From e59875122c7b9090f41dc5a0fb7deb87573e4b79 Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon@brandhof.net>
Date: Tue, 22 Sep 2020 21:23:10 +0200
Subject: [PATCH] SONAR-13905 enable OWASP Dependency Check tool

---
 build.gradle              |  34 +++++++
 owasp-suppressions.xml    | 190 ++++++++++++++++++++++++++++++++++++++
 owasp-vulnerabilities.xml |  35 +++++++
 3 files changed, 259 insertions(+)
 create mode 100644 owasp-suppressions.xml
 create mode 100644 owasp-vulnerabilities.xml

diff --git a/build.gradle b/build.gradle
index b6a5a2830f1..1a25f8b9a29 100644
--- a/build.gradle
+++ b/build.gradle
@@ -8,6 +8,7 @@ plugins {
   id 'com.github.node-gradle.node' version '1.5.3' apply false
   id 'io.spring.dependency-management' version '1.0.10.RELEASE'
   id 'net.rdrei.android.buildtimetracker' version '0.11.0'
+  id 'org.owasp.dependencycheck' version '6.0.1'
   id 'org.sonarqube' version '2.8'
 }
 
@@ -30,6 +31,39 @@ if (!JavaVersion.current().java11Compatible) {
   throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
 
+apply plugin: 'org.owasp.dependencycheck'
+dependencyCheck {
+  analyzers {
+    assemblyEnabled = false
+    autoconfEnabled = false
+    bundleAuditEnabled = false
+    cmakeEnabled = false
+    cocoapodsEnabled = false
+    composerEnabled = false
+    cocoapodsEnabled = false
+    golangDepEnabled = false
+    golangModEnabled = false
+    nodeAudit {
+      skipDevDependencies = true
+    }
+    nuspecEnabled = false
+    nugetconfEnabled = false
+    rubygemsEnabled = false
+    swiftEnabled = false
+
+  }
+  format = 'ALL'
+  junitFailOnCVSS = 0
+  failBuildOnCVSS = 0
+  suppressionFiles = ["${project.rootDir}/owasp-suppressions.xml", "${project.rootDir}/owasp-vulnerabilities.xml"]
+  skipProjects = project.subprojects
+      .findAll {it.name.contains('testing') ||
+          it.name.startsWith('it-') ||
+          it.name.contains('-test') ||
+          it.name == 'sonar-ws-generator'}
+      .collect { it.path }
+}
+
 allprojects {
   apply plugin: 'com.jfrog.artifactory'
   apply plugin: 'maven-publish'
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
new file mode 100644
index 00000000000..f4e3114039a
--- /dev/null
+++ b/owasp-suppressions.xml
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+  <!--
+  This file lists the false-positives (the vulnerabilities that can not be exploited)
+  -->
+
+  <suppress>
+    <!--
+      Elasticsearch API key service is not enabled.
+      See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
+      Fixed in Elasticsearch 6.8.4
+    -->
+    <cve>CVE-2019-7619</cve>
+    <cve>CVE-2020-7009</cve>
+    <cve>CVE-2020-7014</cve>
+
+    <!--
+      Elasticsearch field level security feature is not used.
+      See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
+      and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
+      Fixed in Elasticsearch 6.8.12
+    -->
+    <cve>CVE-2020-7019</cve>
+
+    <!--
+      The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
+      a false-positive because requests are sent anonymously. Authentication is disabled.
+      Fixed in Elasticsearch 6.8.2
+    -->
+    <cve>CVE-2019-7614</cve>
+
+    <!--
+    Jenkins plugin - fixed in v2.8.1
+    See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and
+    https://jira.sonarsource.com/browse/SONARJNKNS-301
+     -->
+    <cve>CVE-2018-1000425</cve>
+
+    <!--
+    Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
+    Obfuscating the code makes the documentation of the CVE impossible to apply.
+    See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd
+    -->
+    <cve>CVE-2018-20200</cve>
+
+    <!--
+    Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
+    See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398
+    -->
+    <cve>CVE-2020-5398</cve>
+
+    <!--
+    Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
+    See https://nvd.nist.gov/vuln/detail/CVE-2020-9488
+    -->
+    <cve>CVE-2020-9488</cve>
+
+    <!--
+    SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
+    Fixed in SnakeYML 1.26.
+    Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.
+    https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
+    https://en.wikipedia.org/wiki/Billion_laughs_attack
+    -->
+    <cve>CVE-2017-18640</cve>
+
+    <!--
+    These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
+    is not safe by design.
+    Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
+    See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java
+    -->
+    <cve>CVE-2007-1651</cve>
+    <cve>CVE-2007-1652</cve>
+
+    <!--
