airsonic-custom

Commit Graph

Author	SHA1	Message	Date
Andrew DeMaria	ef22d6d8ed	Remove optional jetty runtime - Simplifies pom making future upgrades easier - Fixes tests picking up jetty runtime Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	5 years ago
jvoisin	c0fa01206a	Ignore yet an other jackson vulnerability	5 years ago
jvoisin	49c6e89f73	Ignore CVE-2019-14439 too	5 years ago
jvoisin	8260fed1b3	Ignore CVE-2019-14379	5 years ago
Andrew DeMaria	05580ae7f3	Fix typo	5 years ago
Andrew DeMaria	7c7ac3e591	Update dependency check	5 years ago
jvoisin	58daacd9ab	Jetty is only used by developers, and never in production So we're free to completely ignore CVE against it.	5 years ago
Andrew DeMaria	df352d8cb0	Fix #611 Add support for Java 9 and greater Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	5 years ago
jvoisin	4a1a5467c7	Remove the embedded copy of ant-zip	5 years ago
Andrew DeMaria	54e1237320	Exclude new spring 5.0.5 cve	5 years ago
tesshu	3e6d224550	#1 CVE-2018-1000840 stax-api-1.0.1.jar stax-api-1.0-2.jar	5 years ago
Andrew DeMaria	ee4cb71052	Ignore CVE-2018-8088 related to slf4j ext	6 years ago
randomnicode	94f4a85bb7	Suppress CVE-2018-8088	6 years ago
randomnicode	77ca475fbe	Add additional suppression	6 years ago
randomnicode	f3cc48f8cb	Suppress vulnerabilities file	6 years ago
Andrew DeMaria	609ca71307	Skip another irrelevant CVE Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	6 years ago
Andrew DeMaria	5281d9ab6e	Fix for false positive node vuln Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	6 years ago
Peter Marheine	cfdedea452	Suppress CVE-2018-13684 for dependency-check False positive matching ant-zip against a CVE for ZIP, an Ethereum token. Signed-off-by: Peter Marheine <peter@taricorp.net>	6 years ago
Andrew DeMaria	8d3c0ec9a0	Updates - Update Spring boot Version - Update dependency check version - Exclude irrelevant nodejs cve Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	6 years ago
Andrew DeMaria	431c98b496	Exclude cve CVE-2018-1115 Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	6 years ago
Andrew DeMaria	5cca85f516	Ignore irrelevant CVE Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	6 years ago
Manuel Müller	524d8da190	suppressed vulnerabiltiy warning in build, for Postgres JDBC-Driver, since it's a vulnerability in Postgre itself Signed-off-by:Manuel Müller <manuel.mueller@geekinbusiness.de>	7 years ago
Andrew DeMaria	438461933d	Dep Check Plugin and update vuln dependencies Detail ------ Add a dependency check plugin to find reported issues with dependencies we use. From adding this, there were quite a few false positives which are documented in airsonic-main/cve-suppressed.xml. The applicable vulnerabilities are as follows: ``` commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2, cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031, CVE-2014-0050, CVE-2013-0248 castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1, cpe:/a:castor_project:castor:1.3.1, org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004 tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617 ``` CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content from any multipart uploads so doesn't apply. Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>	7 years ago

23 Commits (0041fd79510f798adad578ccd6e81ffeb00bd685)