<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<!-- Module coordinates: POM model 4.0.0, artifact "airsonic-main", packaged as a WAR.
     groupId and version are not declared here; Maven inherits them from <parent> when omitted. -->
<modelVersion>4.0.0</modelVersion>
<artifactId>airsonic-main</artifactId>
<packaging>war</packaging>
<name>Airsonic Main</name>
<!-- Parent POM: org.airsonic.player:airsonic 10.4.0-SNAPSHOT (not shown in this file).
     Dependencies and plugins in this module that omit <version> resolve it through inherited
     management, presumably declared in this parent. Confirm there when auditing versions. -->
<parent>
    <groupId>org.airsonic.player</groupId>
    <artifactId>airsonic</artifactId>
    <version>10.4.0-SNAPSHOT</version>
</parent>
<properties>
    <!-- Version shared by the three com.github.muff1nman.chameleon dependencies in this file.
         The blame view this listing came from ties this line to the commit
         "Dep Check Plugin and update vuln dependencies". -->
    <chameleon.version>1.2.1-RELEASE</chameleon.version>
    <!-- Scope used for spring-boot-starter-tomcat and tomcat-embed-jasper.
         The ide-tomcat-embed profile overrides it to "compile". -->
    <tomcat.server.scope>provided</tomcat.server.scope>
</properties>
<dependencies>
<!-- Artifacts in this project's own groupId, versioned with ${project.version} so they always
     match this module; presumably sibling modules of the same multi-module build. -->
<dependency>
    <groupId>org.airsonic.player</groupId>
    <artifactId>subsonic-rest-api</artifactId>
    <version>${project.version}</version>
</dependency>
<dependency>
    <groupId>org.airsonic.player</groupId>
    <artifactId>airsonic-sonos-api</artifactId>
    <version>${project.version}</version>
</dependency>
<!-- Java Audio Player and needed dependencies.
     Pinned to 0.2.5 in this file. Two of its transitive artifacts are excluded:
     org.slf4j:slf4j-simple and commons-io:commons-io (commons-io is declared directly
     further down in this file). -->
<dependency>
    <groupId>com.github.biconou</groupId>
    <artifactId>AudioPlayer</artifactId>
    <version>0.2.5</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-simple</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- END Java Audio Player -->
<!-- Metrics
     Metrics is a cool framework used here
     to compute measures and statistics during automated testing.
     NOTE(review): no <scope> is set here, so unless inherited dependency management sets one,
     Maven's default compile scope applies and the library ships in the WAR even though the
     description is about testing. Confirm that is intended.
-->
<dependency>
    <groupId>io.dropwizard.metrics</groupId>
    <artifactId>metrics-core</artifactId>
</dependency>
<!-- END Metrics -->
<!-- Spring -->
<!-- Web starter with its Tomcat starter excluded; the servlet container is declared separately
     under "Embedded tomcat" / "Embedded Jetty" further down in this file. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- JSP API 2.3.3, scope "provided": on the compile classpath, expected from the container at run time. -->
<dependency>
    <groupId>javax.servlet.jsp</groupId>
    <artifactId>javax.servlet.jsp-api</artifactId>
    <version>2.3.3</version>
    <scope>provided</scope>
</dependency>
<!-- The Spring artifacts below declare no <version>; it resolves through inherited management. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<!-- Spring Security starter: the authentication/authorization layer of the web application. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Test scope only: not packaged into the WAR. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>
<!-- LDAP authentication support for Spring Security (paired with spring-ldap-core below). -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-ldap</artifactId>
</dependency>
<!-- JSON Web Token library, pinned to 3.8.0 in this file rather than inherited, so upgrades and
     dependency-check findings for it have to be handled here. -->
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.8.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.ldap</groupId>
    <artifactId>spring-ldap-core</artifactId>
</dependency>
<!-- Spring Security tag library for JSP views. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
</dependency>
<!-- END Spring -->
<!-- taglibs -->
<!-- JSTL implementation from Apache Taglibs, pinned to 1.2.5 in this file. -->
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-impl</artifactId>
    <version>1.2.5</version>
</dependency>
<!-- "string" tag library 1.1.0, runtime scope: packaged, but not on the compile classpath. -->
<dependency>
    <groupId>taglibs</groupId>
    <artifactId>string</artifactId>
    <version>1.1.0</version>
    <scope>runtime</scope>
</dependency>
<!-- END taglibs -->
<!-- Lucene core, pinned to 3.0.3 in this file. -->
<dependency>
    <groupId>org.apache.lucene</groupId>
    <artifactId>lucene-core</artifactId>
    <version>3.0.3</version>
</dependency>

