From f1ff872d4321e81824b7ad8732151757028113ad Mon Sep 17 00:00:00 2001 From: Martin Stockhammer Date: Wed, 1 Jul 2020 22:27:51 +0200 Subject: [PATCH] Updating dependency with owasp check --- archiva-jetty/pom.xml | 5 +- .../archiva-web/archiva-rss/pom.xml | 5 +- .../archiva-web/archiva-web-common/pom.xml | 5 +- .../archiva-web/archiva-webapp/pom.xml | 19 +++++ .../META-INF/owasp/cve-suppressions.xml | 67 +++++++++++++++++ .../metadata-store-cassandra/pom.xml | 41 ++++++++++- .../oak-jcr/metadata-store-jcr/pom.xml | 54 ++++++++++++++ .../repository/jcr/OakRepositoryFactory.java | 5 +- archiva-modules/pom.xml | 2 - pom.xml | 73 ++++++++++++++++++- 10 files changed, 255 insertions(+), 21 deletions(-) create mode 100644 archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml diff --git a/archiva-jetty/pom.xml b/archiva-jetty/pom.xml index 21b779780..86a8d2985 100644 --- a/archiva-jetty/pom.xml +++ b/archiva-jetty/pom.xml @@ -171,9 +171,6 @@ archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties org.apache.jackrabbit.core.state.validatehierarchy=true - - -XX:MaxPermSize=128m - 512 512 @@ -253,6 +250,8 @@ apache-archiva-${project.version} + + diff --git a/archiva-modules/archiva-web/archiva-rss/pom.xml b/archiva-modules/archiva-web/archiva-rss/pom.xml index 048f26926..95a1bb532 100644 --- a/archiva-modules/archiva-web/archiva-rss/pom.xml +++ b/archiva-modules/archiva-web/archiva-rss/pom.xml @@ -131,10 +131,7 @@ maven-surefire-plugin false - - -Xms512m -Xmx1024m -server -XX:MaxPermSize=256m + -Xms512m -Xmx1024m -server ${project.build.directory}/appserver-base ${project.build.directory}/appserver-base diff --git a/archiva-modules/archiva-web/archiva-web-common/pom.xml b/archiva-modules/archiva-web/archiva-web-common/pom.xml index 15535cd8b..25206ac1c 100644 --- a/archiva-modules/archiva-web/archiva-web-common/pom.xml +++ b/archiva-modules/archiva-web/archiva-web-common/pom.xml 
@@ -564,10 +564,7 @@ maven-surefire-plugin false - - -Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m + -Xms1024m -Xmx2048m -server ${project.build.directory}/appserver-base ${project.build.directory}/appserver-base diff --git a/archiva-modules/archiva-web/archiva-webapp/pom.xml b/archiva-modules/archiva-web/archiva-webapp/pom.xml index 3d51bed4e..e2f38ad7d 100644 --- a/archiva-modules/archiva-web/archiva-webapp/pom.xml +++ b/archiva-modules/archiva-web/archiva-webapp/pom.xml @@ -554,6 +554,7 @@ src/test/repositories/test-repo/** src/main/resources/META-INF/services/* src/main/resources/META-INF/cxf/* + src/main/resources/META-INF/owasp/cve-suppressions.xml @@ -828,6 +829,24 @@ + + + org.owasp + dependency-check-maven + 5.3.2 + + true + 8 + ${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml + + + + + check + + + + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml new file mode 100644 index 000000000..420e6a55e --- /dev/null +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml 
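Review bot: A fail threshold of `8` leaves the whole "High" band (CVSS 7.0–7.9) non-fatal in the dependency-check-maven configuration of the `-828,6 +829,24` hunk — the element names are stripped in this rendering, but a bare `8` next to `true` reads as `failBuildOnCVSS`; `<failBuildOnCVSS>7</failBuildOnCVSS>` is the usual floor, with a comment such as `<!-- fail on CVSS >= 7 (High); lower only via a justified suppression entry -->`. The `check` goal is bound without an explicit phase, so it runs at the plugin default (`verify`, to my knowledge) and only in this one module; if the intent is to gate every module, the execution belongs in the root pom's build/pluginManagement section, where this patch's `-1818,6 +1885,10` hunk appears to add something whose content is not visible here. The suppression file also lives under `src/main/resources/META-INF/owasp/`, so it is copied into the WAR; moving it to a non-resource path (for example `src/owasp/cve-suppressions.xml`, still referenced via `${project.basedir}`) keeps it out of the shipped artifact and makes the rat exclusion added in the `-554,6 +554,7` hunk unnecessary.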
@@ -0,0 +1,67 @@ + + + + + ^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$ + cpe:/a:fasterxml:jackson-mapper-asl + cpe:/a:fasterxml:jackson + CVE-2017-15095 + CVE-2017-7525 + CVE-2017-17485 + CVE-2018-5968 + CVE-2018-14718 + CVE-2018-7489 + CVE-2018-1000873 + CVE-2019-14540 + CVE-2019-14893 + CVE-2019-16335 + CVE-2019-17267 + CVE-2020-10672 + CVE-2020-10673 + + + + + ^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$ + cpe:/a:apache:jackrabbit + + + + + ^pkg:maven/io\.netty/netty\-transport@.*$ + cpe:/a:netty:netty + CVE-2020-11612 + CVE-2019-20445 + CVE-2019-20444 + + + + + ^.*oak-segment-tar.*$ + cpe:/a:netty:netty + CVE-2020-11612 + CVE-2019-20445 + CVE-2019-20444 + + + + ^pkg:maven/io\.netty/netty\-.*@.*$ + cpe:/a:netty:netty + CVE-2020-11612 + CVE-2019-20445 + CVE-2019-20444 + + + diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml index 77beb3547..364ce76f5 100644 --- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml +++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml @@ -31,7 +31,7 @@ ${project.parent.parent.basedir} - 3.11.2 + 3.11.6 @@ -143,6 +143,7 @@ org.jboss.logging jboss-logging + @@ -169,24 +170,57 @@ - org.apache.cassandra cassandra-thrift - 3.11.2 + ${cassandraVersion} javax.servlet servlet-api + + org.apache.ant + ant + + + org.apache.thrift + libthrift + 0.13.0 + + + + + + io.netty + netty-all + ${netty.version} + org.jboss.logging jboss-logging + + + org.hibernate + hibernate-validator + 4.3.2.Final + @@ -236,6 +270,7 @@ + diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml index 26a94f3ab..22cd0c659 100644 --- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml 
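Review bot: The last netty entry, `^pkg:maven/io\.netty/netty\-.*@.*$`, suppresses CVE-2019-20444, CVE-2019-20445 and CVE-2020-11612 for every netty artifact with no version bound and no `until` date, although those CVEs live in `netty-codec-http` (HTTP header parsing) and `netty-codec` (unbounded `ZlibDecoder`) rather than in the transport/common/buffer jars the other entries target, so a later downgrade or a transitive `netty-codec-http` older than the fixed releases (4.1.44 / 4.1.46) would scan as clean. Since the same patch raises `netty.version` to 4.1.50.Final, which contains those fixes, these entries should either be removed once the managed version is confirmed effective or narrowed to the artifacts that do not carry the vulnerable code, e.g. `^pkg:maven/io\.netty/netty\-(transport|common|buffer|resolver)@4\.1\.50\.Final$`, with an `<until>` date so the suppression expires. The first entry silences thirteen jackson-databind CVEs for `jackson-mapper-asl` by CPE match alone; the 1.x line is a different codebase so the match is plausibly a false positive, but Jackson 1.9 also offers `enableDefaultTyping` polymorphic deserialization (the mechanism behind CVE-2017-7525) and has its own advisory CVE-2019-10172 (XXE), so each match should carry a `<notes>` line stating why it does not apply here and the end-of-life status of jackson-mapper-asl should be tracked. The Oak entry `^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$` suppresses the `cpe:/a:apache:jackrabbit` CPE outright rather than specific CVEs, which also hides any future Jackrabbit advisory that does apply to Oak; per-CVE suppressions with notes are the safer form.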
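Review bot: `hibernate-validator` `4.3.2.Final` and `libthrift` `0.13.0` are added in the `-169,24 +170,57` hunk as literal pins — 4.3.2.Final dates from 2013 — in a commit whose purpose is to pass the OWASP dependency check; hibernate-validator before 6.0.18 is affected by CVE-2019-10219 (`@SafeHtml` sanitization) and libthrift 0.13.0 by the later-published CVE-2020-13949, so both pins should be checked against the scanner's report rather than only against a green Cassandra 3.11.6 build, and ideally expressed as properties or managed versions like `${cassandraVersion}` is. Declaring `netty-all` here while the root pom manages the individual `netty-*` jars means two copies of every netty class land on the classpath as soon as any transitive dependency pulls an individual jar, with classpath order deciding which wins; either drop `netty-all` in favour of the managed artifacts or manage `netty-all` in the root pom as well. The exclusion/replacement pairs (libthrift excluded from `cassandra-thrift`, jboss-logging and ant excluded) carry no explanation; a comment per pair such as `<!-- cassandra-thrift 3.11.x pulls an older libthrift; replaced by 0.13.0 below -->` (the version assumption to be confirmed) would tell the next person what can be dropped when Cassandra is bumped again.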
+++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml @@ -84,6 +84,32 @@ org.apache.jackrabbit oak-segment-tar + + + io.netty + netty-transport + + + io.netty + netty-resolver + + + io.netty + netty-handler + + + io.netty + netty-common + + + io.netty + netty-codec + + + io.netty + netty-buffer + + org.apache.jackrabbit @@ -113,6 +139,34 @@ org.apache.jackrabbit oak-core + + + io.netty + netty-transport + + + io.netty + netty-resolver + + + io.netty + netty-handler + + + io.netty + netty-common + + + io.netty + netty-codec + + + io.netty + netty-buffer + + + javax.inject diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java index 8822ff07b..a8cb1a700 100644 --- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java +++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java 
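Review bot: The six-artifact netty exclusion list added to `oak-segment-tar` in the `-84,6 +84,32` hunk duplicates the exclusion block the same patch puts under the root pom's `dependencyManagement` for that artifact; Maven merges managed exclusions into inheriting modules, so this copy is redundant and the two lists will drift the first time one gains an artifact (say `netty-codec-http`) and the other does not. One wildcard exclusion, `<exclusion><groupId>io.netty</groupId><artifactId>*</artifactId></exclusion>` (Maven 3.2.1+), in the managed entry — and likewise for `oak-core` in the `-113,6 +139,34` hunk, which has no managed counterpart in this patch — would state the intent once. Whether `oak-segment-tar` still needs netty at runtime after the exclusion depends on which Oak features Archiva uses (its standby/network code is the netty consumer); if the standby server is not used, a comment like `<!-- netty excluded: version managed by the root pom; Oak's standby server is not used -->` records that assumption for the reader.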
@@ -44,8 +44,6 @@ import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.LocalIndexObserver; import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory; import org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner; import org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory; -import org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory; -import org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl; import org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder; import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache; import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants; @@ -142,7 +140,6 @@ public class OakRepositoryFactory private LuceneIndexProvider indexProvider; - private ScorerProviderFactory scorerFactory = new ScorerProviderFactoryImpl( ); private IndexAugmentorFactory augmentorFactory = new IndexAugmentorFactory( ); private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP; @@ -396,7 +393,7 @@ public class OakRepositoryFactory tracker = createTracker(); - indexProvider = new LuceneIndexProvider(tracker, scorerFactory, augmentorFactory); + indexProvider = new LuceneIndexProvider(tracker, augmentorFactory); initialize(); registerObserver(); diff --git a/archiva-modules/pom.xml b/archiva-modules/pom.xml index aa0e4889e..fb74868d2 100644 --- a/archiva-modules/pom.xml +++ b/archiva-modules/pom.xml @@ -217,8 +217,6 @@ - - diff --git a/pom.xml b/pom.xml index 1188a71d5..1bd70fb38 100644 --- a/pom.xml +++ b/pom.xml @@ -74,7 +74,8 @@ 2.0 - 1.22.3 + 1.30.0 + 4.1.50.Final 
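Review bot: The `ScorerProviderFactory` argument disappears from `new LuceneIndexProvider(tracker, augmentorFactory)` in the `-396,7 +393,7` hunk with nothing recording why, which leaves a behavioural change to index scoring buried in a dependency-update commit. The removed imports in the `-44,8 +44,6` hunk together with the `jcr-oak.version` bump 1.22.3 → 1.30.0 suggest the oak-lucene constructor lost that parameter upstream, but that is inferred and should be confirmed against the Oak changelog. A comment above the call, `// oak-lucene 1.30 dropped the ScorerProviderFactory parameter; scoring falls back to Oak's default scorer`, would tie the change to the version bump; the enclosing method starts outside the hunk.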
@@ -502,6 +503,64 @@ org.apache.jackrabbit oak-segment-tar ${jcr-oak.version} + + + io.netty + netty-transport + + + io.netty + netty-resolver + + + io.netty + netty-handler + + + io.netty + netty-common + + + io.netty + netty-codec + + + io.netty + netty-buffer + + + + + + io.netty + netty-transport + ${netty.version} + + + io.netty + netty-resolver + ${netty.version} + + + io.netty + netty-handler + ${netty.version} + + + io.netty + netty-common + ${netty.version} + + + io.netty + netty-codec + ${netty.version} + + + io.netty + netty-buffer + ${netty.version} org.apache.jackrabbit @@ -1351,6 +1410,14 @@ + + + com.google.guava + guava + 29.0-jre + + + org.xmlunit xmlunit-core @@ -1818,6 +1885,10 @@ + + + + -- 2.39.5
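Review bot: Only six netty artifacts are pinned to `${netty.version}` in the `-502,6 +503,64` hunk, so `netty-codec-http` (where CVE-2019-20444/CVE-2019-20445 live), `netty-all` (declared directly in the cassandra module) and the native transports remain unmanaged while the new suppression file hides netty findings for every `io.netty` artifact — an older transitive `netty-codec-http` would be both unpinned and unreported. Importing the BOM, `<dependency><groupId>io.netty</groupId><artifactId>netty-bom</artifactId><version>${netty.version}</version><type>pom</type><scope>import</scope></dependency>`, pins the whole family in one entry and replaces the six explicit ones. The guava `29.0-jre` added in the `-1351,6 +1410,14` hunk sits in a section whose element names are stripped here; if it is build-time only that is fine, but on the runtime classpath guava below 30.0 carries the later-published CVE-2020-8908 (`Files.createTempDir` permissions), which the scanner will report.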