
|
|
<executions>
|
|
|
|
<execution>
|
|
|
|
<id>enforce</id>
|
|
|
|
<configuration>
|
|
|
|
<rules>
|
|
|
|
<dependencyConvergence/>
|
|
|
|
</rules>
|
|
|
|
</configuration>
|
|
|
|
<goals>
|
|
|
|
<goal>enforce</goal>
|
|
|
|
</goals>
|
|
|
|
</execution>
|
|
|
|
</executions>
|
|
|
|
</plugin>
|
|
|
|
</plugins>
|
|
|
|
</build>
|
|
|
|
|
|
|
|
<profiles>
|
|
|
|
<profile>
|
|
|
|
<id>docker</id>
|
|
|
|
<modules>
|
|
|
|
<module>subsonic-rest-api</module>
|
|
|
|
<module>airsonic-sonos-api</module>
|
|
|
|
<module>airsonic-main</module>
|
|
|
|
<module>install/docker</module>
|
|
|
|
</modules>
|
|
|
|
</profile>
|
|
|
|
<profile>
|
|
|
|
<id>integration-test</id>
|
|
|
|
<modules>
|
|
|
|
<module>subsonic-rest-api</module>
|
|
|
|
<module>airsonic-sonos-api</module>
|
|
|
|
<module>airsonic-main</module>
|
|
|
|
<module>install/docker</module>
|
|
|
|
<module>integration-test</module>
|
|
|
|
</modules>
|
|
|
|
</profile>
|
|
|
|
<profile>
|
|
|
|
<id>sign</id>
|
|
|
|
<build>
|
|
|
|
<plugins>
|
|
|
|
<plugin>
|
|
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
|
|
<artifactId>maven-gpg-plugin</artifactId>
|
|
|
|
<version>1.6</version>
|
|
|
|
<executions>
|
|
|
|
<execution>
|
|
|
|
<phase>package</phase>
|
|
|
|
<goals>
|
|
|
|
<goal>sign</goal>
|
|
|
|
</goals>
|
|
|
|
</execution>
|
|
|
|
</executions>
|
|
|
|
</plugin>
|
|
|
|
</plugins>
|
|
|
|
</build>
|
|
|
|
</profile>
|
|
|
|
</profiles>
|
|
|
|
</project>
|