This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/archiva.git


The following commit(s) were added to refs/heads/master by this push:
     new f1ff872  Updating dependency with owasp check
f1ff872 is described below

commit f1ff872d4321e81824b7ad8732151757028113ad
Author: Martin Stockhammer <[email protected]>
AuthorDate: Wed Jul 1 22:27:51 2020 +0200

    Updating dependency with owasp check
---
 archiva-jetty/pom.xml                              |  5 +-
 archiva-modules/archiva-web/archiva-rss/pom.xml    |  5 +-
 .../archiva-web/archiva-web-common/pom.xml         |  5 +-
 archiva-modules/archiva-web/archiva-webapp/pom.xml | 19 ++++++
 .../resources/META-INF/owasp/cve-suppressions.xml  | 67 ++++++++++++++++++++
 .../metadata-store-cassandra/pom.xml               | 41 +++++++++++-
 .../oak-jcr/metadata-store-jcr/pom.xml             | 54 ++++++++++++++++
 .../repository/jcr/OakRepositoryFactory.java       |  5 +-
 archiva-modules/pom.xml                            |  2 -
 pom.xml                                            | 73 +++++++++++++++++++++-
 10 files changed, 255 insertions(+), 21 deletions(-)

diff --git a/archiva-jetty/pom.xml b/archiva-jetty/pom.xml
index 21b7797..86a8d29 100644
--- a/archiva-jetty/pom.xml
+++ b/archiva-jetty/pom.xml
@@ -171,9 +171,6 @@
                   
<systemProperty>archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties</systemProperty>
                   
<systemProperty>org.apache.jackrabbit.core.state.validatehierarchy=true</systemProperty>
                 </systemProperties>
-                <extraArguments>
-                  <extraArgument>-XX:MaxPermSize=128m</extraArgument>
-                </extraArguments>
                 <initialMemorySize>512</initialMemorySize>
                 <maxMemorySize>512</maxMemorySize>
               </jvmSettings>
@@ -253,6 +250,8 @@
           <finalName>apache-archiva-${project.version}</finalName>
         </configuration>
       </plugin>
+
+
     </plugins>
     <pluginManagement>
       <plugins>
diff --git a/archiva-modules/archiva-web/archiva-rss/pom.xml 
b/archiva-modules/archiva-web/archiva-rss/pom.xml
index 048f269..95a1bb5 100644
--- a/archiva-modules/archiva-web/archiva-rss/pom.xml
+++ b/archiva-modules/archiva-web/archiva-rss/pom.xml
@@ -131,10 +131,7 @@
         <artifactId>maven-surefire-plugin</artifactId>
         <configuration>
           <reuseForks>false</reuseForks>
-          <!--
-                    <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m 
@{jacocoproperty}</argLine>
-          -->
-          <argLine>-Xms512m -Xmx1024m -server -XX:MaxPermSize=256m</argLine>
+          <argLine>-Xms512m -Xmx1024m -server</argLine>
           <systemPropertyVariables>
             
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
             
<plexus.home>${project.build.directory}/appserver-base</plexus.home>
diff --git a/archiva-modules/archiva-web/archiva-web-common/pom.xml 
b/archiva-modules/archiva-web/archiva-web-common/pom.xml
index 15535cd..25206ac 100644
--- a/archiva-modules/archiva-web/archiva-web-common/pom.xml
+++ b/archiva-modules/archiva-web/archiva-web-common/pom.xml
@@ -564,10 +564,7 @@
         <artifactId>maven-surefire-plugin</artifactId>
         <configuration>
           <reuseForks>false</reuseForks>
-<!--
-          <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m 
@{jacocoproperty}</argLine>
--->
-          <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m</argLine>
+          <argLine>-Xms1024m -Xmx2048m -server</argLine>
           <systemPropertyVariables>
             
<appserver.base>${project.build.directory}/appserver-base</appserver.base>
             
<plexus.home>${project.build.directory}/appserver-base</plexus.home>
diff --git a/archiva-modules/archiva-web/archiva-webapp/pom.xml 
b/archiva-modules/archiva-web/archiva-webapp/pom.xml
index 3d51bed..e2f38ad 100644
--- a/archiva-modules/archiva-web/archiva-webapp/pom.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/pom.xml
@@ -554,6 +554,7 @@
               <exclude>src/test/repositories/test-repo/**</exclude>
               <exclude>src/main/resources/META-INF/services/*</exclude>
               <exclude>src/main/resources/META-INF/cxf/*</exclude>
+              
<exclude>src/main/resources/META-INF/owasp/cve-suppressions.xml</exclude>
             </excludes>
           </configuration>
         </plugin>
@@ -828,6 +829,24 @@
         </configuration>
       </plugin>
 
+
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>5.3.2</version>
+        <configuration>
+          <skipProvidedScope>true</skipProvidedScope>
+          <failBuildOnCVSS>8</failBuildOnCVSS>
+          
<suppressionFile>${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml</suppressionFile>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 
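Review bot: `<failBuildOnCVSS>8</failBuildOnCVSS>` in the new dependency-check-maven plugin block breaks the build only for findings scored 8.0 or higher, so findings in the 7.0–7.9 band (still "High" under CVSSv3) are reported but tolerated. If that band is meant to be accepted, record it next to the setting, e.g. `<!-- fail only on critical-range findings; High (7.0-7.9) is reported but does not break the build -->`; otherwise `<failBuildOnCVSS>7</failBuildOnCVSS>` aligns the gate with the High boundary. The `check` execution names no phase and no profile, so the scan (and its vulnerability-database download) runs on every build of this module; if offline or time-constrained CI builds matter, binding it inside a profile would keep that opt-in. `skipProvidedScope` leaves container-supplied artifacts out of the scan, which is reasonable for a webapp but also means a vulnerable provided-scope dependency never appears here — worth stating in the same comment.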
diff --git 
a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
 
b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
new file mode 100644
index 0000000..420e6a5
--- /dev/null
+++ 
b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd";>
+  <suppress until="2020-09-01Z">
+    <notes><![CDATA[
+   file name: jackson-mapper-asl-1.9.2.jar is a dependency of cassandra - 
Waiting for update of cassandra
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+    <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
+    <cpe>cpe:/a:fasterxml:jackson</cpe>
+    <vulnerabilityName>CVE-2017-15095</vulnerabilityName>
+    <vulnerabilityName>CVE-2017-7525</vulnerabilityName>
+    <vulnerabilityName>CVE-2017-17485</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-5968</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-14718</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-7489</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-1000873</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-14540</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-14893</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-16335</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-17267</vulnerabilityName>
+    <vulnerabilityName>CVE-2020-10672</vulnerabilityName>
+    <vulnerabilityName>CVE-2020-10673</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+   False positive for oak-jcr packages
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+    <cpe>cpe:/a:apache:jackrabbit</cpe>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    False positive for oak-segment-tar-1.30.0.jar: 
netty-transport-4.1.14.Final.jar
+    Updated netty to higher version
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    False positive for oak-segment-tar-1.30.0.jar: 
netty-transport-4.1.14.Final.jar
+    Updated netty to higher version
+   ]]></notes>
+    <packageUrl regex="true">^.*oak-segment-tar.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: oak-segment-tar-1.30.0.jar: netty-codec-4.1.14.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+
+</suppressions>
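Review bot: The three netty entries (the ones whose packageUrl patterns are `netty\-transport`, `oak-segment-tar` and `netty\-.*`) carry no `until` attribute and their regexes match every version, so the listed CVEs stay silenced for any future netty artifact as well; bound them the way the first entry is, e.g. `<suppress until="2020-12-01Z">` (date to be chosen) and `regex="true">^pkg:maven/io\.netty/netty\-.*@4\.1\.14\.Final$`. The notes call the finding a false positive because the Maven-level netty version was raised, but the evidence string `oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar` reads as netty being found inside the oak-segment-tar jar; if that is an embedded copy rather than a transitively resolved artifact, the exclusions in the other poms do not replace it and the finding is genuine — worth confirming before suppressing. The two entries with identical notes differ only in their packageUrl pattern; a one-line note saying why both patterns are needed would stop the next reader from treating one as a copy-paste leftover. The `;` after the xmlns value on the root element may be a mail-rendering artifact, but if it is really in the file the document is not well-formed.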
diff --git 
a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
 
b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
index 77beb35..364ce76 100644
--- 
a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
+++ 
b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
@@ -31,7 +31,7 @@
 
   <properties>
     <site.staging.base>${project.parent.parent.basedir}</site.staging.base>
-    <cassandraVersion>3.11.2</cassandraVersion>
+    <cassandraVersion>3.11.6</cassandraVersion>
   </properties>
 
   <dependencies>
@@ -143,6 +143,7 @@
           <groupId>org.jboss.logging</groupId>
           <artifactId>jboss-logging</artifactId>
         </exclusion>
+
       </exclusions>
     </dependency>
 
@@ -169,24 +170,57 @@
         </exclusion>
       </exclusions>
     </dependency>
-
     <dependency>
       <groupId>org.apache.cassandra</groupId>
       <artifactId>cassandra-thrift</artifactId>
-      <version>3.11.2</version>
+      <version>${cassandraVersion}</version>
       <exclusions>
         <exclusion>
           <groupId>javax.servlet</groupId>
           <artifactId>servlet-api</artifactId>
         </exclusion>
+          <exclusion>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+          </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.apache.thrift</groupId>
+      <artifactId>libthrift</artifactId>
+      <version>0.13.0</version>
+    </dependency>
+    <!--
+    <dependency>
+      <groupId>org.codehaus.jackson</groupId>
+      <artifactId>jackson-core-asl</artifactId>
+      <version>1.9.13</version>
+    </dependency>
+    <dependency>
+      <groupId>org.codehaus.jackson</groupId>
+      <artifactId>jackson-mapper-asl</artifactId>
+      <version>1.9.13</version>
+    </dependency>
+    -->
+
+    <!-- Transitive dependency. Declared here to increase the version. -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-all</artifactId>
+      <version>${netty.version}</version>
+    </dependency>
 
     <!-- Is a dependency of cassandra -> hibernate-validator and replaced by 
new version -->
     <dependency>
       <groupId>org.jboss.logging</groupId>
       <artifactId>jboss-logging</artifactId>
     </dependency>
+    <!-- Dependency of cassandra -> replacing by new version -->
+    <dependency>
+      <groupId>org.hibernate</groupId>
+      <artifactId>hibernate-validator</artifactId>
+      <version>4.3.2.Final</version>
+    </dependency>
 
 
     <!-- TEST Scope -->
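Review bot: The commented-out `org.codehaus.jackson` dependency block between the libthrift and netty-all declarations is dead configuration; either drop it or replace it with a one-line comment stating why jackson-mapper-asl 1.9.x is still tolerated (the new suppression file gives that finding an expiry of 2020-09-01, which is the natural place to point to). `libthrift` is pinned to 0.13.0 while `cassandra-thrift` now follows `${cassandraVersion}` (3.11.6); I cannot tell from the hunk whether cassandra-thrift 3.11.6 is binary compatible with that libthrift line, so the module's tests should exercise the thrift client path before this ships. The `hibernate-validator` comment `Dependency of cassandra -> replacing by new version` would be clearer as `<!-- overrides the version pulled in transitively by cassandra-all -->` together with the reason for choosing 4.3.2.Final.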
@@ -236,6 +270,7 @@
 
 
   </dependencies>
+
   <build>
     <testResources>
       <testResource>
diff --git 
a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
 
b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
index 26a94f3..22cd0c6 100644
--- 
a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
+++ 
b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml
@@ -84,6 +84,32 @@
     <dependency>
       <groupId>org.apache.jackrabbit</groupId>
       <artifactId>oak-segment-tar</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-transport</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-resolver</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-handler</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-common</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-codec</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-buffer</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.jackrabbit</groupId>
@@ -113,6 +139,34 @@
       <groupId>org.apache.jackrabbit</groupId>
       <artifactId>oak-core</artifactId>
     </dependency>
+    <!-- netty is a transitive dependencies of oak-segment-tar
+     increasing version -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-transport</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-resolver</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-buffer</artifactId>
+    </dependency>
+
+
 
     <dependency>
       <groupId>javax.inject</groupId>
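Review bot: The netty version is already managed in the root pom (`<netty.version>4.1.50.Final</netty.version>` plus the six `io.netty` entries under dependencyManagement in the pom.xml hunk at `@@ -502,6 +503,64 @@`), and managed versions apply to transitive dependencies as well, so excluding the six netty artifacts from oak-segment-tar in the previous hunk and re-adding them without versions here should not be needed just to raise the version; if the exclusions exist for another reason (for example to make the dependency explicit for the scanner), the comment should say so. The same exclusion list is repeated on the managed oak-segment-tar entry in the root pom, leaving three copies to keep in sync whenever a netty artifact is added or removed. As a wording point, `netty is a transitive dependencies of oak-segment-tar increasing version` would read better as `<!-- netty is a transitive dependency of oak-segment-tar; version raised via dependencyManagement -->`.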
diff --git 
a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
 
b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
index 8822ff0..a8cb1a7 100644
--- 
a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
+++ 
b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
@@ -44,8 +44,6 @@ import 
org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.LocalIndexObserver;
 import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory;
 import 
org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner;
 import 
org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory;
-import 
org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory;
-import 
org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl;
 import 
org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder;
 import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache;
 import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants;
@@ -142,7 +140,6 @@ public class OakRepositoryFactory
 
     private LuceneIndexProvider indexProvider;
 
-    private ScorerProviderFactory scorerFactory = new 
ScorerProviderFactoryImpl( );
     private IndexAugmentorFactory augmentorFactory = new 
IndexAugmentorFactory( );
 
     private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector 
activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP;
@@ -396,7 +393,7 @@ public class OakRepositoryFactory
 
         tracker = createTracker();
 
-        indexProvider = new LuceneIndexProvider(tracker, scorerFactory, 
augmentorFactory);
+        indexProvider = new LuceneIndexProvider(tracker, augmentorFactory);
 
         initialize();
         registerObserver();
diff --git a/archiva-modules/pom.xml b/archiva-modules/pom.xml
index aa0e488..fb74868 100644
--- a/archiva-modules/pom.xml
+++ b/archiva-modules/pom.xml
@@ -217,8 +217,6 @@
         </reportSets>
       </plugin>
 
-
-
     </plugins>
   </reporting>
 
diff --git a/pom.xml b/pom.xml
index 1188a71..1bd70fb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -74,7 +74,8 @@
     <javax.jcr.version>2.0</javax.jcr.version>
     <!-- If you change the JCR OAK version, you may have to update the pom.xml 
in the module oak-jcr-lucene
          to adapt to dependency changes -->
-    <jcr-oak.version>1.22.3</jcr-oak.version>
+    <jcr-oak.version>1.30.0</jcr-oak.version>
+    <netty.version>4.1.50.Final</netty.version>
 
 
     <!-- Jackrabbit classes are still used for webdav -->
@@ -502,6 +503,64 @@
         <groupId>org.apache.jackrabbit</groupId>
         <artifactId>oak-segment-tar</artifactId>
         <version>${jcr-oak.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-transport</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-resolver</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-common</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-buffer</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+      <!-- netty is a transitive dependencies of oak-segment-tar
+           increasing version -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-resolver</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-common</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-codec</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-buffer</artifactId>
+        <version>${netty.version}</version>
       </dependency>
       <dependency>
         <groupId>org.apache.jackrabbit</groupId>
@@ -1351,6 +1410,14 @@
       </dependency>
 
 
+      <!-- Transitive dependency - fixing version -->
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>29.0-jre</version>
+      </dependency>
+
+
       <dependency>
         <groupId>org.xmlunit</groupId>
         <artifactId>xmlunit-core</artifactId>
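Review bot: The new managed `com.google.guava:guava` 29.0-jre entry is explained only by `Transitive dependency - fixing version`; because dependencyManagement applies it to every module, including the cassandra metadata store whose cassandra-all dependency has, to my knowledge, a much older guava baseline and a history of runtime `NoSuchMethodError` failures on newer majors, the reason for the pin and the modules verified against it should be recorded, e.g. `<!-- forces guava 29.0-jre for all modules (transitive via oak/cassandra); metadata-store-cassandra tests pass with this version -->` once that has been checked. Nothing in the hunk shows that check, so running the metadata-store-cassandra tests against this version before relying on the pin would be worthwhile.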
@@ -1818,6 +1885,10 @@
           </execution>
         </executions>
       </plugin>
+
+
+
+
    </plugins>
     <pluginManagement>
       <plugins>