<!-- Apache Ant on the runtime classpath; no <version> here, so it resolves through inherited
     management. NOTE(review): confirm which component needs Ant inside the deployed WAR. -->
<dependency>
    <groupId>org.apache.ant</groupId>
    <artifactId>ant</artifactId>
    <scope>runtime</scope>
</dependency>
<!-- connection pool manager, fixes #860 (external database performance) -->
<!-- Runtime scope, pinned to 2.5.0 in this file. -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-dbcp2</artifactId>
    <version>2.5.0</version>
    <scope>runtime</scope>
    <!-- this wants to pull in commons-logging v1.2 which conflicts with other dependencies -->
    <exclusions>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Apache Commons libraries. Entries without <version> resolve through inherited management;
     check the resolved versions in the dependency-check report rather than in this file. -->
<dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
</dependency>

<!-- commons-fileupload pinned to 1.3.3. The blame view this listing came from ties the version
     line to the commit "Dep Check Plugin and update vuln dependencies", whose message lists
     CVE-2016-3092, CVE-2016-1000031, CVE-2014-0050 and CVE-2013-0248 against
     commons-fileupload 1.2 and argues that CVE-2016-1000031 does not apply because multipart
     upload content is never deserialized.
     NOTE(review): that argument covers upload content only. The flaw concerns a serializable
     class shipped in this jar, so it matters wherever the application deserializes untrusted
     Java objects while the jar is on the classpath. Confirm 1.3.3 is outside the affected
     range of each listed CVE and prefer staying on a fixed release over a suppression. -->
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.3</version>
</dependency>

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
</dependency>

<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
</dependency>

<!-- commons-lang 2.x pinned to 2.6 (the same blame annotation is attached to this version line).
     commons-lang3 is declared right below, so both generations are on the classpath. -->
<dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>2.6</version>
</dependency>

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
</dependency>
<!-- JSR-305 annotations, pinned to 3.0.2 in this file. -->
<dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>jsr305</artifactId>
    <version>3.0.2</version>
</dependency>

<!-- Guava and Apache HttpComponents: no <version> here, resolved through inherited management. -->
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
</dependency>

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpcore</artifactId>
</dependency>

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
</dependency>
<!-- HSQLDB database engine/driver, runtime scope, pinned to 1.8.0.7 in this file.
     NOTE(review): explicitly pinned versions are not lifted by parent upgrades; confirm this
     release is still acceptable and covered by the dependency-check run. -->
<dependency>
    <groupId>hsqldb</groupId>
    <artifactId>hsqldb</artifactId>
    <version>1.8.0.7</version>
    <scope>runtime</scope>
</dependency>

<!-- Radeox, pinned to the beta build 1.0-b2. -->
<dependency>
    <groupId>radeox</groupId>
    <artifactId>radeox</artifactId>
    <version>1.0-b2</version>
</dependency>

<!-- Direct Web Remoting (browser-to-server remoting layer), pinned to release candidate 3.0.rc1.
     NOTE(review): a release-candidate build on a browser-facing layer deserves an explicit
     check for a final release and for scanner coverage. -->
<dependency>
    <groupId>org.directwebremoting</groupId>
    <artifactId>dwr</artifactId>
    <version>3.0.rc1</version>
</dependency>

