From 7c7ac3e591642abc532060f93bba721dc85e837c Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Wed, 26 Jun 2019 10:57:49 -0600
Subject: [PATCH 1/4] Update dependency check
---
airsonic-main/cve-suppressed.xml | 35 ++++++++++++++++++++++++++++++++
airsonic-main/pom.xml | 2 +-
pom.xml | 19 +++++++++--------
3 files changed, 46 insertions(+), 10 deletions(-)
diff --git a/airsonic-main/cve-suppressed.xml b/airsonic-main/cve-suppressed.xml
index 548e6b40..caa93990 100644
--- a/airsonic-main/cve-suppressed.xml
+++ b/airsonic-main/cve-suppressed.xml
@@ -168,4 +168,39 @@ ^com\.sun\.xml\.bind\.external:relaxng-datatype:.* CVE-2018-18749
+
+ False positive for jflac-codec
+ .*jflac-codec.*
+ CVE-2018-14948
+
+
+ We do not enable default typing for jackson
+ .*jackson-databind.*
+ CVE-2019-12814
+
+
+ We do not sue the liquibase sdk
+ .*liquibase/sdk/.*
+ 9.0
+
+
+ False positive for tomcat vuln in eclipse jetty/jasper compat lib
+ ^org\.mortbay\.jasper:apache-jsp:.*$
+ CVE-2016-5425
+
+
+ False positive for tomcat vuln in eclipse jetty/jasper compat lib
+ ^org\.mortbay\.jasper:apache-jsp:.*$
+ CVE-2017-6056
+
+
+ False positive for tomcat vuln in eclipse jetty/jasper compat lib
+ ^org\.mortbay\.jasper:apache-jsp:.*$
+ CVE-2019-10072
+
+
+ This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib
+ ^javax\.servlet:jstl:.*$
+ CVE-2015-0254
+
diff --git a/airsonic-main/pom.xml b/airsonic-main/pom.xml
index d50db52b..e2166468 100755
--- a/airsonic-main/pom.xml
+++ b/airsonic-main/pom.xml
@@ -538,7 +538,7 @@ org.postgresql postgresql
- 42.1.4
+ 42.2.5 runtime
diff --git a/pom.xml b/pom.xml
index 6277f7c7..5f8c669d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,6 +18,7 @@ UTF-8 3.3.1 2.9.9
+ 8.5.42
@@ -87,7 +88,7 @@ org.springframework.boot spring-boot-dependencies
- 1.5.20.RELEASE
+ 1.5.21.RELEASE pom import
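Review bot: The liquibase entry in the cve-suppressed.xml hunk suppresses by score (the `9.0` value reads as a cvssBelow threshold; the element names are stripped on this page) instead of by a named CVE, so every future finding below that score on `.*liquibase/sdk/.*` stays hidden without anyone re-reviewing it, whereas the other six entries each pin one CVE. Since the note says the SDK is not used, excluding that artifact from the build would remove the finding without a suppression; if it must stay, express it per CVE or at least time-box it with the `until` attribute on the suppress element, e.g. `<suppress until="<expiry-date>">`, so it resurfaces for review. The three apache-jsp entries repeat the same note and package pattern and can be one suppress element carrying three `<cve>` children, which keeps the justification in one place. The jstl entry's justification depends on the artifact staying in provided scope, and its pattern has no version bound, so that reasoning should be re-checked whenever the scope or version changes.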
@@ -192,37 +193,37 @@ org.apache.tomcat.embed tomcat-embed-core
- 8.5.40
+ ${tomcat.version} org.apache.tomcat.embed tomcat-embed-el
- 8.5.40
+ ${tomcat.version} org.apache.tomcat.embed tomcat-embed-jasper
- 8.5.40
+ ${tomcat.version} org.apache.tomcat.embed tomcat-embed-websocket
- 8.5.40
+ ${tomcat.version} org.apache.tomcat tomcat-annotations-api
- 8.5.40
+ ${tomcat.version} org.apache.tomcat tomcat-jdbc
- 8.5.40
+ ${tomcat.version} org.apache.tomcat tomcat-juli
- 8.5.40
+ ${tomcat.version}
@@ -300,7 +301,7 @@ org.owasp dependency-check-maven
- 4.0.0
+ 5.0.0 true true
From c2acc36f85a3c2f230b222e5ae6f9fe6758e998c Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Wed, 26 Jun 2019 11:20:45 -0600
Subject: [PATCH 2/4] Disable ossindex analyzer as its data is questionable
---
pom.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/pom.xml b/pom.xml
index 5f8c669d..a0ef4995 100644
--- a/pom.xml
+++ b/pom.xml
@@ -308,6 +308,7 @@ ${project.basedir}/cve-suppressed.xml
+ false
From 05580ae7f30553a4c23423a653fd211536ef03b2 Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Wed, 26 Jun 2019 11:23:49 -0600
Subject: [PATCH 3/4] Fix typo
---
airsonic-main/cve-suppressed.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/airsonic-main/cve-suppressed.xml b/airsonic-main/cve-suppressed.xml
index caa93990..ce449ee7 100644
--- a/airsonic-main/cve-suppressed.xml
+++ b/airsonic-main/cve-suppressed.xml
@@ -179,7 +179,7 @@ CVE-2019-12814
- We do not sue the liquibase sdk
+ We do not use the liquibase sdk .*liquibase/sdk/.* 9.0
From 4d615a35f441b88c538f2a7c86b7d70c48fc5cf4 Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Wed, 26 Jun 2019 11:52:11 -0600
Subject: [PATCH 4/4] Add comment for why ossindex is disabled
---
pom.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/pom.xml b/pom.xml
index a0ef4995..8a7a89ae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -308,6 +308,7 @@ ${project.basedir}/cve-suppressed.xml
+ false
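Review bot: The `false` added in the PATCH 2/4 hunk switches off the OSS Index analyzer for the whole build (the element name is stripped here, but from the subject line this is presumably `ossindexAnalyzerEnabled`), which drops an entire vulnerability data source rather than the few entries found to be wrong, so anything only OSS Index reports will no longer surface. If the motivation is specific bad matches, the existing cve-suppressed.xml can carry them as `<vulnerabilityName>` suppressions (OSS Index findings carry their own identifiers rather than CVE numbers) with the analyzer left on. If it stays disabled, the justification recorded next to it should name which findings were wrong so the decision can be revisited once the data improves. The enclosing configuration element starts and ends outside the hunk.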