classpath 'io.spring.gradle:dependency-management-plugin:1.0.4.RELEASE'
classpath 'net.rdrei.android.buildtimetracker:gradle-plugin:0.11.0'
classpath 'org.jfrog.buildinfo:build-info-extractor-gradle:4.7.5'
- classpath "org.owasp:dependency-check-gradle:4.0.2"
+ classpath 'org.owasp:dependency-check-gradle:6.0.2'
classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7.1'
}
}
throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
}
+apply plugin: 'org.owasp.dependencycheck'
+dependencyCheck {
+ analyzers {
+ assemblyEnabled = false
+ autoconfEnabled = false
+ bundleAuditEnabled = false
+ cmakeEnabled = false
+ cocoapodsEnabled = false
+ composerEnabled = false
+ cocoapodsEnabled = false
+ golangDepEnabled = false
+ golangModEnabled = false
+ nodeAudit {
+ skipDevDependencies = true
+ }
+ nuspecEnabled = false
+ nugetconfEnabled = false
+ rubygemsEnabled = false
+ swiftEnabled = false
+
+ }
+ format = 'ALL'
+ junitFailOnCVSS = 0
+ failBuildOnCVSS = 0
+ suppressionFiles = ["${project.rootDir}/owasp-suppressions.xml", "${project.rootDir}/owasp-vulnerabilities.xml"]
+ skipProjects = project.subprojects
+ .findAll {it.name.contains('testing') ||
+ it.name.startsWith('it-') ||
+ it.name.contains('-test') ||
+ it.name == 'sonar-ws-generator'}
+ .collect { it.path }
+}
+
allprojects {
apply plugin: 'com.jfrog.artifactory'
apply plugin: 'maven-publish'
apply plugin: 'java'
apply plugin: 'jacoco'
apply plugin: 'idea'
- apply plugin: 'org.owasp.dependencycheck'
// do not deploy to Artifactory by default
artifactoryPublish.skip = true
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+ <!--
+ This file lists the false-positives (the vulnerabilities that can not be exploited)
+ -->
+
+ <suppress>
+ <!--
+ Elasticsearch API key service is not enabled.
+ See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
+ Fixed in Elasticsearch 6.8.4
+ -->
+ <cve>CVE-2019-7619</cve>
+ <cve>CVE-2020-7009</cve>
+ <cve>CVE-2020-7014</cve>
+
+ <!--
+ Elasticsearch field level security feature is not used.
+ See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
+ and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
+ Fixed in Elasticsearch 6.8.12
+ -->
+ <cve>CVE-2020-7019</cve>
+
+ <!--
+ The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
+ a false-positive because requests are sent anonymously. Authentication is disabled.
+ Fixed in Elasticsearch 6.8.2
+ -->
+ <cve>CVE-2019-7614</cve>
+
+ <!--
+ Jenkins plugin - fixed in v2.8.1
+ See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and
+ https://jira.sonarsource.com/browse/SONARJNKNS-301
+ -->
+ <cve>CVE-2018-1000425</cve>
+
+ <!--
+ Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
+ Obfuscating the code makes the documentation of the CVE impossible to apply.
+ See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd
+ -->
+ <cve>CVE-2018-20200</cve>
+
+ <!--
+ Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
+ See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398
+ -->
+ <cve>CVE-2020-5398</cve>
+
+ <!--
+ Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
+ See https://nvd.nist.gov/vuln/detail/CVE-2020-9488
+ -->
+ <cve>CVE-2020-9488</cve>
+
+ <!--
+ SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
+ Fixed in SnakeYML 1.26.
+ Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.
+ https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
+ https://en.wikipedia.org/wiki/Billion_laughs_attack
+ -->
+ <cve>CVE-2017-18640</cve>
+
+ <!--
+ These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
+ is not safe by design.
+ Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
+ See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java
+ -->
+ <cve>CVE-2007-1651</cve>
+ <cve>CVE-2007-1652</cve>
+
+ <!--
+ This is a Suse packaging issue, not a Tomcat one
+ See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E
+ -->
+ <cve>CVE-2020-8022</cve>
+
+ <!--
+ Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74
+ -->
+ <cve>CVE-2019-17579</cve>
+
+ <!--
+ Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305
+ -->
+ <cve>CVE-2018-19413</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ false-positive - the OWASP tool considers SQ as being
+ gitlab 8.0, which comes with many vulnerabilities!
