Merge remote-tracking branch 'origin/pr/1147'

master
Andrew DeMaria 5 years ago
commit 680da7a190
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 35
      airsonic-main/cve-suppressed.xml
  2. 2
      airsonic-main/pom.xml
  3. 21
      pom.xml

@ -168,4 +168,39 @@
<gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
<cve>CVE-2018-18749</cve>
</suppress>
<suppress>
<notes>False positive for jflac-codec</notes>
<gav regex="true">.*jflac-codec.*</gav>
<cve>CVE-2018-14948</cve>
</suppress>
<suppress>
<notes>We do not enable default typing for jackson</notes>
<gav regex="true">.*jackson-databind.*</gav>
<cve>CVE-2019-12814</cve>
</suppress>
<suppress>
<notes>We do not use the liquibase sdk</notes>
<filePath regex="true">.*liquibase/sdk/.*</filePath>
<cvssBelow>9.0</cvssBelow>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<suppress>
<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
<cve>CVE-2019-10072</cve>
</suppress>
<suppress>
<notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
<gav regex="true">^javax\.servlet:jstl:.*$</gav>
<cve>CVE-2015-0254</cve>
</suppress>
</suppressions>
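Review bot: The liquibase entry (notes `We do not use the liquibase sdk`) suppresses every finding below CVSS 9.0 for any path matching `.*liquibase/sdk/.*` instead of a named CVE, so a vulnerability reported later against those classes is hidden without anyone re-deciding whether the rationale still holds. Scoping it to the CVEs actually seen, or giving the entry an expiry with the suppress element's `until` attribute (e.g. `<suppress until="YYYY-MM-DDZ">`, date to be chosen), keeps it reviewable. The three `org.mortbay.jasper:apache-jsp` entries carry the same notes and gav and could be a single `<suppress>` with three `<cve>` children, so the rationale is maintained in one place.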

@ -538,7 +538,7 @@
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.1.4</version>
<version>42.2.5</version>
<scope>runtime</scope>
</dependency>
<dependency>

@ -18,6 +18,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<cxf.version>3.3.1</cxf.version>
<jackson.version>2.9.9</jackson.version>
<tomcat.version>8.5.42</tomcat.version>
</properties>
<repositories>
@ -87,7 +88,7 @@
<!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.5.20.RELEASE</version>
<version>1.5.21.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@ -192,37 +193,37 @@
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-websocket</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-annotations-api</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-jdbc</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-juli</artifactId>
<version>8.5.40</version>
<version>${tomcat.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -300,13 +301,15 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>4.0.0</version>
<version>5.0.0</version>
<inherited>true</inherited>
<configuration>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<suppressionFiles>
<suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
</suppressionFiles>
<!-- disabled due to the poor quality of the data from this analyzer -->
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
</configuration>
<executions>
<execution>
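Review bot: Setting `ossindexAnalyzerEnabled` to false removes an entire vulnerability data source from a plugin that is `inherited` by every module, so a finding that only OSS Index reports will no longer trip `failBuildOnAnyVulnerability`. If the motivation is false positives, recording them in the existing `${project.basedir}/cve-suppressed.xml` with a note keeps the analyzer's coverage for everything else; if it must stay off, the comment should say what was wrong and when to revisit, e.g. `<!-- disabled due to the poor quality of the data from this analyzer; re-check after the next dependency-check upgrade -->`. The plugin element continues past the end of the hunk.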
