From 438461933d63b1183999f90ca36860eeb12f19e5 Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Wed, 4 Oct 2017 20:53:44 -0600
Subject: [PATCH] Dep Check Plugin and update vuln dependencies
Detail ------ Add a dependency check plugin to find reported issues with dependencies we use. From adding this, there were quite a few false positives which are documented in airsonic-main/cve-suppressed.xml. The applicable vulnerabilities are as follows: ``` commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2, cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031, CVE-2014-0050, CVE-2013-0248 castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1, cpe:/a:castor_project:castor:1.3.1, org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004 tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617 ``` CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria
---
 airsonic-main/cve-suppressed.xml | 111 +++++++++++++++++++++++++++++++
 airsonic-main/pom.xml | 19 ++++--
 pom.xml | 28 +++++++-
 3 files changed, 151 insertions(+), 7 deletions(-)
 create mode 100644 airsonic-main/cve-suppressed.xml
diff --git a/airsonic-main/cve-suppressed.xml b/airsonic-main/cve-suppressed.xml
new file mode 100644
index 00000000..19ae4a41
--- /dev/null
+++ b/airsonic-main/cve-suppressed.xml
@@ -0,0 +1,111 @@ + + + + + ^.*$ + CVE-2015-2808 + + + + ^.*$ + CVE-2013-2566 + + + + + ^.*$ + CVE-2015-9097 + + + + + + ^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$ + CVE-2011-5035 + + + + + + ^javax\.validation:validation-api:.*$ + CVE-2013-4499 + + + + + + ^mysql:mysql-connector-java:.*$ + .* + + + + + + ^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$ + CVE-2017-9735 + + + + + + ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ + CVE-2017-14867 + + + + ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ + CVE-2015-7545 + + + + ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ + CVE-2015-7082 + + + + ^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$ + CVE-2010-2542 + + + + + + ^org\.mariadb\.jdbc:mariadb-java-client:.*$ + cpe:/a:mariadb:mariadb + + + + + + ^org\.springframework\.ldap:spring-ldap-core:.*$ + CVE-2014-6232 + + + + + + ^org\.apache\.tomcat:tomcat-annotations-api:.*$ + CVE-2017-6056 + + + + + + ^org\.apache\.tomcat:tomcat-annotations-api:.*$ + CVE-2016-6325 + + + + + + ^org\.apache\.tomcat:tomcat-annotations-api:.*$ + CVE-2016-5425 + + + + + + ^org\.eclipse\.jetty\..*$ + cpe:/a:mortbay_jetty:jetty + + diff --git a/airsonic-main/pom.xml b/airsonic-main/pom.xml index 6f2dad83..a467acec 100644 --- a/airsonic-main/pom.xml +++ b/airsonic-main/pom.xml @@ -14,7 +14,7 @@ 3.1.0 - 1.2.0-RELEASE + 1.2.1-RELEASE @@ -135,7 +135,7 @@ commons-fileupload commons-fileupload - 1.2 + 1.3.3 @@ -153,7 +153,7 @@ commons-lang commons-lang - 2.1 + 2.6 @@ -266,6 +266,12 @@ runtime + + stax + stax-api + 1.0.1 + + javax.mail javax.mail-api @@ -491,7 +497,7 @@ org.mariadb.jdbc mariadb-java-client - 2.1.0 + 2.1.2 runtime @@ -568,7 +574,10 @@ - + + org.owasp + dependency-check-maven + diff --git a/pom.xml b/pom.xml index 9ac650de..8437d404 100644 --- a/pom.xml +++ b/pom.xml @@ -86,7 +86,7 @@ org.springframework.boot spring-boot-dependencies - 1.5.6.RELEASE + 1.5.8.RELEASE pom import 
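Review bot: The entry for `^mysql:mysql-connector-java:.*$` is paired with a `.*` CVE pattern, which silences every current and future finding for that artifact rather than the one false positive, and the three entries matching `^.*$` (CVE-2015-2808, CVE-2013-2566, CVE-2015-9097) do the same across every dependency in the build. Prefer one `<cve>` per confirmed false positive, or a `<cpe>` suppression when the real problem is a wrong CPE match, and give each `<suppress>` an `until` date so the entry is re-evaluated instead of inherited indefinitely. The element names and any `<notes>` are stripped on this page, so I can't confirm that each suppression records why it was judged a false positive; the commit message says they are documented here, so if a note is missing add a one-line `<notes>` per entry (e.g. `<notes>[REASON: wrong CPE match / not reachable]</notes>`).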
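Review bot: The new `stax:stax-api:1.0.1` dependency in the `@@ -266,6 +266,12 @@` hunk of airsonic-main/pom.xml is not mentioned in the commit message, and its scope is not visible here since the tags were stripped; in a vulnerability-cleanup commit an unexplained new runtime artifact deserves a comment such as `<!-- pulled in for [CONSUMER ARTIFACT]; see [ISSUE] -->`. The message also lists castor-core 1.3.1 (CVE-2014-3004) as an applicable finding, but none of these hunks visibly change a castor version and cve-suppressed.xml has no castor entry, so unless the `1.2.0-RELEASE` to `1.2.1-RELEASE` property in the first hunk (name not visible) manages it, that finding is presumably still open and the message should say so.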
@@ -108,6 +108,11 @@ commons-lang3 3.3.2 + + commons-io + commons-io + 2.5 + @@ -187,11 +192,29 @@ + + org.owasp + dependency-check-maven + 3.0.1 + true + + true + ${project.basedir}/cve-suppressed.xml + + + + run-dependency-checker + verify + + check + + + + - org.apache.maven.plugins maven-compiler-plugin @@ -223,6 +246,7 @@ org.springframework.security:* org.springframework.boot:* org.apache.tomcat.embed:tomcat-embed-core* + org.apache.tomcat:tomcat-annotations-api:* com.sun.mail:javax.mail*
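Review bot: The dependency-check-maven configuration in the `@@ -187,11 +192,29 @@` hunk shows two boolean `true` values and the `suppressionFile`, but no CVSS threshold; the element names are stripped on this page, so I can't tell whether one of those booleans is a fail-on-finding switch. Without `failBuildOnCVSS` (or an equivalent fail setting) the `check` goal bound to `verify` only reports, so a newly published CVE against a dependency would not fail CI, which defeats the purpose of wiring it into the build; something like `<failBuildOnCVSS>7</failBuildOnCVSS>` makes the gate explicit. Also, `${project.basedir}/cve-suppressed.xml` resolves per module, and the file is only created under airsonic-main, so enabling this plugin in any other module would presumably point at a non-existent suppression file; worth either documenting that it is airsonic-main only or anchoring the path at the multi-module root.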