SONAR-10018 Upgrade JJWT to 0.9.0
authorEric Hartmann <hartmann.eric@gmail.com>
Mon, 23 Oct 2017 14:51:57 +0000 (16:51 +0200)
committerEric Hartmann <hartmann.eric@gmail.Com>
Mon, 23 Oct 2017 16:12:53 +0000 (18:12 +0200)
pom.xml
sonar-application/dependency-check-suppressions.xml [new file with mode: 0644]
sonar-plugin-api-deps/pom.xml

diff --git a/pom.xml b/pom.xml
index a7b14c9f60d3462442b7fb5890cd8843d653d2c6..6974435331a6e724afa6618027478b69465de520 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -86,7 +86,7 @@
     <orchestrator.version>3.15.0.1256</orchestrator.version>
     <okhttp.version>3.7.0</okhttp.version>
     <jackson.version>2.6.6</jackson.version>
-
+    <jjwt.version>0.9.0</jjwt.version>
     <protobuf.version>3.0.0-beta-2</protobuf.version>
 
     <hazelcast.version>3.8.6</hazelcast.version>
         <plugin>
           <groupId>org.owasp</groupId>
           <artifactId>dependency-check-maven</artifactId>
-          <version>1.2.11</version>
+          <version>3.0.1</version>
           <configuration>
             <failBuildOnCVSS>8</failBuildOnCVSS>
-            <suppressionFile>cve-false-positives.xml</suppressionFile>
+            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
+            <enableExperimental>true</enableExperimental>
           </configuration>
         </plugin>
         <plugin>
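Review bot: `<enableExperimental>true</enableExperimental>`, added just before the closing `</configuration>`, switches on dependency-check's experimental analyzers, and nothing in the hunk records why or that the new suppression file is where the extra noise is expected to land; a later maintainer chasing false positives is likely to simply turn it back off. A one-line comment next to it would fix that: `<!-- experimental analyzers also inspect non-Java artifacts bundled in plugins (e.g. .NET assemblies); their false positives go in dependency-check-suppressions.xml -->`. Separately, `<suppressionFile>` is a relative path in the root pom while the file this commit adds lives under sonar-application/, so if the `check` goal is executed in any other module the path will presumably not resolve there; worth confirming which modules run it. The enclosing `<pluginManagement>`/`<build>` scope of this `<plugin>` element is outside the hunk.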
       <dependency>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt</artifactId>
-        <version>0.6.0</version>
+        <version>${jjwt.version}</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
diff --git a/sonar-application/dependency-check-suppressions.xml b/sonar-application/dependency-check-suppressions.xml
new file mode 100644 (file)
index 0000000..28e626e
--- /dev/null
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+  <!--
+  TODO : Remove this snippet when sonar-plugin-api-deps is removed
+  -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/org.apache.commons/commons-email/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.apache\.commons:commons-email:.*$</gav>
+    <cpe>cpe:/a:apache:commons_email</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/ch.qos.logback/logback-core/pom.xml
+   ]]></notes>
+    <gav regex="true">^ch\.qos\.logback:logback-core:.*$</gav>
+    <cpe>cpe:/a:logback:logback</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/ch.qos.logback/logback-classic/pom.xml
+   ]]></notes>
+    <gav regex="true">^ch\.qos\.logback:logback-classic:.*$</gav>
+    <cpe>cpe:/a:logback:logback</cpe>
+  </suppress>
+  <!--
+  End of TODO
+  -->
+
+  <!-- False positive -->
+
+  <!-- Protobuf (issue on C++ side) -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scanner-engine-shaded-6.7-SNAPSHOT.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml
+   file name: sonar-csharp-plugin-6.4.1.3596.jar: protobuf-java-3.1.0.jar
+   ]]></notes>
+    <gav regex="true">^com\.google\.protobuf:protobuf-java:.*$</gav>
+    <cpe>cpe:/a:google:protobuf</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-csharp-plugin-6.4.1.3596.jar: SonarAnalyzer-6.4.1.3596.zip: Google.Protobuf.dll
+   ]]></notes>
+    <filePath regex="true">^.*Google.Protobuf.dll$</filePath>
+    <cve>CVE-2015-5237</cve>
+  </suppress>
+
+  <!-- Tomcat -->
+  <suppress>
+    <notes><![CDATA[
+   file name: tomcat-annotations-api-8.5.23.jar
+   ]]></notes>
+    <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
+    <cpe>cpe:/a:apache:tomcat</cpe>
+    <cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
+    <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+  </suppress>
+
+
+  <!-- MsSQL -->
+  <suppress>
+    <notes><![CDATA[
+   file name: mssql-jdbc-6.2.2.jre8.jar
+   ]]></notes>
+    <gav regex="true">^com\.microsoft\.sqlserver:mssql-jdbc:.*$</gav>
+    <cpe>cpe:/a:microsoft:sql_server:6.2.2.jre8</cpe>
+    <cpe>cpe:/a:microsoft:project_server:6.2.2.jre8</cpe>
+    <cpe>cpe:/a:microsoft:server:6.2.2.jre8</cpe>
+  </suppress>
+
+  <!-- MySQL Driver -->
+  <suppress>
+    <notes><![CDATA[
+   file name: mysql-connector-java-5.1.44.jar
+   ]]></notes>
+    <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
+    <cpe>cpe:/a:oracle:mysql_connectors</cpe>
+    <cpe>cpe:/a:mysql:mysql:5.1.44</cpe>
+    <cpe>cpe:/a:oracle:connector/j:5.1.44</cpe>
+    <cpe>cpe:/a:oracle:mysql:5.1.44</cpe>
+    <cpe>cpe:/a:sun:mysql_connector/j:5.1.44</cpe>
+  </suppress>
+
+  <!-- Flex plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-flex-plugin-2.3.jar/META-INF/maven/org.sonarsource.flex/flex-checks/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.flex:flex-checks:.*$</gav>
+    <cpe>cpe:/a:flex_project:flex</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-flex-plugin-2.3.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.flex:sonar-flex-plugin:.*$</gav>
+    <cpe>cpe:/a:flex_project:flex</cpe>
+  </suppress>
+
+  <!-- PHP plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-php-plugin-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:sonar-php-plugin:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: php-checks-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:php-checks:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: php-frontend-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:php-frontend:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+
+  <!-- Python plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-python-plugin-1.8.0.1496.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.python:sonar-python-plugin:.*$</gav>
+    <cpe>cpe:/a:python:python</cpe>
+    <cpe>cpe:/a:python_software_foundation:python</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-python-plugin-1.8.0.1496.jar/META-INF/maven/org.sonarsource.python/python-checks/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.python:python-checks:.*$</gav>
+    <cpe>cpe:/a:python:python</cpe>
+    <cpe>cpe:/a:python_software_foundation:python</cpe>
+  </suppress>
+
+  <!-- Git plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-git-plugin-1.3.0.869.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.scm\.git:sonar-scm-git-plugin:.*$</gav>
+    <cpe>cpe:/a:git:git</cpe>
+    <cpe>cpe:/a:git_project:git</cpe>
+    <cpe>cpe:/a:git-scm:git</cpe>
+  </suppress>
+
+  <!-- SVN plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-svn-plugin-1.6.0.860.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.scm\.svn:sonar-scm-svn-plugin:.*$</gav>
+    <cpe>cpe:/a:subversion:subversion</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-svn-plugin-1.6.0.860.jar: sqljet-1.1.10.jar
+   ]]></notes>
+    <gav regex="true">^org\.tmatesoft\.sqljet:sqljet:.*$</gav>
+    <cpe>cpe:/a:sqlite:sqlite</cpe>
+  </suppress>
+
+  <!-- Squid plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-xml-plugin-1.4.3.1027.jar: xml-squid-1.4.3.1027.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.xml:xml-squid:.*$</gav>
+    <cpe>cpe:/a:squid:squid</cpe>
+  </suppress>
+</suppressions>
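Review bot: The protobuf-java entry under `<!-- Protobuf (issue on C++ side) -->` suppresses the whole `cpe:/a:google:protobuf` match for every protobuf-java version, although its own note says the problem is a single C++-side advisory, so any future protobuf-java advisory would be hidden as well. The neighbouring Google.Protobuf.dll entry already shows the narrower form; replacing `<cpe>cpe:/a:google:protobuf</cpe>` with `<cve>CVE-2015-5237</cve>` keeps the known false positive quiet while letting new findings surface. The `.*$` version wildcard combined with a whole-CPE suppression is acceptable for the Tomcat and plugin entries, which are CPE misidentifications, but the commons-email and logback entries in the TODO block silence real matches and should carry a note naming the ticket or release (the comment says 7.0 elsewhere in this commit) at which they must go, so they are not forgotten when sonar-plugin-api-deps is dropped.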
index 8bf169b14b80d57388bb0f9975816f7edd7bc1ae..ae4048405a4bdc5bead6b1748c146a4099d4b62c 100644 (file)
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <!--
+    This module contains deprecated dependencies (containing vulnerability issues) for plugins built for SonarQube < 5.2
+    It will be removed for 7.0
+    -->
+    <profile>
+      <!--
+      check if maven dependencies have vulnerabilities listed in CVE
+      Standalone command: mvn org.owasp:dependency-check-maven:check
+      See http://jeremylong.github.io/DependencyCheck
+      -->
+      <id>securityCheck</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+                <configuration>
+                  <skip>true</skip>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+
 </project>
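Review bot: The `<execution>` carrying `<skip>true</skip>` has no `<id>`, so Maven assigns it the id `default`; if the parent's securityCheck profile binds the `check` goal under any other execution id, this block adds a second, skipped execution rather than overriding the parent's, and the check still runs in this module (the parent profile is not visible here, so this is inferred). Setting the flag at plugin level removes that dependency on execution ids: keep `<artifactId>dependency-check-maven</artifactId>`, add `<configuration><skip>true</skip></configuration>` directly under `<plugin>`, and drop the `<executions>` block. The profile comment should also state that the deprecated dependencies of this module are instead covered by the TODO entries in sonar-application/dependency-check-suppressions.xml, so that both the skip and those suppressions are removed together for 7.0.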