authorSimon Brandhof <simon.brandhof@sonarsource.com>2015-02-14 14:29:52 +0100
committerSimon Brandhof <simon.brandhof@sonarsource.com>2015-02-14 14:29:52 +0100
commitf7f1203ed3d3183df8802357f7815e248ea6b1a2 (patch)
treed9361508657623da0e55f22df739a80e7b793cb9
parent94c01944ba8e03b3206ace25853e84094cbacfda (diff)
downloadsonarqube-f7f1203ed3d3183df8802357f7815e248ea6b1a2.tar.gz
sonarqube-f7f1203ed3d3183df8802357f7815e248ea6b1a2.zip
Add configuration for check of dep vulnerabilities listed in CVE registry
-rw-r--r--cve-false-positives.xml17
-rw-r--r--pom.xml35
2 files changed, 52 insertions, 0 deletions
diff --git a/cve-false-positives.xml b/cve-false-positives.xml
new file mode 100644
index 00000000000..39a01d9e778
--- /dev/null
+++ b/cve-false-positives.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+ <suppress>
+ <notes><![CDATA[
+ file name: gson-2.3.1.jar
+ ]]></notes>
+ <sha1>ECB6E1F8E4B0E84C4B886C2F14A1500CAF309757</sha1>
+ <cpe>cpe:/a:google:v8:2.3.1</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-spec-jta-1.0-M1.jar
+ ]]></notes>
+ <sha1>1F01F94B5B83C33950E22CDE224868407FDF8B99</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.0.m1</cpe>
+ </suppress>
+</suppressions>
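Review bot: Both `<notes>` entries record only the jar's file name, not why the matched CPE is a false positive, so a later maintainer cannot tell whether the suppression is still justified or just stale. Pinning each entry to one jar's `<sha1>` is the safe choice (the suppression lapses as soon as the jar is upgraded), but it also means the reasoning has to be re-established on every upgrade, which is exactly when the notes are needed. I would extend each note along the lines of `file name: gson-2.3.1.jar` followed by `reason: cpe:/a:google:v8 does not describe this artifact (name-match false positive); re-verify on upgrade`, and the same pattern for geronimo-spec-jta-1.0-M1.jar against `cpe:/a:apache:geronimo:1.0.m1`.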
diff --git a/pom.xml b/pom.xml
index 229b016c524..27e8fa50e17 100644
--- a/pom.xml
+++ b/pom.xml
@@ -288,6 +288,16 @@
<artifactId>clirr-maven-plugin</artifactId>
<version>2.6.1</version>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>1.2.8</version>
+ <configuration>
+ <failBuildOnCVSS>8</failBuildOnCVSS>
+ <suppressionFile>cve-false-positives.xml</suppressionFile>
+ </configuration>
+ </plugin>
+
</plugins>
</pluginManagement>
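Review bot: `<failBuildOnCVSS>8</failBuildOnCVSS>` means any finding scored below 8 is reported but does not fail the build, and nothing in the configuration records why that threshold was chosen. A one-line comment above it, e.g. `<!-- fail only on CVSS >= 8; lower-scored findings are reported but do not break the build -->`, keeps the policy visible to whoever later tunes it. The bare relative `<suppressionFile>cve-false-positives.xml</suppressionFile>` is presumably resolved against the directory of the module running the plugin; if this pluginManagement entry is inherited by child modules, `${session.executionRootDirectory}/cve-false-positives.xml` would locate the root file reliably. The enclosing `<plugins>`/`<pluginManagement>` elements open outside this hunk.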
@@ -1502,6 +1512,7 @@
</dependency>
</dependencies>
</profile>
+
<profile>
<!-- add microbenchmarks module to IDE -->
<id>includeMicrobenchmarkModule</id>
@@ -1509,6 +1520,30 @@
<module>microbenchmark-template</module>
</modules>
</profile>
+
+ <profile>
+ <!--
+ check if maven dependencies have vulnerabilities listed in CVE
+ Standalone command: mvn org.owasp:dependency-check-maven:check
+ See http://jeremylong.github.io/DependencyCheck
+ -->
+ <id>securityCheck</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
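Review bot: The `check` execution in the new `securityCheck` profile declares no `<phase>`, so when the scan runs depends on the goal's default lifecycle phase (I believe `verify`); adding `<phase>verify</phase>` inside `<execution>` makes that explicit and insulates the profile from changes to the plugin version pinned in pluginManagement. The profile comment already gives the standalone command and the project link; I would add a sentence there that the plugin presumably fetches the NVD data feed at run time, since that matters for offline or sandboxed builds and explains why the profile is opt-in. The `<profiles>` element opens outside this hunk.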