From 95d91e6fff76d8561e5d9dd71379dde8bc6258fa Mon Sep 17 00:00:00 2001
From: Eric Hartmann <hartmann.eric@gmail.com>
Date: Mon, 23 Oct 2017 16:51:57 +0200
Subject: [PATCH] SONAR-10018 Upgrade JJWT to 0.9.0

---
 pom.xml                                       |   9 +-
 .../dependency-check-suppressions.xml         | 178 ++++++++++++++++++
 sonar-plugin-api-deps/pom.xml                 |  34 ++++
 3 files changed, 217 insertions(+), 4 deletions(-)
 create mode 100644 sonar-application/dependency-check-suppressions.xml

diff --git a/pom.xml b/pom.xml
index a7b14c9f60d..6974435331a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -86,7 +86,7 @@
     <orchestrator.version>3.15.0.1256</orchestrator.version>
     <okhttp.version>3.7.0</okhttp.version>
     <jackson.version>2.6.6</jackson.version>
-
+    <jjwt.version>0.9.0</jjwt.version>
     <protobuf.version>3.0.0-beta-2</protobuf.version>
 
     <hazelcast.version>3.8.6</hazelcast.version>
@@ -237,10 +237,11 @@
         <plugin>
           <groupId>org.owasp</groupId>
           <artifactId>dependency-check-maven</artifactId>
-          <version>1.2.11</version>
+          <version>3.0.1</version>
           <configuration>
             <failBuildOnCVSS>8</failBuildOnCVSS>
-            <suppressionFile>cve-false-positives.xml</suppressionFile>
+            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
+            <enableExperimental>true</enableExperimental>
           </configuration>
         </plugin>
         <plugin>
@@ -817,7 +818,7 @@
       <dependency>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt</artifactId>
-        <version>0.6.0</version>
+        <version>${jjwt.version}</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
diff --git a/sonar-application/dependency-check-suppressions.xml b/sonar-application/dependency-check-suppressions.xml
new file mode 100644
index 00000000000..28e626eabd7
--- /dev/null
+++ b/sonar-application/dependency-check-suppressions.xml
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+  <!--
+  TODO : Remove this snippet when sonar-plugin-api-deps is removed
+  -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/org.apache.commons/commons-email/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.apache\.commons:commons-email:.*$</gav>
+    <cpe>cpe:/a:apache:commons_email</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/ch.qos.logback/logback-core/pom.xml
+   ]]></notes>
+    <gav regex="true">^ch\.qos\.logback:logback-core:.*$</gav>
+    <cpe>cpe:/a:logback:logback</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-core-6.7-SNAPSHOT.jar: sonar-plugin-api-deps.jar/META-INF/maven/ch.qos.logback/logback-classic/pom.xml
+   ]]></notes>
+    <gav regex="true">^ch\.qos\.logback:logback-classic:.*$</gav>
+    <cpe>cpe:/a:logback:logback</cpe>
+  </suppress>
+  <!--
+  End of TODO
+  -->
+
+  <!-- False positive -->
+
+  <!-- Protobuf (issue on C++ side) -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scanner-engine-shaded-6.7-SNAPSHOT.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml
+   file name: sonar-csharp-plugin-6.4.1.3596.jar: protobuf-java-3.1.0.jar
+   ]]></notes>
+    <gav regex="true">^com\.google\.protobuf:protobuf-java:.*$</gav>
+    <cpe>cpe:/a:google:protobuf</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-csharp-plugin-6.4.1.3596.jar: SonarAnalyzer-6.4.1.3596.zip: Google.Protobuf.dll
+   ]]></notes>
+    <filePath regex="true">^.*Google.Protobuf.dll$</filePath>
+    <cve>CVE-2015-5237</cve>
+  </suppress>
+
+  <!-- Tomcat -->
+  <suppress>
+    <notes><![CDATA[
+   file name: tomcat-annotations-api-8.5.23.jar
+   ]]></notes>
+    <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
+    <cpe>cpe:/a:apache:tomcat</cpe>
+    <cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
+    <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+  </suppress>
+
+
+  <!-- MsSQL -->
+  <suppress>
+    <notes><![CDATA[
+   file name: mssql-jdbc-6.2.2.jre8.jar
+   ]]></notes>
+    <gav regex="true">^com\.microsoft\.sqlserver:mssql-jdbc:.*$</gav>
+    <cpe>cpe:/a:microsoft:sql_server:6.2.2.jre8</cpe>