<!--Needed by dwr-->
<dependency>
    <groupId>com.yahoo.platform.yui</groupId>
    <artifactId>yuicompressor</artifactId>
    <version>2.4.8</version>
    <scope>runtime</scope>
    <!-- Necessary to avoid StringIndexOutOfBoundsException when running as a JAR -->
    <!-- See: https://github.com/yui/yuicompressor/issues/161 -->
    <!-- See also: https://stackoverflow.com/questions/8429095 -->
    <!-- The exclusion below removes the transitive rhino:js artifact. -->
    <exclusions>
        <exclusion>
            <artifactId>js</artifactId>
            <groupId>rhino</groupId>
        </exclusion>
    </exclusions>
</dependency>

<!-- Audio tag reading/writing library, pinned to 2.2.5. -->
<dependency>
    <groupId>net.jthink</groupId>
    <artifactId>jaudiotagger</artifactId>
    <version>2.2.5</version>
</dependency>
<!-- JFreeChart 1.5.0 with its transitive junit:junit and gnujaxp:gnujaxp excluded, which keeps a
     test framework and an extra XML parser implementation out of the packaged application. -->
<dependency>
    <groupId>org.jfree</groupId>
    <artifactId>jfreechart</artifactId>
    <version>1.5.0</version>
    <exclusions>
        <exclusion>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
        </exclusion>
        <exclusion>
            <groupId>gnujaxp</groupId>
            <artifactId>gnujaxp</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<!-- JDOM 2.0.2 (XML object model).
     NOTE(review): wherever JDOM parses XML that originates outside the application, the builder
     should refuse DOCTYPE declarations and external entities; confirm at the call sites, which
     are not visible in this file. -->
<dependency>
    <groupId>org.jdom</groupId>
    <artifactId>jdom</artifactId>
    <version>2.0.2</version>
</dependency>

<!-- Ehcache core, pinned to 2.5.0. -->
<dependency>
    <groupId>net.sf.ehcache</groupId>
    <artifactId>ehcache-core</artifactId>
    <version>2.5.0</version>
</dependency>

<!-- EclipseLink MOXy 2.7.3 (JAXB implementation). -->
<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>org.eclipse.persistence.moxy</artifactId>
    <version>2.7.3</version>
</dependency>

<!-- Servlet API, scope "provided": compiled against, supplied by the servlet container. -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>javax.servlet-api</artifactId>
    <scope>provided</scope>
</dependency>

<!-- JSTL, runtime scope; version resolved through inherited management. -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <scope>runtime</scope>
</dependency>
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads, so it doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
<!-- StAX API, pinned to 1.0.1 in this file. -->
<dependency>
    <groupId>stax</groupId>
    <artifactId>stax-api</artifactId>
    <version>1.0.1</version>
</dependency>

<!-- JavaMail API; the implementation (com.sun.mail:javax.mail) is declared further down with
     runtime scope. -->
<dependency>
    <groupId>javax.mail</groupId>
    <artifactId>javax.mail-api</artifactId>
</dependency>

<!-- natpmp 0.1; presumably a NAT-PMP port-mapping client, judging by the artifact name.
     TODO confirm usage. -->
<dependency>
    <groupId>com.hoodcomputing</groupId>
    <artifactId>natpmp</artifactId>
    <version>0.1</version>
</dependency>
<!-- Test-only libraries: scope "test" keeps them off the runtime classpath and out of the WAR.
     None declares a <version>; versions resolve through inherited management. -->
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <scope>test</scope>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-test</artifactId>
    <scope>test</scope>
</dependency>

<dependency>
    <groupId>org.mockito</groupId>
    <artifactId>mockito-core</artifactId>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.assertj</groupId>
    <artifactId>assertj-core</artifactId>
    <scope>test</scope>
</dependency>
<!-- UPNP / DLNA -->
<!-- Cling core and support are pinned to the same version, 2.0.1; keep them in step. -->
<dependency>
    <groupId>org.fourthline.cling</groupId>
    <artifactId>cling-core</artifactId>
    <version>2.0.1</version>
</dependency>