+ -->
+ <filePath regex="true">.*build\.gradle</filePath>
+ <cpe>cpe:/a:gitlab:gitlab</cpe>
+ </suppress>
+
+ <suppress>
+ <!--
+ false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
+ gitlab 8.0, which comes with many vulnerabilities!
+ -->
+ <filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>
+ <cpe>cpe:/a:gitlab:gitlab:8</cpe>
+ </suppress>
+
+
+ <suppress>
+ <!--
+ The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
+ can't be exploited.
+ Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
+ -->
+ <filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>
+ <cve>CVE-2019-12402</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
+ ruby 1.7, which comes with many vulnerabilities!
+ -->
+ <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>
+ <cpe>cpe:/a:ruby-lang:ruby:1</cpe>
+ </suppress>
+
+ <suppress>
+ <!--
+ false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
+ scala 1.x, which come with many vulnerabilities
+ -->
+ <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>
+ <cpe>cpe:/a:scala-lang:scala:1</cpe>
+ </suppress>
+
+ <suppress>
+ <!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
+ <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
+ <cpe>cpe:/a:jruby:jruby</cpe>
+ </suppress>
+
+ <suppress>
+ <!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->
+ <packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>
+ <cpe>cpe:/a:git-scm:git</cpe>
+ </suppress>
+
+ <suppress>
+ <!--
+ The Java JSON libraries are unexpectedly considered as JS libraries suffering from
+ the json node module vulnerabilities.
+ -->
+ <packageUrl regex="true">^pkg:maven/.*$</packageUrl>
+ <cpe>cpe:/a:json_project:json</cpe>
+ </suppress>
+
+ <suppress>
+ <!--
+ This Guava vulnerability is not exploitable in the ABAP analyzer.
+ However it's planned to kill the noise:
+ https://jira.sonarsource.com/browse/SONARABAP-421
+ -->
+ <filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>
+ <cve>CVE-2018-10237</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ This Guava vulnerability is not exploitable in the PLSQL analyzer.
+ However it's planned to kill the noise:
+ https://jira.sonarsource.com/browse/SONARPLSQL-738
+ -->
+ <filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>
+ <cve>CVE-2018-10237</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ False-positive - the subproject agentproxy
+ is considered as being the JCraft project.
+ -->
+ <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
+ <cve>CVE-2016-5725</cve>
+ </suppress>
+</suppressions>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+ <suppress>
+ <!--
+ Vulnerabilities in the SWIFT analyzer.
+ See https://jira.sonarsource.com/browse/SONARSWIFT-451
+ -->
+ <filePath regex="true">.*sonar-swift-plugin-4\.2.*\.jar.*</filePath>
+ <vulnerabilityName>Remote code execution</vulnerabilityName>
+ <cve>CVE-2015-6420</cve>
+ <cve>CVE-2017-15708</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ The version of Netty packaged with Elasticsearch 6.8.x suffers from a few vulnerabilities.
+ The latter are considered as low risk by the Elastic team. Upgrading Netty in Elasticsearch 6.8.x
+ is not planned. See https://github.com/elastic/elasticsearch/issues/49396
+ -->
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty-.*@4\.1\.32.*$</packageUrl>
+ <cve>CVE-2019-16869</cve>
+ <cve>CVE-2019-20444</cve>
+ <cve>CVE-2019-20445</cve>
+ <cve>CVE-2020-11612</cve>
+ </suppress>
+
+ <suppress>
+ <!--
+ AssertJ should not be bundled with the Kotlin analyzer. Should be fixed in 1.6.
+ -->
+ <filePath regex="true">.*sonar-kotlin-plugin-1\.5.*\.jar.*</filePath>
+ <vulnerabilityName>CWE-476: NULL Pointer Dereference</vulnerabilityName>
+ </suppress>
+</suppressions>
projects / sonarqube.git / commitdiff