mirrors
/
archiva
mirror of https://github.com/apache/archiva.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 70 Wiki Activity
Browse Source

Updating dependency with owasp check

pull/61/head
Martin Stockhammer 3 years ago
parent
509aad470c
commit
f1ff872d43
10 changed files with 255 additions and 21 deletions
Split View Show Diff Stats
  1. 2
    3
      archiva-jetty/pom.xml
  2. 1
    4
      archiva-modules/archiva-web/archiva-rss/pom.xml
  3. 1
    4
      archiva-modules/archiva-web/archiva-web-common/pom.xml
  4. 19
    0
      archiva-modules/archiva-web/archiva-webapp/pom.xml
  5. 67
    0
      archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
  6. 38
    3
      archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
  7. 54
    0
      archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
  8. 1
    4
      archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
  9. 0
    2
      archiva-modules/pom.xml
  10. 72
    1
      pom.xml

+ 2
- 3
archiva-jetty/pom.xml View File

@@ -171,9 +171,6 @@
<systemProperty>archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties</systemProperty>
<systemProperty>org.apache.jackrabbit.core.state.validatehierarchy=true</systemProperty>
</systemProperties>
<extraArguments>
<extraArgument>-XX:MaxPermSize=128m</extraArgument>
</extraArguments>
<initialMemorySize>512</initialMemorySize>
<maxMemorySize>512</maxMemorySize>
</jvmSettings>
@@ -253,6 +250,8 @@
<finalName>apache-archiva-${project.version}</finalName>
</configuration>
</plugin>


</plugins>
<pluginManagement>
<plugins>

+ 1
- 4
archiva-modules/archiva-web/archiva-rss/pom.xml View File

@@ -131,10 +131,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<reuseForks>false</reuseForks>
<!--
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
-->
<argLine>-Xms512m -Xmx1024m -server -XX:MaxPermSize=256m</argLine>
<argLine>-Xms512m -Xmx1024m -server</argLine>
<systemPropertyVariables>
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
<plexus.home>${project.build.directory}/appserver-base</plexus.home>

+ 1
- 4
archiva-modules/archiva-web/archiva-web-common/pom.xml View File

@@ -564,10 +564,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<reuseForks>false</reuseForks>
<!--
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
-->
<argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m</argLine>
<argLine>-Xms1024m -Xmx2048m -server</argLine>
<systemPropertyVariables>
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
<plexus.home>${project.build.directory}/appserver-base</plexus.home>

+ 19
- 0
archiva-modules/archiva-web/archiva-webapp/pom.xml View File

@@ -554,6 +554,7 @@
<exclude>src/test/repositories/test-repo/**</exclude>
<exclude>src/main/resources/META-INF/services/*</exclude>
<exclude>src/main/resources/META-INF/cxf/*</exclude>
<exclude>src/main/resources/META-INF/owasp/cve-suppressions.xml</exclude>
</excludes>
</configuration>
</plugin>
@@ -828,6 +829,24 @@
</configuration>
</plugin>


<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<failBuildOnCVSS>8</failBuildOnCVSS>
<suppressionFile>${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml</suppressionFile>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>


+ 67
- 0
archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml View File

@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2020-09-01Z">
<notes><![CDATA[
file name: jackson-mapper-asl-1.9.2.jar is a dependency of cassandra - Waiting for update of cassandra
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
<cpe>cpe:/a:fasterxml:jackson</cpe>
<vulnerabilityName>CVE-2017-15095</vulnerabilityName>
<vulnerabilityName>CVE-2017-7525</vulnerabilityName>
<vulnerabilityName>CVE-2017-17485</vulnerabilityName>
<vulnerabilityName>CVE-2018-5968</vulnerabilityName>
<vulnerabilityName>CVE-2018-14718</vulnerabilityName>
<vulnerabilityName>CVE-2018-7489</vulnerabilityName>
<vulnerabilityName>CVE-2018-1000873</vulnerabilityName>
<vulnerabilityName>CVE-2019-14540</vulnerabilityName>
<vulnerabilityName>CVE-2019-14893</vulnerabilityName>
<vulnerabilityName>CVE-2019-16335</vulnerabilityName>
<vulnerabilityName>CVE-2019-17267</vulnerabilityName>
<vulnerabilityName>CVE-2020-10672</vulnerabilityName>
<vulnerabilityName>CVE-2020-10673</vulnerabilityName>
</suppress>

