Repository: calcite-avatica Updated Branches: refs/heads/master 933d3dca8 -> f0bce9859
[CALCITE-2467] Upgrade owasp-dependency-check maven plugin to 3.3.1 Upgrade protobuf-java to 3.5.1, jackson to 2.9.6, jetty to 9.4.11.v20180605. Close apache/calcite-avatica#66 Project: http://git-wip-us.apache.org/repos/asf/calcite-avatica/repo Commit: http://git-wip-us.apache.org/repos/asf/calcite-avatica/commit/f0bce985 Tree: http://git-wip-us.apache.org/repos/asf/calcite-avatica/tree/f0bce985 Diff: http://git-wip-us.apache.org/repos/asf/calcite-avatica/diff/f0bce985 Branch: refs/heads/master Commit: f0bce98597868d7176ed4d8ead47372367f88900 Parents: 933d3dc Author: Julian Hyde <[email protected]> Authored: Tue Aug 14 20:59:37 2018 -0700 Committer: Julian Hyde <[email protected]> Committed: Wed Aug 15 12:22:22 2018 -0700 ---------------------------------------------------------------------- pom.xml | 38 ++++++++++++++++++-- .../server/PropertyBasedSpnegoLoginService.java | 4 ++- site/_docs/howto.md | 2 ++ .../config/dependency-check/suppressions.xml | 32 +++++++++++++++++ 4 files changed, 72 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/pom.xml ----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index bf0b3a6..4794435 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,6 +55,7 @@ limitations under the License.
 <avatica.release.version>${project.version}</avatica.release.version>
 <version.major>1</version.major>
 <version.minor>12</version.minor>
+ <!-- This list is in alphabetical order. -->
 <bouncycastle.version>1.59</bouncycastle.version>
 <build-helper-maven-plugin.version>3.0.0</build-helper-maven-plugin.version>
@@ -72,13 +73,13 @@ limitations under the License.
 <httpclient.version>4.5.2</httpclient.version>
 <httpcore.version>4.4.4</httpcore.version>
 <hydromatic-toolbox.version>0.3</hydromatic-toolbox.version>
- <jackson.version>2.9.4</jackson.version>
+ <jackson.version>2.9.6</jackson.version>
 <!-- Default to html4 for JDK 8 but html5 on jdk9+ -->
 <javadoc-additionalOptions />
 <javadoc-link>https://docs.oracle.com/javase/8/docs/api/</javadoc-link>
 <jcip-annotations.version>1.0-1</jcip-annotations.version>
 <jcommander.version>1.48</jcommander.version>
- <jetty.version>9.2.19.v20160908</jetty.version>
+ <jetty.version>9.4.11.v20180605</jetty.version>
 <junit.version>4.12</junit.version>
 <kerby.version>1.0.0-RC2</kerby.version>
 <maven-assembly-plugin.version>3.0.0</maven-assembly-plugin.version>
@@ -92,7 +93,8 @@ limitations under the License.
 <!-- Apache 19 has 2.20.1, but need 2.21.0+ for [MPOM-184] -->
 <maven-surefire-plugin.version>2.21.0</maven-surefire-plugin.version>
 <mockito.version>2.5.5</mockito.version>
- <protobuf.version>3.3.0</protobuf.version>
+ <owasp-dependency-check.version>3.3.1</owasp-dependency-check.version>
+ <protobuf.version>3.5.1</protobuf.version>
 <scott-data-hsqldb.version>0.1</scott-data-hsqldb.version>
 <servlet.version>3.0.1</servlet.version>
 <slf4j.version>1.7.13</slf4j.version>
@@ -639,6 +641,11 @@ limitations under the License.
 </configuration>
 </plugin>
 <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${owasp-dependency-check.version}</version>
+ </plugin>
+ <plugin>
 <groupId>org.xolstice.maven.plugins</groupId>
 <artifactId>protobuf-maven-plugin</artifactId>
 <version>0.5.0</version>
@@ -776,5 +783,30 @@ limitations under the License.
 <javadoc-link>https://docs.oracle.com/javase/9/docs/api/</javadoc-link>
 </properties>
 </profile>
+ <profile>
+ <!-- Extra checks that are disabled in the regular build, enabled for
+ releases and on demand. -->
+ <id>pedantic</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>${top.dir}/src/main/config/dependency-check/suppressions.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
 </profiles>
 </project>
http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java ----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java b/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
index c5126c3..027b369 100644
--- a/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
+++ b/server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java
@@ -33,6 +33,7 @@ import java.lang.reflect.Field; import java.util.Objects; import javax.security.auth.Subject; +import javax.servlet.ServletRequest; /** * A customization of {@link SpnegoLoginService} which directly specifies the server's
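Review bot: The `check` goal in the new `pedantic` profile is bound with only `suppressionFiles` configured, so unless a `failBuildOnCVSS` threshold is set somewhere outside this hunk the plugin falls back to its default (which, as far as I recall for the 3.x line, is a score no CVE reaches), and `mvn verify -Ppedantic` writes the report but never fails on a finding. The suppression file it points at already draws the policy line at CVSS 7, so the two should agree: add `<failBuildOnCVSS>7</failBuildOnCVSS>` inside the `<configuration>` element next to `<suppressionFiles>` to turn the release-time scan into a gate rather than a report someone has to remember to read. The `check` goal also refreshes its local NVD copy from the network on each run, which an offline or proxied release build will need to account for; a one-line comment on the profile such as `<!-- needs network access to update the NVD data; see failBuildOnCVSS for the failure threshold -->` would spare the next release manager the surprise. The `<profiles>` element this hunk closes is opened outside the hunk.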
@@ -60,7 +61,8 @@ public class PropertyBasedSpnegoLoginService extends SpnegoLoginService { targetNameField.set(this, serverPrincipal); } - @Override public UserIdentity login(String username, Object credentials) { + @Override public UserIdentity login(String username, Object credentials, + ServletRequest request) { String encodedAuthToken = (String) credentials; byte[] authToken = B64Code.decode(encodedAuthToken); http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/site/_docs/howto.md ---------------------------------------------------------------------- diff --git a/site/_docs/howto.md b/site/_docs/howto.md index 20789a1..f985fbe 100644 --- a/site/_docs/howto.md +++ b/site/_docs/howto.md @@ -202,6 +202,8 @@ Before you start: * Add release notes to `site/_docs/history.md`. Include the commit history, and say which versions of Java, Guava and operating systems the release is tested against. +* Generate a report of vulnerabilities that occur among dependencies, + using `mvn verify -Ppedantic`. * Make sure that <a href="https://issues.apache.org/jira/issues/?jql=project%20%3D%20CALCITE%20AND%20status%20%3D%20Resolved%20and%20fixVersion%20is%20null"> every "resolved" JIRA case</a> (including duplicates) has http://git-wip-us.apache.org/repos/asf/calcite-avatica/blob/f0bce985/src/main/config/dependency-check/suppressions.xml ---------------------------------------------------------------------- diff --git a/src/main/config/dependency-check/suppressions.xml b/src/main/config/dependency-check/suppressions.xml new file mode 100644 index 0000000..01f0b29 --- /dev/null +++ b/src/main/config/dependency-check/suppressions.xml 
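Review bot: The new `ServletRequest request` parameter is accepted to satisfy the Jetty 9.4 `LoginService` signature but is not used in the visible part of `login`, and the body still casts `credentials` straight to `String` before passing it to `B64Code.decode`; a credential object of another type (or null) surfaces as a `ClassCastException`/`NullPointerException` out of the authenticator rather than as a refused login. A guard before the cast, `if (!(credentials instanceof String)) { return null; }` (null being the `LoginService` convention for a failed login, as far as I recall), plus a comment `// request is unused; required by the Jetty 9.4 LoginService signature` on the new parameter, would state the override's contract. The constructor visible above this hunk still writes the parent's private target-name field through reflection (`targetNameField.set(this, serverPrincipal)`), and a 9.2 to 9.4 jump is exactly the kind of upgrade that can rename or remove such a field; it is worth confirming that a test exercises the SPNEGO path against the new Jetty. The method body continues past the end of the hunk.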
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <suppress>
+ <notes><![CDATA[Suppress all CVE entries that have a score below CVSS 7.]]></notes>
+ <cvssBelow>7</cvssBelow>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[Suppress some false positives identified on
+ avatica-server-1.13, which the CVE database thinks looks similar to
+ Apache HTTPD version 1.13.]]></notes>
+ <cve>CVE-1999-1412</cve>
+ <cve>CVE-2003-0789</cve>
+ <cve>CVE-1999-1237</cve>
+ <cve>CVE-1999-0236</cve>
+ </suppress>
+</suppressions>
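Review bot: The second `<suppress>` lists four CVE ids with no `<gav>` or `<cpe>` scope, so those CVEs are suppressed for every artifact the scan sees, not only for the mis-identified `avatica-server` jar; and because the root cause is a wrong CPE match (avatica-server being taken for Apache HTTP Server, as the notes say), every further httpd CVE that matches will reappear on the next scan and invite another `<cve>` line. Scoping the entry to the artifact and suppressing the CPE itself fixes both: `<gav regex="true">^org\.apache\.calcite\.avatica:avatica-server:.*$</gav>` together with `<cpe>cpe:/a:apache:http_server</cpe>` in place of the four `<cve>` elements. The first `<suppress>` (`<cvssBelow>7</cvssBelow>`) hides every medium- and low-severity finding for all dependencies with no expiry, which is a policy decision rather than a false positive; the `<notes>` should say so and name when it is to be revisited, so the next reader does not mistake it for a vetted suppression.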
