jvoisin
5c1451b904
Bump Spring
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago
frankdelange
1e7cbcc190
Upgrade jackson-* to 2.10.0.pr3 to fix CVE-2019-16335, CVE-2019-14540
5 years ago
Shen-Ta Hsieh
394dfa1ce7
upgrade jackson-databind and commons-beanutils for CVEs
Signed-off-by: Shen-Ta Hsieh <ibmibmibm.tw@gmail.com>
5 years ago
jvoisin
b650ac70d6
Temporarily skip a test
Based on tesshucom's #1192
5 years ago
jvoisin
9a5f3f9483
Replace a now-defunct maven repo with a working one
5 years ago
Andrew DeMaria
e7bd5da6fa
Precompile jsp
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago
Andrew DeMaria
859d08fc02
Bump version
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago
Andrew DeMaria
8db4ec12e1
Add sha256sums and gpg sign outside of maven process
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago
jvoisin
a997fd4873
Bump jaxb-impl and jaxb-core
5 years ago
jvoisin
61e3bc059d
Bump javax annotation
5 years ago
jvoisin
36985e151b
Bump dependency checker
5 years ago
Andrew DeMaria
4d615a35f4
Add comment for why ossindex is disabled
6 years ago
Andrew DeMaria
c2acc36f85
Disable ossindex analyzer as its data is questionable
6 years ago
Andrew DeMaria
7c7ac3e591
Update dependency check
6 years ago
jvoisin
b8d64c1dbd
Bump the version of maven-checkstyle-plugin
6 years ago
Andrew DeMaria
310156f891
CVE-2019-12086 - bump jackson version
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
8be0746bd4
Bump to 10.4.0 SNAPSHOT
6 years ago
Andrew DeMaria
df352d8cb0
Fix #611 Add support for Java 9 and greater
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
ab07462530
Update tomcat to 8.5.40
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
tesshucom
f54e72026f
version upgrade of spring-boot-dependencies, spring-boot-maven-plugin
- Safety version for CVE-2019-3795
- Match the new jetty ecj version because the version of ecj used by
tomcat and jetty is different.
6 years ago
jvoisin
ec4b969e2c
Replace latin encoding with utf-8
6 years ago
jvoisin
cb0866d5fd
Download dependencies via https on download.java.net
6 years ago
jvoisin
615e317b01
Bump liquibase version
Signed-off-by: jvoisin <julien.voisin@dustri.org>
6 years ago
jvoisin
a9d5f73287
Bump guava version
Signed-off-by: jvoisin <julien.voisin@dustri.org>
6 years ago
Andrew DeMaria
972c6cd462
Don't sign until verify stage
6 years ago
Andrew DeMaria
faedfd8a62
Bump version to 10.3.0-SNAPSHOT
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
a16b89e0ac
Bump to version 10.2.0-RELEASE
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Ben Kelsey
8ea47b71ff
Update jackson version
6 years ago
Andrew DeMaria
355868bf60
Bump spring version
6 years ago
randomnicode
325938a574
Update main pom
6 years ago
randomnicode
f3cc48f8cb
Suppress vulnerabilities file
6 years ago
randomnicode
51f17675d5
Update plugins
6 years ago
Andrew DeMaria
5202845373
Bump version of guava to deal with CVE-2018-10237
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
8c6ddb1aba
Dependency tweaks and remove extraneous code
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Rémi Cocula
6b4874f33c
archetype code for rest api integration tests
6 years ago
Andrew DeMaria
004b8bba37
Added docker based integration testing
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
8e1470a45a
Dependency updates
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
c2c14b0dbe
Update dependency check
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
8d3c0ec9a0
Updates
- Update Spring boot Version
- Update dependency check version
- Exclude irrelevant nodejs cve
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
36d773dbfc
Update cxf
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
2ea980d642
Update spring boot
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
893b652bcd
Update dependency checker with updated maven too
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Romain DEP.
c2416a57a8
deps: update jackson to a vuln-free version,
bump java-jwt in the process
7 years ago
Andrew DeMaria
caae31452e
Bump to 10.2.0 snapshot
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
535d5d06cb
Release 10.1.1
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
5e47bc500e
Fix maven profile mixup with sign/tomcat-embed
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
e39f5d98d0
Fixed dependency check issues
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
78006946ea
Bump 10.2.0-SNAPSHOT
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
e04cda4293
Release 10.1.0
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago
Andrew DeMaria
438461933d
Dep Check Plugin and update vuln dependencies
Detail
------
Add a dependency check plugin to find reported issues with dependencies
we use.
From adding this, there were quite a few false positives which are
documented in airsonic-main/cve-suppressed.xml. The applicable
vulnerabilities are as follows:
```
commons-fileupload-1.2.jar (commons-fileupload:commons-fileupload:1.2,
cpe:/a:apache:commons_fileupload:1.2) : CVE-2016-3092, CVE-2016-1000031,
CVE-2014-0050, CVE-2013-0248
castor-core-1.3.1.jar (cpe:/a:castor:castor:1.3.1,
cpe:/a:castor_project:castor:1.3.1,
org.codehaus.castor:castor-core:1.3.1) : CVE-2014-3004
tomcat-embed-core-8.5.16.jar (cpe:/a:apache_software_foundation:tomcat:8.5.16, cpe:/a:apache:tomcat:8.5.16, cpe:/a:apache_tomcat:apache_tomcat:8.5.16, org.apache.tomcat.embed:tomcat-embed-core:8.5.16) : CVE-2017-12617
```
CVE-2016-1000031 is rated as CRITICAL, but we do not deserialize content
from any multipart uploads, so it doesn't apply.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
7 years ago