From e59875122c7b9090f41dc5a0fb7deb87573e4b79 Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Tue, 22 Sep 2020 21:23:10 +0200
Subject: [PATCH] SONAR-13905 enable OWASP Dependency Check tool
---
build.gradle | 34 +++++++
owasp-suppressions.xml | 190 ++++++++++++++++++++++++++++++++++++++
owasp-vulnerabilities.xml | 35 +++++++
3 files changed, 259 insertions(+)
create mode 100644 owasp-suppressions.xml
create mode 100644 owasp-vulnerabilities.xml
diff --git a/build.gradle b/build.gradle
index b6a5a2830f1..1a25f8b9a29 100644
--- a/build.gradle
+++ b/build.gradle
@@ -8,6 +8,7 @@ plugins {
 id 'com.github.node-gradle.node' version '1.5.3' apply false
 id 'io.spring.dependency-management' version '1.0.10.RELEASE'
 id 'net.rdrei.android.buildtimetracker' version '0.11.0'
+ id 'org.owasp.dependencycheck' version '6.0.1'
 id 'org.sonarqube' version '2.8'
 }
@@ -30,6 +31,39 @@ if (!JavaVersion.current().java11Compatible) {
 throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
+apply plugin: 'org.owasp.dependencycheck'
+dependencyCheck {
+ analyzers {
+ assemblyEnabled = false
+ autoconfEnabled = false
+ bundleAuditEnabled = false
+ cmakeEnabled = false
+ cocoapodsEnabled = false
+ composerEnabled = false
+ cocoapodsEnabled = false
+ golangDepEnabled = false
+ golangModEnabled = false
+ nodeAudit {
+ skipDevDependencies = true
+ }
+ nuspecEnabled = false
+ nugetconfEnabled = false
+ rubygemsEnabled = false
+ swiftEnabled = false
+
+ }
+ format = 'ALL'
+ junitFailOnCVSS = 0
+ failBuildOnCVSS = 0
+ suppressionFiles = ["${project.rootDir}/owasp-suppressions.xml", "${project.rootDir}/owasp-vulnerabilities.xml"]
+ skipProjects = project.subprojects
+ .findAll {it.name.contains('testing') ||
+ it.name.startsWith('it-') ||
+ it.name.contains('-test') ||
+ it.name == 'sonar-ws-generator'}
+ .collect { it.path }
+}
+
 allprojects {
 apply plugin: 'com.jfrog.artifactory'
 apply plugin: 'maven-publish'
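Review bot: `cocoapodsEnabled = false` is set twice inside the new `analyzers { … }` block of the `dependencyCheck` configuration (once before and once after `composerEnabled = false`); the second assignment is redundant and should be dropped. With both `failBuildOnCVSS = 0` and `junitFailOnCVSS = 0`, every reported finding fails the build, so the two suppression files become the only relief valve; a short comment above `failBuildOnCVSS`, e.g. `// any finding fails the build; exemptions must go through owasp-suppressions.xml / owasp-vulnerabilities.xml`, would make that intent explicit for whoever next touches the threshold. The `skipProjects` filter is purely name-based (`contains('testing')`, `contains('-test')`, `startsWith('it-')`), so a production module whose name happens to match would silently escape the scan; if no such module exists today a comment saying so is enough, otherwise an explicit list is safer.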
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml new file mode 100644 index 00000000000..f4e3114039a --- /dev/null +++ b/owasp-suppressions.xml @@ -0,0 +1,190 @@ + + + + + + + + CVE-2019-7619 + CVE-2020-7009 + CVE-2020-7014 + + + CVE-2020-7019 + + + CVE-2019-7614 + + + CVE-2018-1000425 + + + CVE-2018-20200 + + + CVE-2020-5398 + + + CVE-2020-9488 + + + CVE-2017-18640 + + + CVE-2007-1651 + CVE-2007-1652 + + + CVE-2020-8022 + + + CVE-2019-17579 + + + CVE-2018-19413 + + + + + .*build\.gradle + cpe:/a:gitlab:gitlab + + + + + .*sonar-auth-gitlab-8.*\.jar.* + cpe:/a:gitlab:gitlab:8 + + + + + + .*sonar-css-plugin-1\.2.*\.jar.* + CVE-2019-12402 + + + + + pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..* + cpe:/a:ruby-lang:ruby:1 + + + + + pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..* + cpe:/a:scala-lang:scala:1 + + + + + ^pkg:maven/org\.jruby/dirgra@.*$ + cpe:/a:jruby:jruby + + + + + pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034 + cpe:/a:git-scm:git + + + + + ^pkg:maven/.*$ + cpe:/a:json_project:json + + + + + .*com\.sonarsource\.abap/sonar-abap-plugin.* + CVE-2018-10237 + + + + + .*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.* + CVE-2018-10237 + + + + + pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7 + CVE-2016-5725 + + diff --git a/owasp-vulnerabilities.xml b/owasp-vulnerabilities.xml new file mode 100644 index 00000000000..1ca6b4655e5 --- /dev/null +++ b/owasp-vulnerabilities.xml @@ -0,0 +1,35 @@ + + + + + + .*sonar-swift-plugin-4\.2.*\.jar.* + Remote code execution + CVE-2015-6420 + CVE-2017-15708 + + + + + ^pkg:maven/io\.netty/netty-.*@4\.1\.32.*$ + CVE-2019-16869 + CVE-2019-20444 + CVE-2019-20445 + CVE-2020-11612 + + + + + .*sonar-kotlin-plugin-1\.5.*\.jar.* + CWE-476: NULL Pointer Dereference + + -- 2.39.5
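Review bot: The suppression pairing `^pkg:maven/.*$` with `cpe:/a:json_project:json` in the new owasp-suppressions.xml disables that CPE match for every Maven artifact in the build, so a genuine future match on that CPE would be hidden along with the current false positive; narrowing the packageUrl regex to the artifact(s) that actually trigger the mis-identification keeps the suppression auditable. As rendered here, none of the entries in owasp-suppressions.xml show a justification or an expiry, while the entries in the owasp-vulnerabilities.xml hunk do carry a note; if the file itself has no `<notes>` and no `until="YYYY-MM-DD"` (placeholder) on each `<suppress>`, adding both is worth doing, since with `failBuildOnCVSS = 0` these files are the only thing standing between a finding and a broken build and unexpiring suppressions tend to outlive the reason they were added. The wide-open plain-CVE suppressions at the top of the file (no `filePath`/`packageUrl`/`cpe` scope visible) likewise apply to every dependency; scoping them to the affected artifact would keep a later dependency that introduces the same CVE from being silently accepted.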