MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'origin/pr/1147'

Browse Source
master
Andrew DeMaria 5 years ago
parent e9986606ca 4d615a35f4
commit 680da7a190
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
3 changed files with 48 additions and 10 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 35
      airsonic-main/cve-suppressed.xml
  2. 2
      airsonic-main/pom.xml
  3. 21
      pom.xml

35
airsonic-main/cve-suppressed.xml
Unescape View File

@ -168,4 +168,39 @@
<gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
<cve>CVE-2018-18749</cve>
</suppress>
<suppress>
<notes>False positive for jflac-codec</notes>
<gav regex="true">.*jflac-codec.*</gav>
<cve>CVE-2018-14948</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-12814</cve>
</suppress>
<suppress>
<notes>We do not use the liquibase sdk</notes>
<filePath regex="true">.*liquibase/sdk/.*</filePath>
<cvssBelow>9.0</cvssBelow>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2019-10072</cve>
</suppress>
<suppress>
<notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
<gav regex="true">^javax\.servlet:jstl:.*$</gav>
<cve>CVE-2015-0254</cve>
</suppress>
</suppressions>

2
airsonic-main/pom.xml
Unescape View File

@ -538,7 +538,7 @@
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.1.4</version>
<version>42.2.5</version>
<scope>runtime</scope>
</dependency>
<dependency>

21
pom.xml
Unescape View File

@ -18,6 +18,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<cxf.version>3.3.1</cxf.version>
<jackson.version>2.9.9</jackson.version>
<tomcat.version>8.5.42</tomcat.version>
</properties>
<repositories>
@ -87,7 +88,7 @@
<!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.5.20.RELEASE</version>
<version>1.5.21.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@ -192,37 +193,37 @@
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-websocket</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-annotations-api</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-jdbc</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-juli</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -300,13 +301,15 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>4.0.0</version>
<version>5.0.0</version>
<inherited>true</inherited>
<configuration>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<suppressionFiles>
<suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
</suppressionFiles>
<!-- disabled due to the poor quality of the data from this analyzer -->
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
</configuration>
<executions>
<execution>

Write Preview
Loading…
Cancel
Save