Detail ------ Add a dependency check plugin to find reported issues with dependencies we use. From adding this, there were quite a few false positives which are documented in airsonic-main/cve-suppressed.xml. The applicable vulnerabilities are as follows: ``` commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2, cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031, CVE-2014-0050, CVE-2013-0248 castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1, cpe:/a:castor_project:castor:1.3.1, org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004 tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617 ``` CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content from any multipart uploads so doesn't apply. Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>master
parent
afa3a589df
commit
438461933d
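--- /dev/null
+++ b/airsonic-main/cve-suppressed.xml
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+<suppress>
+<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
+<gav regex="true">^.*$</gav>
+<cve>CVE-2015-2808</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
+<gav regex="true">^.*$</gav>
+<cve>CVE-2013-2566</cve>
+</suppress>
+<suppress>
+<notes>
+<![CDATA[This is for ruby - not for java and besides we don't allow user supplied information in emails]]></notes>
+<gav regex="true">^.*$</gav>
+<cve>CVE-2015-9097</cve>
+</suppress>
+
+<!-- This is for the oracle/glassfish application server implementation, not the api. -->
+<suppress>
+<notes><![CDATA[file name: javax.servlet.jsp-api-2.3.1.jar]]></notes>
+<gav regex="true">^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$</gav>
+<cve>CVE-2011-5035</cve>
+</suppress>
+
+<!-- For drupal, so doesn't apply to us -->
+<suppress>
+<notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
+<gav regex="true">^javax\.validation:validation-api:.*$</gav>
+<cve>CVE-2013-4499</cve>
+</suppress>
+
+<!-- This seems to pick up many false positives for the server component which we have no control over -->
+<suppress>
+<notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
+<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
+<cpe regex="true">.*</cpe>
+</suppress>
+
+<!-- Jetty is currently only used for developer experimentation -->
+<suppress>
+<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
+<cve>CVE-2017-9735</cve>
+</suppress>
+
+<!-- No git functionality is used from the following dependencies -->
+<suppress>
+<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
+<cve>CVE-2017-14867</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
+<cve>CVE-2015-7545</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
+<cve>CVE-2015-7082</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
+<cve>CVE-2010-2542</cve>
+</suppress>
+
+<!-- Ignore all false positives for the server component -->
+<suppress>
+<notes><![CDATA[file name: mariadb-java-client-2.1.0.jar]]></notes>
+<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
+<cpe>cpe:/a:mariadb:mariadb</cpe>
+</suppress>
+
+<!-- This cve is not for spring ldap, but for typo3 -->
+<suppress>
+<notes><![CDATA[file name: spring-ldap-core-2.3.1.RELEASE.jar]]></notes>
+<gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
+<cve>CVE-2014-6232</cve>
+</suppress>
+
+<!-- We do not support https for the embedded tomcat setup -->
+<suppress>
+<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
+<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
+<cve>CVE-2017-6056</cve>
+</suppress>
+
+<!-- This only impacts distro packages, not embedded -->
+<suppress>
+<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
+<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
+<cve>CVE-2016-6325</cve>
+</suppress>
+
+<!-- This only impacts distro packages, not embedded -->
+<suppress>
+<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
+<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
+<cve>CVE-2016-5425</cve>
+</suppress>
+
+<!-- Jetty is currently disabled and not added to the built war -->
+<suppress>
+<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
+<gav regex="true">^org\.eclipse\.jetty\..*$</gav>
+<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
+</suppress>
+</suppressions>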
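Review bot: The mysql-connector-java entry suppresses every CPE match for that jar (`<cpe regex="true">.*</cpe>`), which hides not only the misattributed MySQL server findings but also any CVE filed against Connector/J itself, now or in a future database refresh; the mariadb entry below already uses the narrow form (`<cpe>cpe:/a:mariadb:mariadb</cpe>`), so this one should likewise list only the server CPE(s) the report actually matched, e.g. `<cpe>cpe:/a:oracle:mysql</cpe>` / `<cpe>cpe:/a:mysql:mysql</cpe>`. The three `<gav regex="true">^.*$</gav>` entries at the top silence their CVE for every artifact in the build, and the two RC4 ones rest on the stated assumption that the embedded container never terminates TLS, so whoever later enables HTTPS on embedded Tomcat will not be warned; scoping the `<gav>` to the artifact that triggered the match rather than `^.*$` keeps the suppression honest. Several justifications are explicitly temporary ("currently only used for developer experimentation", "currently disabled"), so those entries are candidates for the 1.1 suppression schema's `until="YYYY-MM-DD"` attribute (if the dependency-check version in use honours it) so they expire and are re-reviewed instead of persisting indefinitely. The two Jetty entries also give different reasons for the same jar; collapsing them into one entry with a single accurate note would avoid the rationale drifting.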