<suppress>
<notes><![CDATA[
False positive for oak-jcr packages
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
<cpe>cpe:/a:apache:jackrabbit</cpe>
</suppress>

<suppress>
<notes><![CDATA[
False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
Updated netty to higher version
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>

<suppress>
<notes><![CDATA[
False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
Updated netty to higher version
]]></notes>
<packageUrl regex="true">^.*oak-segment-tar.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
file name: oak-segment-tar-1.30.0.jar: netty-codec-4.1.14.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
<cpe>cpe:/a:netty:netty</cpe>
<vulnerabilityName>CVE-2020-11612</vulnerabilityName>
<vulnerabilityName>CVE-2019-20445</vulnerabilityName>
<vulnerabilityName>CVE-2019-20444</vulnerabilityName>
</suppress>

</suppressions>

+ 38
- 3
archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml View File

@@ -31,7 +31,7 @@

<properties>
<site.staging.base>${project.parent.parent.basedir}</site.staging.base>
<cassandraVersion>3.11.2</cassandraVersion>
<cassandraVersion>3.11.6</cassandraVersion>
</properties>

<dependencies>
@@ -143,6 +143,7 @@
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
</exclusion>

</exclusions>
</dependency>

@@ -169,24 +170,57 @@
</exclusion>
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.cassandra</groupId>
<artifactId>cassandra-thrift</artifactId>
<version>3.11.2</version>
<version>${cassandraVersion}</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.thrift</groupId>
<artifactId>libthrift</artifactId>
<version>0.13.0</version>
</dependency>
<!--
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<version>1.9.13</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>1.9.13</version>
</dependency>
-->

<!-- Transitive dependency. Declared here to increase the version. -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-all</artifactId>
<version>${netty.version}</version>
</dependency>

<!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
<dependency>
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
</dependency>
<!-- Dependency of cassandra -> replacing by new version -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>4.3.2.Final</version>
</dependency>


<!-- TEST Scope -->
@@ -236,6 +270,7 @@


</dependencies>

<build>
<testResources>
<testResource>

+ 54
- 0
archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml View File

@@ -84,6 +84,32 @@
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-segment-tar</artifactId>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
@@ -113,6 +139,34 @@
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-core</artifactId>
</dependency>
<!-- netty is a transitive dependencies of oak-segment-tar
increasing version -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</dependency>



<dependency>
<groupId>javax.inject</groupId>

+ 1
- 4
archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java View File

@@ -44,8 +44,6 @@ import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.LocalIndexObserver;
import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner;
import org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory;
import org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl;
import org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder;
import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache;
import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants;
@@ -142,7 +140,6 @@ public class OakRepositoryFactory

private LuceneIndexProvider indexProvider;

private ScorerProviderFactory scorerFactory = new ScorerProviderFactoryImpl( );
private IndexAugmentorFactory augmentorFactory = new IndexAugmentorFactory( );

private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP;
@@ -396,7 +393,7 @@ public class OakRepositoryFactory

tracker = createTracker();

indexProvider = new LuceneIndexProvider(tracker, scorerFactory, augmentorFactory);
indexProvider = new LuceneIndexProvider(tracker, augmentorFactory);

initialize();
registerObserver();

+ 0
- 2
archiva-modules/pom.xml View File

@@ -217,8 +217,6 @@
</reportSets>
</plugin>



</plugins>
</reporting>


+ 72
- 1
pom.xml View File

@@ -74,7 +74,8 @@
<javax.jcr.version>2.0</javax.jcr.version>
<!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
to adapt to dependency changes -->
<jcr-oak.version>1.22.3</jcr-oak.version>
<jcr-oak.version>1.30.0</jcr-oak.version>
<netty.version>4.1.50.Final</netty.version>


<!-- Jackrabbit classes are still used for webdav -->
@@ -502,6 +503,64 @@
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-segment-tar</artifactId>
<version>${jcr-oak.version}</version>
<exclusions>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- netty is a transitive dependencies of oak-segment-tar
increasing version -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-resolver</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-common</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-buffer</artifactId>
<version>${netty.version}</version>
</dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
@@ -1351,6 +1410,14 @@
</dependency>


<!-- Transitive dependency - fixing version -->
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>29.0-jre</version>
</dependency>


<dependency>
<groupId>org.xmlunit</groupId>
<artifactId>xmlunit-core</artifactId>
@@ -1818,6 +1885,10 @@
</execution>
</executions>
</plugin>




</plugins>
<pluginManagement>
<plugins>

Write Preview
Loading…
Cancel
Save