Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads so doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
- Added enforcer plugin
- Fix some version conflicts
- Moved custom initializer to spring.factories
- Bump spring boot version
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
- Use external library chamelon (lizzy)
- Adds the ability to specify playlist export format
- Fixes some deficiences with playlist handling
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
Spring boot supports both Jetty and Tomcat, however only one is supposed
to be used at a time. This is problematic for us, because we would like
to have both on the classpath so we can configure them (i.e.
org.libresonic.player.boot.TomcatApplication). To remedy this, we mark
both as provided, but have two profiles which then tell spring to
exclude one or the other from the lib-provided war. These exclude rules
are a bit fragile, but can be reproduced by analyzing mvn
dependency:tree output.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
- Use sl4fj as a backend to org.libresonic.Logger
- Output the same logs to libresonic.log as the console
- Use spring-boot logging constructs
- Turn down logging to error for non-libresonic classes info for
libresonic classes and liquibase (perhaps change this in the future,
but might be helpful for folks migrating their databases).
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>