+    <cpe>cpe:/a:microsoft:project_server:6.2.2.jre8</cpe>
+    <cpe>cpe:/a:microsoft:server:6.2.2.jre8</cpe>
+  </suppress>
+
+  <!-- MySQL Driver -->
+  <suppress>
+    <notes><![CDATA[
+   file name: mysql-connector-java-5.1.44.jar
+   ]]></notes>
+    <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
+    <cpe>cpe:/a:oracle:mysql_connectors</cpe>
+    <cpe>cpe:/a:mysql:mysql:5.1.44</cpe>
+    <cpe>cpe:/a:oracle:connector/j:5.1.44</cpe>
+    <cpe>cpe:/a:oracle:mysql:5.1.44</cpe>
+    <cpe>cpe:/a:sun:mysql_connector/j:5.1.44</cpe>
+  </suppress>
+
+  <!-- Flex plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-flex-plugin-2.3.jar/META-INF/maven/org.sonarsource.flex/flex-checks/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.flex:flex-checks:.*$</gav>
+    <cpe>cpe:/a:flex_project:flex</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-flex-plugin-2.3.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.flex:sonar-flex-plugin:.*$</gav>
+    <cpe>cpe:/a:flex_project:flex</cpe>
+  </suppress>
+
+  <!-- PHP plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-php-plugin-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:sonar-php-plugin:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: php-checks-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:php-checks:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: php-frontend-2.10.0.2087.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.php:php-frontend:.*$</gav>
+    <cpe>cpe:/a:php:php</cpe>
+  </suppress>
+
+  <!-- Python plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-python-plugin-1.8.0.1496.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.python:sonar-python-plugin:.*$</gav>
+    <cpe>cpe:/a:python:python</cpe>
+    <cpe>cpe:/a:python_software_foundation:python</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-python-plugin-1.8.0.1496.jar/META-INF/maven/org.sonarsource.python/python-checks/pom.xml
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.python:python-checks:.*$</gav>
+    <cpe>cpe:/a:python:python</cpe>
+    <cpe>cpe:/a:python_software_foundation:python</cpe>
+  </suppress>
+
+  <!-- Git plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-git-plugin-1.3.0.869.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.scm\.git:sonar-scm-git-plugin:.*$</gav>
+    <cpe>cpe:/a:git:git</cpe>
+    <cpe>cpe:/a:git_project:git</cpe>
+    <cpe>cpe:/a:git-scm:git</cpe>
+  </suppress>
+
+  <!-- SVN plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-svn-plugin-1.6.0.860.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.scm\.svn:sonar-scm-svn-plugin:.*$</gav>
+    <cpe>cpe:/a:subversion:subversion</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-scm-svn-plugin-1.6.0.860.jar: sqljet-1.1.10.jar
+   ]]></notes>
+    <gav regex="true">^org\.tmatesoft\.sqljet:sqljet:.*$</gav>
+    <cpe>cpe:/a:sqlite:sqlite</cpe>
+  </suppress>
+
+  <!-- Squid plugin -->
+  <suppress>
+    <notes><![CDATA[
+   file name: sonar-xml-plugin-1.4.3.1027.jar: xml-squid-1.4.3.1027.jar
+   ]]></notes>
+    <gav regex="true">^org\.sonarsource\.xml:xml-squid:.*$</gav>
+    <cpe>cpe:/a:squid:squid</cpe>
+  </suppress>
+</suppressions>
diff --git a/sonar-plugin-api-deps/pom.xml b/sonar-plugin-api-deps/pom.xml
index 8bf169b14b8..ae4048405a4 100644
--- a/sonar-plugin-api-deps/pom.xml
+++ b/sonar-plugin-api-deps/pom.xml
@@ -194,4 +194,38 @@
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <!--
+    This module contains deprecated dependencies (containing vulnerability issues) for plugins built for SonarQube < 5.2
+    It will be removed for 7.0
+    -->
+    <profile>
+      <!--
+      check if maven dependencies have vulnerabilities listed in CVE
+      Standalone command: mvn org.owasp:dependency-check-maven:check
+      See http://jeremylong.github.io/DependencyCheck
+      -->
+      <id>securityCheck</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+                <configuration>
+                  <skip>true</skip>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+
 </project>
-- 
2.39.5