Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so it doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">

    <!-- Provisional >> -->
    <suppress>
        <notes><![CDATA[False Positive for stax]]></notes>
        <gav regex="true">^.*$</gav>
        <cve>CVE-2018-1000840</cve>
    </suppress>
    <!-- << Provisional -->

    <suppress>
        <notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
        <gav regex="true">^.*$</gav>
        <cve>CVE-2015-2808</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
        <gav regex="true">^.*$</gav>
        <cve>CVE-2013-2566</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[This is for ruby - not for java and besides we don't allow user supplied information in emails]]></notes>
        <gav regex="true">^.*$</gav>
        <cve>CVE-2015-9097</cve>
    </suppress>

    <!-- This is for the oracle/glassfish application server implementation, not the api. -->
    <suppress>
        <notes><![CDATA[file name: javax.servlet.jsp-api-2.3.1.jar]]></notes>
        <gav regex="true">^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$</gav>
        <cve>CVE-2011-5035</cve>
    </suppress>

    <!-- For drupal, so doesn't apply to us -->
    <suppress>
        <notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
        <gav regex="true">^javax\.validation:validation-api:.*$</gav>
        <cve>CVE-2013-4499</cve>
    </suppress>

    <!-- This seems to pick up many false positives for the server component which we have no control over -->
    <suppress>
        <notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
        <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
        <cpe regex="true">.*</cpe>
    </suppress>

    <!-- Jetty is currently only used for developer experimentation -->
    <suppress>
        <notes>Jetty is currently only used for developer experimentation</notes>
        <gav regex="true">^org\.eclipse\.jetty:.*$</gav>
        <cpe>cpe:/a:org.eclipse.jetty:</cpe>
    </suppress>

    <!-- No git functionality is used from the following dependencies -->
    <suppress>
        <notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
        <gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
        <cve>CVE-2017-14867</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
        <gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
        <cve>CVE-2015-7545</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
        <gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
        <cve>CVE-2015-7082</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
        <gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
        <cve>CVE-2010-2542</cve>
    </suppress>

    <!-- Ignore all false positives for the server component -->
    <suppress>
        <notes><![CDATA[file name: mariadb-java-client-2.1.0.jar]]></notes>
        <gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
        <cpe>cpe:/a:mariadb:mariadb</cpe>
    </suppress>

    <!-- This cve is not for spring ldap, but for typo3 -->
    <suppress>
        <notes><![CDATA[file name: spring-ldap-core-2.3.1.RELEASE.jar]]></notes>
        <gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
        <cve>CVE-2014-6232</cve>
    </suppress>

    <!-- We do not support https for the embedded tomcat setup -->
    <suppress>
        <notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
        <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
        <cve>CVE-2017-6056</cve>
    </suppress>

    <!-- This only impacts distro packages, not embedded -->
    <suppress>
        <notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
        <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
        <cve>CVE-2016-6325</cve>
    </suppress>

    <!-- This only impacts distro packages, not embedded -->
    <suppress>
        <notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
        <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
        <cve>CVE-2016-5425</cve>
    </suppress>

    <!-- Jetty is currently disabled and not added to the built war -->
    <suppress>
        <notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
        <gav regex="true">^org\.eclipse\.jetty\..*$</gav>
        <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
    </suppress>

    <!-- Vulnerability lies in database cluster scripts -->
    <suppress>
        <notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
        <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
        <cve>CVE-2017-8806</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
        <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
        <cve>CVE-2017-14798</cve>
    </suppress>
    <suppress>
        <notes>Does not affect the postgres client</notes>
        <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
        <cve>CVE-2018-1115</cve>
    </suppress>
    <suppress>
        <notes>Does not affect the postgres client</notes>
        <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
        <cve>CVE-2016-7048</cve>
    </suppress>
    <suppress>
        <notes>This is for nodejs</notes>
        <gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
        <cve>CVE-2017-16046</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[False Positive for stax]]></notes>
        <gav regex="true">^stax.*$</gav>
        <cve>CVE-2017-16224</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[False Positive for stax]]></notes>
        <gav regex="true">^javax\.xml\.stream:stax.*$</gav>
        <cve>CVE-2017-16224</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[We do not use slf4j ext]]></notes>
        <gav regex="true">.*slf4j.*</gav>
        <cve>CVE-2018-8088</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[This only impacts spring 5.0.5 which we don't use]]></notes>
        <gav regex="true">.*spring.*</gav>
        <cve>CVE-2018-1258</cve>
    </suppress>
    <suppress>
        <notes>This is for an unrelated C library</notes>
        <gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
        <cve>CVE-2018-18749</cve>
    </suppress>
    <suppress>
        <notes>False positive for jflac-codec</notes>
        <gav regex="true">.*jflac-codec.*</gav>
        <cve>CVE-2018-14948</cve>
    </suppress>
    <suppress>
        <notes>We do not enable default typing for jackson</notes>
        <gav regex="true">.*jackson-databind.*</gav>
        <cve>CVE-2019-12814</cve>
    </suppress>
    <suppress>
        <notes>We do not use the liquibase sdk</notes>
        <filePath regex="true">.*liquibase/sdk/.*</filePath>
        <cvssBelow>9.0</cvssBelow>
    </suppress>
    <suppress>
        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2016-5425</cve>
    </suppress>
    <suppress>
        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2017-6056</cve>
    </suppress>
    <suppress>
        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2019-10072</cve>
    </suppress>
    <suppress>
        <notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
        <gav regex="true">^javax\.servlet:jstl:.*$</gav>
        <cve>CVE-2015-0254</cve>
    </suppress>
    <suppress>
        <notes>We do not enable default typing for jackson</notes>
        <gav regex="true">.*jackson-databind.*</gav>
        <cve>CVE-2019-14379</cve>
    </suppress>
    <suppress>
        <notes>We do not enable default typing for jackson</notes>
        <gav regex="true">.*jackson-databind.*</gav>
        <cve>CVE-2019-14439</cve>
    </suppress>
    <suppress>
        <notes>We do not enable default typing for jackson</notes>
        <gav regex="true">.*jackson-databind.*</gav>
        <cve>CVE-2019-12384</cve>
    </suppress>
</suppressions>
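The security-relevant property of a suppression file like the one above is how much each rule hides beyond the finding it was written for: a `<cve>` paired with `<gav regex="true">^.*$</gav>` silences that CVE for every dependency the scanner ever sees, and `<cpe regex="true">.*</cpe>` silences every finding for the named artifact. As an added example (not code from the Airsonic project or from the dependency-check plugin), the following Python script parses the dependency-suppression 1.2 format used above and classifies each `<suppress>` by scope so that over-broad rules can be reviewed when dependencies change. The embedded sample document is constructed to mirror four rule shapes taken from the file above; the category names, the `sha1` selector check and the exit-code convention are this example's own choices, not part of the plugin.

```python
"""Lint an OWASP dependency-check suppression file for over-broad rules.

Added example, not code from the Airsonic project: parses the
dependency-suppression 1.2 XML format that cve-suppressed.xml uses and
reports each <suppress> whose scope could hide findings beyond the one
its note describes.
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"}

# A regex selector value that accepts any string: ".*", optionally anchored as "^.*$".
MATCH_ALL = re.compile(r"^\^?\.\*\$?$")

# Constructed sample mirroring rule shapes that occur in cve-suppressed.xml.
SAMPLE_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <suppress>
        <notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
        <gav regex="true">^.*$</gav>
        <cve>CVE-2015-2808</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
        <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
        <cpe regex="true">.*</cpe>
    </suppress>
    <suppress>
        <notes>We do not use the liquibase sdk</notes>
        <filePath regex="true">.*liquibase/sdk/.*</filePath>
        <cvssBelow>9.0</cvssBelow>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
        <gav regex="true">^javax\.validation:validation-api:.*$</gav>
        <cve>CVE-2013-4499</cve>
    </suppress>
</suppressions>
"""


def _matches_everything(elem):
    """True when elem is a regex selector whose pattern accepts any value."""
    if elem is None or elem.text is None:
        return False
    return elem.get("regex") == "true" and MATCH_ALL.match(elem.text.strip()) is not None


def classify(suppress):
    """Return (category, detail) describing how broad one <suppress> rule is."""
    find = lambda tag: suppress.find(f"s:{tag}", NS)
    gav, file_path, sha1, cpe, cvss_below = (find(t) for t in ("gav", "filePath", "sha1", "cpe", "cvssBelow"))
    cves = [c.text.strip() for c in suppress.findall("s:cve", NS) if c.text]

    # Artifact side: which dependencies the rule applies to (sha1 is assumed from the schema).
    targets = [e for e in (gav, file_path, sha1) if e is not None]
    target_text = ", ".join(e.text.strip() for e in targets if e.text) or "<no target>"
    every_artifact = not targets or any(_matches_everything(e) for e in targets)

    # Vulnerability side: which findings the rule hides for those artifacts.
    every_vuln = (not cves and cpe is None and cvss_below is None) or _matches_everything(cpe)
    hidden = ", ".join(cves) or (cpe.text.strip() if cpe is not None and cpe.text else "matching findings")

    if every_artifact and every_vuln:
        return "suppress-everything", "hides every finding for every dependency"
    if every_artifact:
        return "wildcard-target", f"{hidden} hidden for every dependency"
    if every_vuln:
        return "wildcard-vulnerability", f"all findings hidden for {target_text}"
    if cvss_below is not None:
        return "cvss-threshold", f"findings below CVSS {cvss_below.text.strip()} hidden for {target_text}"
    return "scoped", f"{hidden} hidden for {target_text}"


def lint(xml_text):
    """Parse a suppression document and return one report entry per <suppress>."""
    root = ET.fromstring(xml_text)
    report = []
    for index, suppress in enumerate(root.findall("s:suppress", NS), start=1):
        category, detail = classify(suppress)
        notes = (suppress.findtext("s:notes", default="", namespaces=NS) or "").strip()
        report.append({"index": index, "category": category, "detail": detail, "notes": notes})
    return report


def main(argv):
    """Lint the file named on the command line (or the embedded sample); return the count of broad rules."""
    xml_text = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_XML
    broad = 0
    for entry in lint(xml_text):
        flag = "!!" if entry["category"] != "scoped" else "  "
        broad += entry["category"] != "scoped"
        print(f"{flag} #{entry['index']:<3} {entry['category']:<22} {entry['detail']}  ({entry['notes']})")
    return broad


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv) else 0)
```

Run it as `python lint_suppressions.py airsonic-main/cve-suppressed.xml` (the script name is this example's own); rules other than `scoped` are marked `!!` and the exit status is non-zero when any exist, so it can gate a CI job. The point is not that broad rules are wrong (the notes above give reasons for each) but that they deserve a second look whenever a dependency is added or upgraded, since a `^.*$` rule written for one false positive will also hide the same CVE if it is later reported against a dependency where it is real.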