Author: jleroux
Date: Sun Dec 6 11:26:00 2015
New Revision: 1718162
URL: http://svn.apache.org/viewvc?rev=1718162&view=rev
Log:
More info about dependency-check command line option. Ref in wiki:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61331040
Added:
ofbiz/trunk/tools/security/
ofbiz/trunk/tools/security/LICENSE.txt (with props)
ofbiz/trunk/tools/security/NOTICE.txt (with props)
ofbiz/trunk/tools/security/README (with props)
ofbiz/trunk/tools/security/README.md
ofbiz/trunk/tools/security/check.bat (with props)
ofbiz/trunk/tools/security/dependency-check-report.html (with props)
ofbiz/trunk/tools/security/suppress.xml (with props)
Added: ofbiz/trunk/tools/security/LICENSE.txt
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/LICENSE.txt?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/LICENSE.txt (added)
+++ ofbiz/trunk/tools/security/LICENSE.txt Sun Dec 6 11:26:00 2015
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
Propchange: ofbiz/trunk/tools/security/LICENSE.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/tools/security/LICENSE.txt
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/tools/security/LICENSE.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: ofbiz/trunk/tools/security/NOTICE.txt
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/NOTICE.txt?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/NOTICE.txt (added)
+++ ofbiz/trunk/tools/security/NOTICE.txt Sun Dec 6 11:26:00 2015
@@ -0,0 +1,18 @@
+dependency-check-cli
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the licenses.
+
+This product includes software developed by The Apache Software Foundation
(http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database
engine (http://www.h2database.com/), which is dual licensed and available under
a modified version of the MPL 1.1 (Mozilla Public License) or under the
(unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at:
http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE):
http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability
Database hosted by NIST: http://nvd.nist.gov/download.cfm
\ No newline at end of file
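Review bot: this NOTICE.txt (and the LICENSE.txt added alongside it) is the dependency-check-cli distribution's own notice, copyright Jeremy Long, crediting jQuery, jsoup, H2, CWE and the NVD; none of that software is checked in under tools/security, where the README says dependency-check must be installed separately. Placed unannotated in the OFBiz tree it reads as OFBiz's own attribution for this directory. Either drop both files or prefix this one with a line saying it is copied from the dependency-check-cli distribution for reference, and note that `The licenses for the software listed below can be found in the licenses.` names no location here, since the upstream `licenses` folder it refers to is not part of this commit.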
Propchange: ofbiz/trunk/tools/security/NOTICE.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/tools/security/NOTICE.txt
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/tools/security/NOTICE.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: ofbiz/trunk/tools/security/README
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/README?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/README (added)
+++ ofbiz/trunk/tools/security/README Sun Dec 6 11:26:00 2015
@@ -0,0 +1,4 @@
+This is only given as an example. It uses the
https://www.owasp.org/index.php/OWASP_Dependency_Check command line option
+To have it working you must have the dependency-check command line option
correctly installed.
+
+In any cases be sure to check
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61331040
\ No newline at end of file
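Review bot: `command line option` (used twice) should read `command line tool` or `command line interface`; dependency-check is the tool and the scan flags are its options, and the same slip is in the commit log. `In any cases` should be `In any case`. The README also does not say how the pieces in this directory fit together: that check.bat is the invocation, that suppress.xml is the suppression file meant to be passed via `--suppression`, and that dependency-check-report.html is a sample report from one run; one line on each would make the directory usable without the wiki page.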
Propchange: ofbiz/trunk/tools/security/README
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/tools/security/README
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: ofbiz/trunk/tools/security/README.md
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/README.md?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/README.md (added)
+++ ofbiz/trunk/tools/security/README.md Sun Dec 6 11:26:00 2015
@@ -0,0 +1,24 @@
+Dependency-Check Command Line
+================
+Dependency-Check Command Line can be used to check project dependencies for
published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as
well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is
currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known
Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the
[github
pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+
+Mailing List
+------------
+
+Subscribe:
[[email protected]](mailto:[email protected])
+
+Post:
[[email protected]](mailto:[email protected])
+
+Copyright & License
+------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache
2.0 license. See the
[LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt)
file for the full license.
+
+Dependency-Check Command Line makes use of other open source libraries. Please
see the
[NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt)
file for more information.
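Review bot: this file is the upstream dependency-check-cli README verbatim (its mailing list, its 2012-2014 copyright line, links into jeremylong/DependencyCheck on GitHub), so next to the plain README it looks like documentation for the OFBiz tooling while answering a different question. Prefer dropping it and keeping the wiki link in README, or add a first line saying it is the upstream project's README kept for reference; two READMEs with different contents in one directory will be read as contradicting each other.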
Added: ofbiz/trunk/tools/security/check.bat
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/check.bat?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/check.bat (added)
+++ ofbiz/trunk/tools/security/check.bat Sun Dec 6 11:26:00 2015
@@ -0,0 +1,3 @@
+@echo %time%
+dependency-check -project OFBiz -scan C:\projectASF-Mars\ofbiz --suppression
C:\tools\dependency-check\suppress.xml
+@echo %time%
\ No newline at end of file
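Review bot: both paths are bound to one developer's machine, `-scan C:\projectASF-Mars\ofbiz` and `--suppression C:\tools\dependency-check\suppress.xml`, and the latter does not point at the suppress.xml committed in this same directory, so anyone running the script gets a different suppression set from the one under review. Make the script location-relative, e.g. `dependency-check --project OFBiz --scan "%~dp0..\.." --suppression "%~dp0suppress.xml"`, and add `--out` so the report is written somewhere other than the current directory (run from tools/security, the default silently overwrites the committed report). The two `@echo %time%` lines only print wall-clock timestamps; if the intent is to show run time, say so in a comment, since the reader has to subtract them by hand.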
Propchange: ofbiz/trunk/tools/security/check.bat
------------------------------------------------------------------------------
svn:eol-style = CRLF
Added: ofbiz/trunk/tools/security/dependency-check-report.html
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check-report.html?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check-report.html (added)
+++ ofbiz/trunk/tools/security/dependency-check-report.html Sun Dec 6 11:26:00
2015
@@ -0,0 +1,23505 @@
+
+
+
+
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Dependency-Check Report</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ <link rel="shortcut icon"
href="data:;base64,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"
/>
+ <script type="text/javascript">
+ /*! jQuery [email protected] jquery.com | jquery.org/license */
[... 23494 lines stripped ...]
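Review bot: a 23,505-line generated report, with a full copy of jQuery embedded in it, is being committed to trunk. Its content is a point-in-time view of the NVD feed on the day it was run and will be stale after the next run, while every regeneration produces a whole-file diff. The findings it documents are what the wiki page referenced in the log already records; keep the HTML out of the tree (write it with `--out` to an ignored directory, or attach it to the wiki page) or, if a sample report is wanted in-tree, put the run date in the file name so nobody mistakes it for current state.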
Propchange: ofbiz/trunk/tools/security/dependency-check-report.html
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/tools/security/dependency-check-report.html
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/tools/security/dependency-check-report.html
------------------------------------------------------------------------------
svn:mime-type = text/html
Added: ofbiz/trunk/tools/security/suppress.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/suppress.xml?rev=1718162&view=auto
==============================================================================
--- ofbiz/trunk/tools/security/suppress.xml (added)
+++ ofbiz/trunk/tools/security/suppress.xml Sun Dec 6 11:26:00 2015
@@ -0,0 +1,179 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions
xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+
+ <!-- to check the comments yourself, simply comment out the block/s you
are interested in and use Dependency Check to get the related CVE/s -->
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: annotations-api-3.0.jar
+ ]]></notes>
+ <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
+ <cpe>cpe:/a:apache:tomcat:3.0</cpe>
+ </suppress>
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: annotations-api-3.0.jar
+ ]]></notes>
+ <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
+ <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
+ </suppress>
+
+ <suppress><!-- This concerns Wordpress only-->
+ <notes><![CDATA[
+ file name: fontbox-1.8.5.jar
+ ]]></notes>
+ <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
+ <cpe>cpe:/a:font_project:font:1.8.5</cpe>
+ </suppress>
+
+ <suppress><!-- This concerns Wordpress only-->
+ <notes><![CDATA[
+ file name: fontbox-1.8.5.jar
+ ]]></notes>
+ <sha1>17d32ff4cf06bfaa1ca48a1100108728d72228f0</sha1>
+ <cve>CVE-2015-7683</cve>
+ </suppress>
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: el-api-2.2.jar
+ ]]></notes>
+ <sha1>cdaf8fc6a6757f9a9795044cd51fd7c36fa7bc0e</sha1>
+ <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
+ </suppress>
+
+ <suppress><!-- The classes OFBiz uses are not concerned (no UI) -->
+ <notes><![CDATA[
+ file name: geronimo-j2ee-connector_1.5_spec-2.0.0.jar
+ ]]></notes>
+ <sha1>1da837af8f5bf839ab48352f3dbfd6c4ecedc232</sha1>
+ <cpe>cpe:/a:apache:geronimo:2.0</cpe>
+ </suppress>
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: jsp-api-2.2.jar
+ ]]></notes>
+ <sha1>f563c9d8a674a6de032cea14f5175b128e9d6b3a</sha1>
+ <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
+ </suppress>
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: servlet-api-3.0.jar
+ ]]></notes>
+ <sha1>0752bd9e92cc3c425b9553e84504111ed03f34bb</sha1>
+ <cpe>cpe:/a:apache:tomcat:3.0</cpe>
+ </suppress>
+
+ <suppress><!-- OFBiz uses a more recent Tomcat version -->
+ <notes><![CDATA[
+ file name: servlet-api-3.0.jar
+ ]]></notes>
+ <sha1>0752bd9e92cc3c425b9553e84504111ed03f34bb</sha1>
+ <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
+ </suppress>
+
+ <suppress><!-- OFBiz only uses
com.sun.mail.smtp.SMTPAddressFailedException: not concerned -->
+ <notes><![CDATA[
+ file name: mail-1.5.1.jar
+ ]]></notes>
+ <sha1>9724dd44f1abbba99c9858aa05fc91d53f59e7a5</sha1>
+ <cpe>cpe:/a:sun:javamail:1.5.1</cpe>
+ </suppress>
+
+ <suppress><!-- Waiting for update but covered, see OFBIZ-6568 -->
+ <notes><![CDATA[
+ file name: groovy-all-2.2.1.jar
+ ]]></notes>
+ <sha1>28213a88c48651a254a21bc807712cb5b8be0baa</sha1>
+ <cpe>cpe:/a:apache:groovy:2.2.1</cpe>
+ </suppress>
+
+ <suppress><!-- This concerns the UI/XSS and init script in whole Geronimo,
OFBiz only uses this class => not concerned. Moreover IBM no longer supports
Geronimo so I don't see the point of upgrading as long as it works-->
+ <notes><![CDATA[
+ file name: geronimo-jaxr_1.0_spec-1.0.jar
+ ]]></notes>
+ <sha1>f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.0</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-jms_1.1_spec-1.1.1.jar
+ ]]></notes>
+ <sha1>c872b46c601d8dc03633288b81269f9e42762cea</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-saaj_1.3_spec-1.1.jar
+ ]]></notes>
+ <sha1>be6e6fc49ca84631f7c47a04d5438e193db54d7c</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.1</cpe>
+ </suppress>
+
+ <suppress><!-- This concerns the init script in whole Geronimo, OFBiz only
uses this class => not concerned. Moreover IBM no longer supports Geronimo so I
don't see the point of upgrading as long as it works-->
+ <notes><![CDATA[
+ file name: geronimo-transaction-3.1.1.jar
+ ]]></notes>
+ <sha1>1cfdfcff3cd6a805be401946ab14213b0bad9cb4</sha1>
+ <cpe>cpe:/a:apache:geronimo:3.1.1</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-jaxrpc_1.1_spec-1.0.jar
+ ]]></notes>
+ <sha1>c581838de2339f61f1965db0ff912ff2ac1c4b30</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.0</cpe>
+</suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-jta_1.1_spec-1.1.1.jar
+ ]]></notes>
+ <sha1>aabab3165b8ea936b9360abbf448459c0d04a5a4</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: geronimo-activation_1.0.2_spec-1.0.jar
+ ]]></notes>
+ <sha1>6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656</sha1>
+ <cpe>cpe:/a:apache:geronimo:1.0</cpe>
+ </suppress>
+
+ <!-- About Tomcat 7.0.65 vulnerabilities (start with
tomcat-7.0.65-jasper.jar): I put not suppress (there are - too much - tons of
them) because none of CVE-2009-2696 CVE-2007-5461 CVE-2002-0493 concern OFBIZ .
+ And CVE-2013-2185 is disputed by the Tomcat team, see OFBIZ-6752
for details -->
+
+ <!-- About Axis 1.6.3 (start with axis2-kernel-1.6.3.jar):1.6.3 is the
higher version anyway, so we can't do more here -->
+
+ <suppress><!-- This has been handled with r1557462 for OFBIZ-5409 . Anyway
nowaydays modern browsers protect from that-->
+ <notes><![CDATA[
+ file name: package.json
+ ]]></notes>
+ <sha1>cfe99f497ed35573d7dfc291068d742399a0eee0</sha1>
+ <cpe>cpe:/a:jquery:jquery:1.10.0</cpe>
+ </suppress>
+
+ <!-- I tried to update commons-httpclient-3.1 to httpclient-4.5.1 +
httpcore-4.4.3 but commons-httpclient-3.1 is needed by Axis2-1.6.3 .
+ The passport component also uses commons-httpclient-3.1. It should
should be updated to use httpclient-4.5.1 + httpcore-4.4.3 (while keeping
commons-httpclient-3.1 for Axis2-1.6.3)
+ See pending OFBIZ-6755 -->
+
+ <!-- all cpe:/a:apache:axis:1.4 can be neglected because they are related
to Birt which with latest version (4.5.0) still uses Axis 1.4. So are neglected
all cpe:/a:eclipse:birt: -->
+
+ <suppress><!-- Not an issue for OFBiz. See
http://seclists.org/oss-sec/2014/q2/508: "This flaw only affects Apache
Zookeeper used in conjunction with [redhat] Fuse Fabric". -->
+ <notes><![CDATA[
+ file name: zookeeper-3.4.6.jar
+ ]]></notes>
+ <sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
+ <cpe>cpe:/a:apache:zookeeper:3.4.6</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: zookeeper-3.4.6.jar
+ ]]></notes>
+ <sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
+ <cve>CVE-2014-0085</cve>
+ </suppress>
+
+</suppressions>
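Review bot: several `<cpe>` suppressions here silence every CVE, present and future, for the matched product on that jar, which is the right tool for a misidentification but not for an accepted risk. The groovy-all-2.2.1 block is annotated `Waiting for update but covered, see OFBIZ-6568`, i.e. a real finding that is pending, yet it suppresses `cpe:/a:apache:groovy:2.2.1` wholesale, so any new Groovy 2.2.1 CVE will also be hidden; suppress the specific `<cve>` instead and remove it when OFBIZ-6568 is resolved. Likewise the zookeeper-3.4.6 pair: the `<cpe>cpe:/a:apache:zookeeper:3.4.6</cpe>` block already covers CVE-2014-0085, so the second block is dead, and the oss-sec note justifies suppressing that one CVE, not the product; keep the `<cve>` block and drop the CPE one. The fontbox pair has the same shape (CPE plus CVE-2015-7683 for the same sha1); one of the two suffices. The Geronimo blocks for geronimo-jms_1.1_spec, geronimo-saaj_1.3_spec, geronimo-jaxrpc_1.1_spec, geronimo-jta_1.1_spec and geronimo-activation_1.0.2_spec carry no rationale comment, unlike every other entry; copy the `OFBiz only uses this class => not concerned` note onto each so the next review does not have to re-derive it (and indent the stray `</suppress>` after the jaxrpc block). For the Tomcat API jars (annotations-api, servlet-api, el-api, jsp-api) the suppressions pin exact CPE versions (3.0, 7.0.54) per jar, so every version the analyzer guesses next needs a new block; the actual reason these are false positives is that they are spec API jars, not the Tomcat runtime, which is the comment to record instead of `OFBiz uses a more recent Tomcat version`. Finally, the jQuery block's `modern browsers protect from that` is not a justification to keep in a suppression file; the r1557462 / OFBIZ-5409 reference is the justification, so leave only that.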
Propchange: ofbiz/trunk/tools/security/suppress.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/tools/security/suppress.xml
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/tools/security/suppress.xml
------------------------------------------------------------------------------
svn:mime-type = text/xml