Merge remote-tracking branch 'origin/pr/1147'

airsonic-main/cve-suppressed.xml

@@ -168,4 +168,39 @@
         <gav regex="true">^com\.sun\.xml\.bind\.external:relaxng-datatype:.*</gav>
         <cve>CVE-2018-18749</cve>
     </suppress>
+    <suppress>
+        <notes>False positive for jflac-codec</notes>
+        <gav regex="true">.*jflac-codec.*</gav>
+        <cve>CVE-2018-14948</cve>
+    </suppress>
+    <suppress>
+        <notes>We do not enable default typing for jackson</notes>
+        <gav regex="true">.*jackson-databind.*</gav>
+        <cve>CVE-2019-12814</cve>
+    </suppress>
+    <suppress>
+        <notes>We do not use the liquibase sdk</notes>
+        <filePath regex="true">.*liquibase/sdk/.*</filePath>
+        <cvssBelow>9.0</cvssBelow>
+    </suppress>
+    <suppress>
+        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+        <cve>CVE-2016-5425</cve>
+    </suppress>
+    <suppress>
+        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+        <cve>CVE-2017-6056</cve>
+    </suppress>
+    <suppress>
+        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
+        <cve>CVE-2019-10072</cve>
+    </suppress>
+    <suppress>
+        <notes>This cve is for apache standard taglibs before 1.2.3. However jstl:1.2 is a separate PROVIDED lib</notes>
+        <gav regex="true">^javax\.servlet:jstl:.*$</gav>
+        <cve>CVE-2015-0254</cve>
+    </suppress>
 </suppressions>

airsonic-main/pom.xml

@@ -538,7 +538,7 @@
         <dependency>
             <groupId>org.postgresql</groupId>
             <artifactId>postgresql</artifactId>
-            <version>42.1.4</version>
+            <version>42.2.5</version>
             <scope>runtime</scope>
         </dependency>
         <dependency>

pom.xml

@@ -18,6 +18,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <cxf.version>3.3.1</cxf.version>
         <jackson.version>2.9.9</jackson.version>
+        <tomcat.version>8.5.42</tomcat.version>
     </properties>
 
     <repositories>
@@ -87,7 +88,7 @@
                 <!-- Import dependency management from Spring Boot -->
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>
-                <version>1.5.20.RELEASE</version>
+                <version>1.5.21.RELEASE</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -192,37 +193,37 @@
             <dependency>
                 <groupId>org.apache.tomcat.embed</groupId>
                 <artifactId>tomcat-embed-core</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat.embed</groupId>
                 <artifactId>tomcat-embed-el</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat.embed</groupId>
                 <artifactId>tomcat-embed-jasper</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat.embed</groupId>
                 <artifactId>tomcat-embed-websocket</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat</groupId>
                 <artifactId>tomcat-annotations-api</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat</groupId>
                 <artifactId>tomcat-jdbc</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.tomcat</groupId>
                 <artifactId>tomcat-juli</artifactId>
-                <version>8.5.40</version>
+                <version>${tomcat.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
@@ -300,13 +301,15 @@
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>4.0.0</version>
+                    <version>5.0.0</version>
                     <inherited>true</inherited>
                     <configuration>
                         <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
                         <suppressionFiles>
                             <suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
                         </suppressionFiles>
+                        <!-- disabled due to the poor quality of the data from this analyzer -->
+                        <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
                     </configuration>
                     <executions>
                         <execution>