+    This is a Suse packaging issue, not a Tomcat one
+    See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E
+    -->
+    <cve>CVE-2020-8022</cve>
+
+    <!--
+    Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74
+    -->
+    <cve>CVE-2019-17579</cve>
+
+    <!--
+    Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305
+    -->
+    <cve>CVE-2018-19413</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    false-positive - the OWASP tool considers SQ as being
+    gitlab 8.0, which comes with many vulnerabilities!
+    -->
+    <filePath regex="true">.*build\.gradle</filePath>
+    <cpe>cpe:/a:gitlab:gitlab</cpe>
+  </suppress>
+
+  <suppress>
+    <!--
+    false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
+    gitlab 8.0, which comes with many vulnerabilities!
+    -->
+    <filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>
+    <cpe>cpe:/a:gitlab:gitlab:8</cpe>
+  </suppress>
+
+
+  <suppress>
+    <!--
+    The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
+    can't be exploited.
+    Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
+    -->
+    <filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>
+    <cve>CVE-2019-12402</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
+    ruby 1.7, which comes with many vulnerabilities!
+    -->
+    <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>
+    <cpe>cpe:/a:ruby-lang:ruby:1</cpe>
+  </suppress>
+
+  <suppress>
+    <!--
+    false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
+    scala 1.x, which come with many vulnerabilities
+    -->
+    <packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>
+    <cpe>cpe:/a:scala-lang:scala:1</cpe>
+  </suppress>
+
+  <suppress>
+    <!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
+    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
+    <cpe>cpe:/a:jruby:jruby</cpe>
+  </suppress>
+
+  <suppress>
+    <!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->
+    <packageUrl>pkg:maven/org.sonarsource.scm.git/sonar-scm-git-plugin@1.12.0.2034</packageUrl>
+    <cpe>cpe:/a:git-scm:git</cpe>
+  </suppress>
+
+  <suppress>
+    <!--
+    The Java JSON libraries are unexpectedly considered as JS libraries suffering from
+    the json node module vulnerabilities.
+    -->
+    <packageUrl regex="true">^pkg:maven/.*$</packageUrl>
+    <cpe>cpe:/a:json_project:json</cpe>
+  </suppress>
+
+  <suppress>
+    <!--
+    This Guava vulnerability is not exploitable in the ABAP analyzer.
+    However it's planned to kill the noise:
+    https://jira.sonarsource.com/browse/SONARABAP-421
+    -->
+    <filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>
+    <cve>CVE-2018-10237</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    This Guava vulnerability is not exploitable in the PLSQL analyzer.
+    However it's planned to kill the noise:
+    https://jira.sonarsource.com/browse/SONARPLSQL-738
+    -->
+    <filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>
+    <cve>CVE-2018-10237</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    False-positive - the subproject agentproxy
+    is considered as being the JCraft project.
+    -->
+    <packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
+    <cve>CVE-2016-5725</cve>
+  </suppress>
+</suppressions>
diff --git a/owasp-vulnerabilities.xml b/owasp-vulnerabilities.xml
new file mode 100644
index 00000000000..1ca6b4655e5
--- /dev/null
+++ b/owasp-vulnerabilities.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+  <suppress>
+    <!--
+    Vulnerabilities in the SWIFT analyzer.
+    See https://jira.sonarsource.com/browse/SONARSWIFT-451
+    -->
+    <filePath regex="true">.*sonar-swift-plugin-4\.2.*\.jar.*</filePath>
+    <vulnerabilityName>Remote code execution</vulnerabilityName>
+    <cve>CVE-2015-6420</cve>
+    <cve>CVE-2017-15708</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    The version of Netty packaged with Elasticsearch 6.8.x suffers from a few vulnerabilities.
+    The latter are considered as low risk by the Elastic team. Upgrading Netty in Elasticsearch 6.8.x
+    is not planned. See https://github.com/elastic/elasticsearch/issues/49396
+    -->
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.*@4\.1\.32.*$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2020-11612</cve>
+  </suppress>
+
+  <suppress>
+    <!--
+    AssertJ should not be bundled with the Kotlin analyzer. Should be fixed in 1.6.
+    -->
+    <filePath regex="true">.*sonar-kotlin-plugin-1\.5.*\.jar.*</filePath>
+    <vulnerabilityName>CWE-476: NULL Pointer Dereference</vulnerabilityName>
+  </suppress>
+</suppressions>
-- 
2.39.5