<dependency>
    <groupId>org.fourthline.cling</groupId>
    <artifactId>cling-support</artifactId>
    <version>2.0.1</version>
</dependency>

<dependency>
    <groupId>org.seamless</groupId>
    <artifactId>seamless-util</artifactId>
    <version>1.1.0</version>
</dependency>

<!-- Last.fm client library, pinned to 0.1.2. -->
<dependency>
    <groupId>de.u-mass</groupId>
    <artifactId>lastfm-java</artifactId>
    <version>0.1.2</version>
</dependency>

<!-- reCAPTCHA v2 client library, pinned to 1.0.2. -->
<dependency>
    <groupId>de.triology.recaptchav2-java</groupId>
    <artifactId>recaptchav2-java</artifactId>
    <version>1.0.2</version>
</dependency>
<!-- SONOS API / WSDL SUPPORT -->
<!-- All Apache CXF modules share ${cxf.version}. That property is not defined in this file, so
     it is presumably inherited from the parent POM; one property keeps the CXF modules aligned. -->
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-transports-http</artifactId>
    <version>${cxf.version}</version>
    <!-- Excludes CXF's transitive spring-web so it does not compete with the Spring version
         brought in by the Spring Boot starters (presumed reason; confirm). -->
    <exclusions>
        <exclusion>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-core</artifactId>
    <version>${cxf.version}</version>
</dependency>

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-frontend-jaxws</artifactId>
    <version>${cxf.version}</version>
</dependency>

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-bindings-soap</artifactId>
    <version>${cxf.version}</version>
</dependency>

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-databinding-jaxb</artifactId>
    <version>${cxf.version}</version>
</dependency>
<!-- Commons Configuration 2.4 with its transitive commons-logging excluded (the same exclusion
     is applied to commons-dbcp2 earlier in this file). -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-configuration2</artifactId>
    <version>2.4</version>
    <exclusions>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Fixes liquibase not using slf4j -->
<dependency>
    <groupId>com.mattbertolini</groupId>
    <artifactId>liquibase-slf4j</artifactId>
    <version>2.0.0</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <!-- commons-configuration2 requires during runtime -->
    <scope>runtime</scope>
</dependency>

<!-- Liquibase core; version resolved through inherited management. -->
<dependency>
    <groupId>org.liquibase</groupId>
    <artifactId>liquibase-core</artifactId>
</dependency>

<!-- maven-artifact 3.6.0 at the default compile scope, so it ships with the application.
     NOTE(review): presumably used for version comparison; confirm. -->
<dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-artifact</artifactId>
    <version>3.6.0</version>
</dependency>
<!-- Chameleon playlist libraries; all three use ${chameleon.version} from <properties>.
     "core" has the default scope, "playlist-xspf" states compile explicitly and "playlist-all"
     is runtime only. -->
<dependency>
    <groupId>com.github.muff1nman.chameleon</groupId>
    <artifactId>core</artifactId>
    <version>${chameleon.version}</version>
</dependency>

<dependency>
    <groupId>com.github.muff1nman.chameleon</groupId>
    <artifactId>playlist-xspf</artifactId>
    <version>${chameleon.version}</version>
    <scope>compile</scope>
</dependency>

<dependency>
    <groupId>com.github.muff1nman.chameleon</groupId>
    <artifactId>playlist-all</artifactId>
    <version>${chameleon.version}</version>
    <scope>runtime</scope>
</dependency>

<!-- Bean Validation API and SLF4J API; versions resolved through inherited management. -->
<dependency>
    <groupId>javax.validation</groupId>
    <artifactId>validation-api</artifactId>
</dependency>

