MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'airsonic/pr/602'

Browse Source
master
Andrew DeMaria 7 years ago
parent c0c359a8f0 438461933d
commit 9a34d19726
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
3 changed files with 151 additions and 7 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 111
      airsonic-main/cve-suppressed.xml
  2. 19
      airsonic-main/pom.xml
  3. 28
      pom.xml

111
airsonic-main/cve-suppressed.xml
Unescape View File

@ -0,0 +1,111 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-2808</cve>
</suppress>
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2013-2566</cve>
</suppress>
<suppress>
<notes>
<![CDATA[This is for ruby - not for java and besides we don't allow user supplied information in emails]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-9097</cve>
</suppress>
<!-- This is for the oracle/glassfish application server implementation, not the api. -->
<suppress>
<notes><![CDATA[file name: javax.servlet.jsp-api-2.3.1.jar]]></notes>
<gav regex="true">^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$</gav>
<cve>CVE-2011-5035</cve>
</suppress>
<!-- For drupal, so doesn't apply to us -->
<suppress>
<notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
<gav regex="true">^javax\.validation:validation-api:.*$</gav>
<cve>CVE-2013-4499</cve>
</suppress>
<!-- This seems to pick up many false positives for the server component which we have no control over -->
<suppress>
<notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe regex="true">.*</cpe>
</suppress>
<!-- Jetty is currently only used for developer experimentation -->
<suppress>
<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<!-- No git functionality is used from the following dependencies -->
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2017-14867</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7545</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7082</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2010-2542</cve>
</suppress>
<!-- Ignore all false positives for the server component -->
<suppress>
<notes><![CDATA[file name: mariadb-java-client-2.1.0.jar]]></notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<!-- This cve is not for spring ldap, but for typo3 -->
<suppress>
<notes><![CDATA[file name: spring-ldap-core-2.3.1.RELEASE.jar]]></notes>
<gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
<cve>CVE-2014-6232</cve>
</suppress>
<!-- We do not support https for the embedded tomcat setup -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-6325</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<!-- Jetty is currently disabled and not added to the built war -->
<suppress>
<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.jetty\..*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
</suppress>
</suppressions>

19
airsonic-main/pom.xml
Unescape View File

@ -14,7 +14,7 @@
<properties>
<metrics.version>3.1.0</metrics.version>
<chameleon.version>1.2.0-RELEASE</chameleon.version>
<chameleon.version>1.2.1-RELEASE</chameleon.version>
</properties>
<dependencies>
@ -135,7 +135,7 @@
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.2</version>
<version>1.3.3</version>
</dependency>
<dependency>
@ -153,7 +153,7 @@
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.1</version>
<version>2.6</version>
</dependency>
<dependency>
@ -266,6 +266,12 @@
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>stax</groupId>
<artifactId>stax-api</artifactId>
<version>1.0.1</version>
</dependency>
<dependency>
<groupId>javax.mail</groupId>
<artifactId>javax.mail-api</artifactId>
@ -491,7 +497,7 @@
<dependency>
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
<version>2.1.0</version>
<version>2.1.2</version>
<scope>runtime</scope>
</dependency>
</dependencies>
@ -568,7 +574,10 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
</plugin>
</plugins>
</build>
<profiles>

28
pom.xml
Unescape View File

@ -86,7 +86,7 @@
<!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.5.6.RELEASE</version>
<version>1.5.8.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@ -108,6 +108,11 @@
<artifactId>commons-lang3</artifactId>
<version>3.3.2</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.5</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -187,11 +192,29 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>3.0.1</version>
<inherited>true</inherited>
<configuration>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<suppressionFile>${project.basedir}/cve-suppressed.xml</suppressionFile>
</configuration>
<executions>
<execution>
<id>run-dependency-checker</id>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
@ -223,6 +246,7 @@
<ignoredUsedUndeclaredDependency>org.springframework.security:*</ignoredUsedUndeclaredDependency>
<ignoredUsedUndeclaredDependency>org.springframework.boot:*</ignoredUsedUndeclaredDependency>
<ignoredUsedUndeclaredDependency>org.apache.tomcat.embed:tomcat-embed-core*</ignoredUsedUndeclaredDependency>
<ignoredUsedUndeclaredDependency>org.apache.tomcat:tomcat-annotations-api:*</ignoredUsedUndeclaredDependency>
</ignoredUsedUndeclaredDependencies>
<ignoredUnusedDeclaredDependencies>
<ignoredUnusedDeclaredDependency>com.sun.mail:javax.mail*</ignoredUnusedDeclaredDependency>

Write Preview
Loading…
Cancel
Save