Merge remote-tracking branch 'origin/pr/1147'

Andrew DeMaria 5 years ago
commit 680da7a190
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 35
      airsonic-main/cve-suppressed.xml
  2. 2
      airsonic-main/pom.xml
  3. 21
      pom.xml

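--- a/airsonic-main/cve-suppressed.xml
+++ b/airsonic-main/cve-suppressed.xml
@@ -168,4 +168,39 @@
 <gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
 <cve>CVE-2018-18749</cve>
 </suppress>
+<suppress>
+<notes>False positive for jflac-codec</notes>
+<gav regex="true">.*jflac-codec.*</gav>
+<cve>CVE-2018-14948</cve>
+</suppress>
+<suppress>
+<notes>We do not enable default typing for jackson</notes>
+<gav regex="true">.*jackson-databind.*</gav>
+<cve>CVE-2019-12814</cve>
+</suppress>
+<suppress>
+<notes>We do not use the liquibase sdk</notes>
+<filePath regex="true">.*liquibase/sdk/.*</filePath>
+<cvssBelow>9.0</cvssBelow>
+</suppress>
+<suppress>
+<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+<cve>CVE-2016-5425</cve>
+</suppress>
+<suppress>
+<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+<cve>CVE-2017-6056</cve>
+</suppress>
+<suppress>
+<notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+<gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+<cve>CVE-2019-10072</cve>
+</suppress>
+<suppress>
+<notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
+<gav regex="true">^javax\.servlet:jstl:.*$</gav>
+<cve>CVE-2015-0254</cve>
+</suppress>
 </suppressions>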
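Review bot: The liquibase entry's `<cvssBelow>9.0</cvssBelow>` is the only new suppression not pinned to a CVE: it hides every present and future finding scored below 9.0 for files matching `.*liquibase/sdk/.*`, so a newly published high-severity issue in that path would stay silent while the build still reports clean. Prefer listing the concrete `<cve>` ids the scan actually raised, or at least give the entry an expiry so it gets re-reviewed, e.g. `<suppress until="<YYYY-MM-DDZ placeholder>">`. The three identical `org.mortbay.jasper:apache-jsp` blocks could be collapsed into one `<suppress>` carrying three `<cve>` children, which keeps the notes and the gav pattern in one place and makes later additions less error-prone.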

@ -538,7 +538,7 @@
<dependency> <dependency>
<groupId>org.postgresql</groupId> <groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId> <artifactId>postgresql</artifactId>
<version>42.1.4</version> <version>42.2.5</version>
<scope>runtime</scope> <scope>runtime</scope>
</dependency> </dependency>
<dependency> <dependency>

@ -18,6 +18,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<cxf.version>3.3.1</cxf.version> <cxf.version>3.3.1</cxf.version>
<jackson.version>2.9.9</jackson.version> <jackson.version>2.9.9</jackson.version>
<tomcat.version>8.5.42</tomcat.version>
</properties> </properties>
<repositories> <repositories>
@ -87,7 +88,7 @@
<!-- Import dependency management from Spring Boot --> <!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId> <artifactId>spring-boot-dependencies</artifactId>
<version>1.5.20.RELEASE</version> <version>1.5.21.RELEASE</version>
<type>pom</type> <type>pom</type>
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
@ -192,37 +193,37 @@
<dependency> <dependency>
<groupId>org.apache.tomcat.embed</groupId> <groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId> <artifactId>tomcat-embed-core</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat.embed</groupId> <groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId> <artifactId>tomcat-embed-el</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat.embed</groupId> <groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId> <artifactId>tomcat-embed-jasper</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat.embed</groupId> <groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-websocket</artifactId> <artifactId>tomcat-embed-websocket</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-annotations-api</artifactId> <artifactId>tomcat-annotations-api</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-jdbc</artifactId> <artifactId>tomcat-jdbc</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-juli</artifactId> <artifactId>tomcat-juli</artifactId>
<version>8.5.40</version> <version>${tomcat.version}</version>
</dependency> </dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
@ -300,13 +301,15 @@
<plugin> <plugin>
<groupId>org.owasp</groupId> <groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId> <artifactId>dependency-check-maven</artifactId>
<version>4.0.0</version> <version>5.0.0</version>
<inherited>true</inherited> <inherited>true</inherited>
<configuration> <configuration>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability> <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<suppressionFiles> <suppressionFiles>
<suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile> <suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
</suppressionFiles> </suppressionFiles>
<!-- disabled due to the poor quality of the data from this analyzer -->
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
</configuration> </configuration>
<executions> <executions>
<execution> <execution>
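Review bot: The `<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>` line at the end of the dependency-check configuration drops a whole vulnerability data source from the scan, and the comment above it records only the reason, not when the decision should be revisited; presumably findings that only OSS Index carries will no longer fail the build even though `failBuildOnAnyVulnerability` stays true. I would extend the comment to `<!-- disabled due to the poor quality of the data from this analyzer; re-evaluate on the next dependency-check upgrade -->` so the trade-off is tracked alongside the version bump to 5.0.0 in the same hunk. The `<plugin>` block continues past the hunk into its `<executions>` section.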