<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
</dependency>
<!-- Embedded tomcat -->
<!-- Scope comes from ${tomcat.server.scope}: "provided" by default in this file's <properties>,
     "compile" under the ide-tomcat-embed profile. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
    <scope>${tomcat.server.scope}</scope>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <scope>${tomcat.server.scope}</scope>
</dependency>
<!-- Embedded Jetty -->
<!-- Always "provided" here; which container lands in the repackaged archive is decided by the
     boot.group.excludes / boot.artifact.excludes properties set in the profiles. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jetty</artifactId>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>apache-jsp</artifactId>
    <scope>provided</scope>
</dependency>

<!-- Provided by the servlet container, but found by dependency:analyze even if used via reflection -->
<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-io</artifactId>
    <scope>provided</scope>
</dependency>
<!-- Jackson and JsonPath: no <version> here, resolved through inherited management.
     NOTE(review): jackson-databind is a frequent subject of deserialization advisories, so the
     managed version is worth tracking in the dependency-check report. -->
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
    <groupId>com.jayway.jsonpath</groupId>
    <artifactId>json-path</artifactId>
</dependency>
<!-- JavaMail implementation, runtime scope (the API artifact is declared earlier in this file). -->
<dependency>
    <groupId>com.sun.mail</groupId>
    <artifactId>javax.mail</artifactId>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>javax.annotation</groupId>
    <artifactId>javax.annotation-api</artifactId>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>javax.xml.ws</groupId>
    <artifactId>jaxws-api</artifactId>
</dependency>
<!-- Two JAXB API artifacts are declared: javax.xml.bind:jaxb-api (compile) and
     jakarta.xml.bind:jakarta.xml.bind-api 2.3.2 (runtime).
     NOTE(review): presumably both provide the same API classes; confirm the duplication is
     intended. -->
<dependency>
    <groupId>javax.xml.bind</groupId>
    <artifactId>jaxb-api</artifactId>
    <scope>compile</scope>
</dependency>
<dependency>
    <groupId>jakarta.xml.bind</groupId>
    <artifactId>jakarta.xml.bind-api</artifactId>
    <version>2.3.2</version>
    <scope>runtime</scope>
</dependency>
<!-- JDBC drivers for external databases. All are runtime scope and pinned in this file, so
     driver upgrades have to be made here rather than through the parent. -->
<dependency>
    <groupId>org.postgresql</groupId>
    <artifactId>postgresql</artifactId>
    <version>42.2.5</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.43</version>
    <scope>runtime</scope>
</dependency>
<!-- The blame view this listing came from ties the version line below to the commit
     "Dep Check Plugin and update vuln dependencies". -->
<dependency>
    <groupId>org.mariadb.jdbc</groupId>
    <artifactId>mariadb-java-client</artifactId>
    <version>2.1.2</version>
    <scope>runtime</scope>
</dependency>
</dependencies>
<build>
<finalName>airsonic</finalName>
<plugins>
<!-- Checkstyle: declared without version or configuration, so both are presumably inherited
     from the parent's plugin management. -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-checkstyle-plugin</artifactId>
</plugin>
<!-- Spring Boot plugin 1.5.20.RELEASE: the "repackage" goal rebuilds the WAR as an executable
     archive whose entry point is org.airsonic.player.Application. The group and artifact
     exclusions come from boot.group.excludes / boot.artifact.excludes, which the profiles at
     the end of this file set per servlet container. -->
<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <version>1.5.20.RELEASE</version>
    <configuration>
        <mainClass>org.airsonic.player.Application</mainClass>
        <layout>WAR</layout>
        <excludeGroupIds>${boot.group.excludes}</excludeGroupIds>
        <excludeArtifactIds>${boot.artifact.excludes}</excludeArtifactIds>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>repackage</goal>
            </goals>
        </execution>
    </executions>
</plugin>
<!-- Surefire with reuseForks=false: forked test JVMs are not reused between test classes. -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-surefire-plugin</artifactId>
    <configuration>
        <reuseForks>false</reuseForks>
    </configuration>
