author | Martin Stockhammer <martin_s@apache.org> | 2020-07-01 22:27:51 +0200 |
---|---|---|
committer | Martin Stockhammer <martin_s@apache.org> | 2020-07-01 22:27:51 +0200 |
commit | f1ff872d4321e81824b7ad8732151757028113ad (patch) | |
tree | e556c62faba6ef62ee78f9f7adc6699cf28e500a | |
parent | 509aad470c1ed42e108ea3294d1db71fdcee8aac (diff) | |
download | archiva-f1ff872d4321e81824b7ad8732151757028113ad.tar.gz archiva-f1ff872d4321e81824b7ad8732151757028113ad.zip |
Updating dependency with owasp check
10 files changed, 255 insertions, 21 deletions
diff --git a/archiva-jetty/pom.xml b/archiva-jetty/pom.xml
index 21b779780..86a8d2985 100644
--- a/archiva-jetty/pom.xml
+++ b/archiva-jetty/pom.xml
@@ -171,9 +171,6 @@
 <systemProperty>archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties</systemProperty>
 <systemProperty>org.apache.jackrabbit.core.state.validatehierarchy=true</systemProperty>
 </systemProperties>
- <extraArguments>
- <extraArgument>-XX:MaxPermSize=128m</extraArgument>
- </extraArguments>
 <initialMemorySize>512</initialMemorySize>
 <maxMemorySize>512</maxMemorySize>
 </jvmSettings>
@@ -253,6 +250,8 @@
 <finalName>apache-archiva-${project.version}</finalName>
 </configuration>
 </plugin>
+
+
 </plugins>
 <pluginManagement>
 <plugins>
diff --git a/archiva-modules/archiva-web/archiva-rss/pom.xml b/archiva-modules/archiva-web/archiva-rss/pom.xml
index 048f26926..95a1bb532 100644
--- a/archiva-modules/archiva-web/archiva-rss/pom.xml
+++ b/archiva-modules/archiva-web/archiva-rss/pom.xml
@@ -131,10 +131,7 @@
 <artifactId>maven-surefire-plugin</artifactId>
 <configuration>
 <reuseForks>false</reuseForks>
- <!--
- <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
- -->
- <argLine>-Xms512m -Xmx1024m -server -XX:MaxPermSize=256m</argLine>
+ <argLine>-Xms512m -Xmx1024m -server</argLine>
 <systemPropertyVariables>
 <appserver.base>${project.build.directory}/appserver-base</appserver.base>
 <plexus.home>${project.build.directory}/appserver-base</plexus.home>
diff --git a/archiva-modules/archiva-web/archiva-web-common/pom.xml b/archiva-modules/archiva-web/archiva-web-common/pom.xml
index 15535cd8b..25206ac1c 100644
--- a/archiva-modules/archiva-web/archiva-web-common/pom.xml
+++ b/archiva-modules/archiva-web/archiva-web-common/pom.xml
@@ -564,10 +564,7 @@
 <artifactId>maven-surefire-plugin</artifactId>
 <configuration>
 <reuseForks>false</reuseForks>
-<!--
- <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
--->
- <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m</argLine>
+ <argLine>-Xms1024m -Xmx2048m -server</argLine>
 <systemPropertyVariables>
 <appserver.base>${project.build.directory}/appserver-base</appserver.base>
 <plexus.home>${project.build.directory}/appserver-base</plexus.home>
diff --git a/archiva-modules/archiva-web/archiva-webapp/pom.xml b/archiva-modules/archiva-web/archiva-webapp/pom.xml
index 3d51bed4e..e2f38ad7d 100644
--- a/archiva-modules/archiva-web/archiva-webapp/pom.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/pom.xml
@@ -554,6 +554,7 @@
 <exclude>src/test/repositories/test-repo/**</exclude>
 <exclude>src/main/resources/META-INF/services/*</exclude>
 <exclude>src/main/resources/META-INF/cxf/*</exclude>
+ <exclude>src/main/resources/META-INF/owasp/cve-suppressions.xml</exclude>
 </excludes>
 </configuration>
 </plugin>
@@ -828,6 +829,24 @@
 </configuration>
 </plugin>
+
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>5.3.2</version>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <failBuildOnCVSS>8</failBuildOnCVSS>
+ <suppressionFile>${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml</suppressionFile>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
 </plugins>
 </build>
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
new file mode 100644
index 000000000..420e6a55e
--- /dev/null
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
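Review bot: `<failBuildOnCVSS>8</failBuildOnCVSS>` in the new dependency-check-maven block lets findings scored 7.0–7.9 pass the build without failing it, and neither that threshold nor `<skipProvidedScope>true</skipProvidedScope>` is explained in the pom. If 8 is deliberate, record it beside the setting, e.g. `<!-- Gate on CVSS >= 8; lower-scored findings are triaged from the generated report rather than blocking the build -->`; otherwise 7 is the more usual boundary for "High". A one-line comment on skipProvidedScope should likewise state that provided-scope artifacts are expected to come from the servlet container and are checked there. The plugin is bound only in archiva-webapp, so presumably only this module's dependency tree is scanned; whether that covers everything the archiva-jetty assembly ships is not visible in this hunk.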
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress until="2020-09-01Z">
+ <notes><![CDATA[
+ file name: jackson-mapper-asl-1.9.2.jar is a dependency of cassandra - Waiting for update of cassandra
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+ <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
+ <cpe>cpe:/a:fasterxml:jackson</cpe>
+ <vulnerabilityName>CVE-2017-15095</vulnerabilityName>
+ <vulnerabilityName>CVE-2017-7525</vulnerabilityName>
+ <vulnerabilityName>CVE-2017-17485</vulnerabilityName>
+ <vulnerabilityName>CVE-2018-5968</vulnerabilityName>
+ <vulnerabilityName>CVE-2018-14718</vulnerabilityName>
+ <vulnerabilityName>CVE-2018-7489</vulnerabilityName>
+ <vulnerabilityName>CVE-2018-1000873</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-14540</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-14893</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-16335</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-17267</vulnerabilityName>
+ <vulnerabilityName>CVE-2020-10672</vulnerabilityName>
+ <vulnerabilityName>CVE-2020-10673</vulnerabilityName>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ False positive for oak-jcr packages
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+ <cpe>cpe:/a:apache:jackrabbit</cpe>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
+ Updated netty to higher version
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
+ <cpe>cpe:/a:netty:netty</cpe>
+ <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
+ Updated netty to higher version
+ ]]></notes>
+ <packageUrl regex="true">^.*oak-segment-tar.*$</packageUrl>
+ <cpe>cpe:/a:netty:netty</cpe>
+ <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: oak-segment-tar-1.30.0.jar: netty-codec-4.1.14.Final.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
+ <cpe>cpe:/a:netty:netty</cpe>
+ <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+ <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+ </suppress>
+
+</suppressions>
diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
index 77beb3547..364ce76f5 100644
--- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
+++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
@@ -31,7 +31,7 @@
 <properties>
 <site.staging.base>${project.parent.parent.basedir}</site.staging.base>
- <cassandraVersion>3.11.2</cassandraVersion>
+ <cassandraVersion>3.11.6</cassandraVersion>
 </properties>
 <dependencies>
@@ -143,6 +143,7 @@
 <groupId>org.jboss.logging</groupId>
 <artifactId>jboss-logging</artifactId>
 </exclusion>
+
 </exclusions>
 </dependency>
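Review bot: The last `<suppress>` entry, `<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>` with no `until`, silences CVE-2020-11612, CVE-2019-20445 and CVE-2019-20444 for every io.netty artifact at any version, including the managed 4.1.50.Final and whatever an unrelated dependency pulls in later, which is far wider than the oak-segment-tar case its notes describe. Binding the pattern to the shadowed version, `<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@4\.1\.14\.Final$</packageUrl>`, and giving the netty entries an `until` date as the jackson entry has keeps each suppression tied to its justification. The third and fourth entries carry identical notes and CVE lists; one entry keyed on `^.*oak-segment-tar.*$` plus the version-bound netty entry would cover the same ground with less to maintain. The jackson-mapper-asl entry hides thirteen deserialization CVEs behind a free-text note; it should also carry the tracking reference for the cassandra update (e.g. `[TRACKING-ISSUE-ID]`) so the suppression can be retired when that lands.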
@@ -169,24 +170,57 @@
 </exclusion>
 </exclusions>
 </dependency>
-
 <dependency>
 <groupId>org.apache.cassandra</groupId>
 <artifactId>cassandra-thrift</artifactId>
- <version>3.11.2</version>
+ <version>${cassandraVersion}</version>
 <exclusions>
 <exclusion>
 <groupId>javax.servlet</groupId>
 <artifactId>servlet-api</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.apache.ant</groupId>
+ <artifactId>ant</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libthrift</artifactId>
+ <version>0.13.0</version>
+ </dependency>
+ <!--
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-core-asl</artifactId>
+ <version>1.9.13</version>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ <version>1.9.13</version>
+ </dependency>
+ -->
+
+ <!-- Transitive dependency. Declared here to increase the version. -->
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-all</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
 <!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
 <dependency>
 <groupId>org.jboss.logging</groupId>
 <artifactId>jboss-logging</artifactId>
 </dependency>
+ <!-- Dependency of cassandra -> replacing by new version -->
+ <dependency>
+ <groupId>org.hibernate</groupId>
+ <artifactId>hibernate-validator</artifactId>
+ <version>4.3.2.Final</version>
+ </dependency>
 <!-- TEST Scope -->
@@ -236,6 +270,7 @@
 </dependencies>
+
 <build>
 <testResources>
 <testResource>
diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
index 26a94f3ab..22cd0c659 100644
--- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
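Review bot: `netty-all` is declared here at `${netty.version}` while archiva-modules/pom.xml in the same commit manages the split `netty-*` artifacts at that version; netty-all repackages the same classes as the split jars, so any classpath that ends up with both (the jcr and cassandra stores, if they are ever deployed together) carries duplicate classes with unspecified precedence — a `mvn dependency:tree -Dincludes=io.netty` check and a comment stating which form the cassandra artifacts actually require would settle it. The commented-out jackson-core-asl / jackson-mapper-asl block is dead configuration; replace it with `<!-- jackson-*-asl 1.9.x arrives transitively from cassandra and is covered by cve-suppressions.xml until cassandra updates -->` or drop it. `<!-- Dependency of cassandra -> replacing by new version -->` on hibernate-validator does not say which version is being replaced or why 4.3.2.Final was chosen; record both so the next bump can be judged. The dependencies block continues outside the hunk.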
+++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
@@ -84,6 +84,32 @@
 <dependency>
 <groupId>org.apache.jackrabbit</groupId>
 <artifactId>oak-segment-tar</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-transport</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-resolver</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-common</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-buffer</artifactId>
+ </exclusion>
+ </exclusions>
 </dependency>
 <dependency>
 <groupId>org.apache.jackrabbit</groupId>
@@ -113,6 +139,34 @@
 <groupId>org.apache.jackrabbit</groupId>
 <artifactId>oak-core</artifactId>
 </dependency>
+ <!-- netty is a transitive dependencies of oak-segment-tar
+ increasing version -->
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-transport</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-resolver</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-buffer</artifactId>
+ </dependency>
+
+
 <dependency>
 <groupId>javax.inject</groupId>
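Review bot: The six netty exclusions added to oak-segment-tar here repeat the ones this commit adds to the managed oak-segment-tar entry in archiva-modules/pom.xml; Maven merges managed exclusions into a child dependency that declares none, so this copy appears redundant and will drift from the parent — worth confirming and, if so, dropping in favour of the managed entry. The comment `<!-- netty is a transitive dependencies of oak-segment-tar increasing version -->` should read `<!-- netty artifacts are transitive dependencies of oak-segment-tar; excluded there and re-declared here so the managed ${netty.version} applies -->`. Whether oak-segment-tar pulls further netty artifacts beyond these six is not visible here, and because cve-suppressions.xml in this commit silences the netty CVEs by package the scanner will no longer say so; a `mvn dependency:tree -Dincludes=io.netty` check that no 4.1.14.Final jar remains belongs in the review of this change.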
diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
index 8822ff07b..a8cb1a700 100644
--- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
+++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
@@ -44,8 +44,6 @@ import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.LocalIndexObserver;
 import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory;
 import org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner;
 import org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory;
-import org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory;
-import org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl;
 import org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder;
 import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache;
 import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants;
@@ -142,7 +140,6 @@ public class OakRepositoryFactory
 private LuceneIndexProvider indexProvider;
- private ScorerProviderFactory scorerFactory = new ScorerProviderFactoryImpl( );
 private IndexAugmentorFactory augmentorFactory = new IndexAugmentorFactory( );
 private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP;
@@ -396,7 +393,7 @@ public class OakRepositoryFactory
 tracker = createTracker();
- indexProvider = new LuceneIndexProvider(tracker, scorerFactory, augmentorFactory);
+ indexProvider = new LuceneIndexProvider(tracker, augmentorFactory);
 initialize();
 registerObserver();
diff --git a/archiva-modules/pom.xml b/archiva-modules/pom.xml
index aa0e4889e..fb74868d2 100644
--- a/archiva-modules/pom.xml
+++ b/archiva-modules/pom.xml
@@ -217,8 +217,6 @@
 </reportSets>
 </plugin>
-
-
 </plugins>
 </reporting>
@@ -74,7 +74,8 @@
 <javax.jcr.version>2.0</javax.jcr.version>
 <!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene to adapt to dependency changes -->
- <jcr-oak.version>1.22.3</jcr-oak.version>
+ <jcr-oak.version>1.30.0</jcr-oak.version>
+ <netty.version>4.1.50.Final</netty.version>
 <!-- Jackrabbit classes are still used for webdav -->
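Review bot: The comment above `<jcr-oak.version>` still says only that oak-jcr-lucene may need updating when the Oak version changes, but this same commit shows that the netty exclusions and `<netty.version>` further down this pom have to move with it as well. Extending it to `<!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene and the netty exclusions / netty.version below, which track the netty version oak-segment-tar bundles -->` keeps the next Oak bump from silently reintroducing an older netty. The properties block continues outside this hunk.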
@@ -502,6 +503,64 @@
 <groupId>org.apache.jackrabbit</groupId>
 <artifactId>oak-segment-tar</artifactId>
 <version>${jcr-oak.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-transport</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-resolver</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-common</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-buffer</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <!-- netty is a transitive dependencies of oak-segment-tar
+ increasing version -->
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-transport</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-resolver</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-common</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec</artifactId>
+ <version>${netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-buffer</artifactId>
+ <version>${netty.version}</version>
 </dependency>
 <dependency>
 <groupId>org.apache.jackrabbit</groupId>
@@ -1351,6 +1410,14 @@
 </dependency>
+ <!-- Transitive dependency - fixing version -->
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ <version>29.0-jre</version>
+ </dependency>
+
+
 <dependency>
 <groupId>org.xmlunit</groupId>
 <artifactId>xmlunit-core</artifactId>
@@ -1818,6 +1885,10 @@
 </execution>
 </executions>
 </plugin>
+
+
+
+
 </plugins>
 <pluginManagement>
 <plugins>
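Review bot: `<!-- Transitive dependency - fixing version -->` on the new guava entry is ambiguous ("fixing" reads as repairing rather than pinning), and the hunk does not show whether this `<dependency>` sits under `<dependencyManagement>` or `<dependencies>`; in a parent pom the latter would make guava 29.0-jre a direct dependency of every module rather than merely pin the version the modules already resolve. Say which and why: `<!-- Pins the version of guava, which only arrives transitively; managed here so every module resolves the same release -->`, and if it is in `<dependencies>`, move it under dependencyManagement. The enclosing block starts and ends outside this hunk.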