</plugin>
<!-- Build number: the "create" goal runs in the validate phase and sets ${buildNumber} from the
     SCM revision. doCheck=false skips the check for local modifications, doUpdate=false skips
     the SCM update, and "Unversioned" is used when the SCM lookup fails. -->
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>buildnumber-maven-plugin</artifactId>
    <executions>
        <execution>
            <phase>validate</phase>
            <goals>
                <goal>create</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <doCheck>false</doCheck>
        <doUpdate>false</doUpdate>
        <revisionOnScmFailure>Unversioned</revisionOnScmFailure>
    </configuration>
</plugin>
<!-- Ant tasks run in generate-resources: copy the English resource bundle to the default
     ResourceBundle.properties, then write build_number.txt, build_date.txt and version.txt
     into target/classes.
     NOTE(review): these files are packaged with the application; if they are exposed to
     unauthenticated clients they disclose the exact build and version. Confirm how they are
     served. -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-antrun-plugin</artifactId>
    <executions>
        <execution>
            <phase>generate-resources</phase>
            <configuration>
                <target>
                    <!-- tstamp defines the DSTAMP property used for build_date.txt below. -->
                    <tstamp/>
                    <copy file="${basedir}/src/main/resources/org/airsonic/player/i18n/ResourceBundle_en.properties"
                          tofile="${project.build.directory}/classes/org/airsonic/player/i18n/ResourceBundle.properties"/>
                    <echo file="${project.build.directory}/classes/build_number.txt">${buildNumber}</echo>
                    <!--suppress MavenModelInspection -->
                    <echo file="${project.build.directory}/classes/build_date.txt">${DSTAMP}</echo>
                    <echo file="${project.build.directory}/classes/version.txt">${project.version}</echo>
                </target>
            </configuration>
            <goals>
                <goal>run</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads, so it doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
<!-- OWASP dependency-check: reports known vulnerabilities in the declared dependencies.
     No version, execution or configuration is given here, so those presumably come from the
     parent's plugin management. The commit that introduced the plugin records its accepted
     false positives in airsonic-main/cve-suppressed.xml.
     NOTE(review): re-review each suppression whenever the matching dependency changes, and
     confirm the plugin is bound to a phase that fails the build on new findings. -->
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
</plugin>
<!-- Checksum plugin for the build artifacts; version and configuration are not declared here. -->
<plugin>
    <groupId>net.nicoulaj.maven.plugins</groupId>
    <artifactId>checksum-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
<profiles>
<!-- Default profile: package embedded Tomcat by excluding the Jetty-related groups and the
     Jetty starter from the repackaged archive.
     NOTE(review): Maven switches an activeByDefault profile off as soon as another profile of
     this POM is activated explicitly, so activating only ide-tomcat-embed leaves
     boot.group.excludes and boot.artifact.excludes unset unless they are defined elsewhere.
     Confirm. -->
<profile>
    <id>tomcat-embed</id>
    <activation>
        <activeByDefault>true</activeByDefault>
    </activation>
    <properties>
        <boot.group.excludes>org.eclipse.jetty,org.eclipse.jetty.websocket,org.mortbay.jasper,org.eclipse.jetty.toolchain,org.ow2.asm</boot.group.excludes>
        <boot.artifact.excludes>spring-boot-starter-jetty</boot.artifact.excludes>
    </properties>
</profile>
<!-- Package embedded Jetty instead: exclude the Tomcat embed group and the Tomcat starter. -->
<profile>
    <id>jetty-embed</id>
    <properties>
        <boot.group.excludes>org.apache.tomcat.embed</boot.group.excludes>
        <boot.artifact.excludes>spring-boot-starter-tomcat</boot.artifact.excludes>
    </properties>
</profile>
<!-- IDE profile: raises the Tomcat dependencies from "provided" to "compile" scope. -->
<profile>
    <id>ide-tomcat-embed</id>
    <properties>
        <tomcat.server.scope>compile</tomcat.server.scope>
    </properties>
</profile>
</profiles>
</project>