This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new 52d1b91bcc8 SOLR-16581: Upgrade OWASP dependency check to 7.4.1 (#1226)
52d1b91bcc8 is described below
commit 52d1b91bcc83a0797d47bbe05e28d7fd99f81d86
Author: Kevin Risden <[email protected]>
AuthorDate: Fri Dec 9 13:37:34 2022 -0500
SOLR-16581: Upgrade OWASP dependency check to 7.4.1 (#1226)
---
build.gradle | 2 +-
gradle/validation/owasp-dependency-check.gradle | 4 ++--
.../owasp-dependency-check/exclusions.xml | 21 +++++++++++++++++++++
solr/CHANGES.txt | 2 ++
4 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index 5ec14ae6ee2..40b6de24a86 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,7 +21,7 @@ import java.time.format.DateTimeFormatter
plugins {
id "base"
id "com.palantir.consistent-versions" version "2.11.0"
- id "org.owasp.dependencycheck" version "7.2.0"
+ id "org.owasp.dependencycheck" version "7.4.1"
id 'ca.cutterslade.analyze' version "1.9.0"
id 'de.thetaphi.forbiddenapis' version '3.4' apply false
id "de.undercouch.download" version "5.2.0" apply false
diff --git a/gradle/validation/owasp-dependency-check.gradle
b/gradle/validation/owasp-dependency-check.gradle
index d58fd8bfd10..6d76e9cb7ff 100644
--- a/gradle/validation/owasp-dependency-check.gradle
+++ b/gradle/validation/owasp-dependency-check.gradle
@@ -25,9 +25,9 @@ def resources = scriptResources(buildscript)
configure(rootProject) {
dependencyCheck {
failBuildOnCVSS = propertyOrDefault("validation.owasp.threshold", 7) as
Integer
- formats = ['HTML', 'JSON']
+ formats = ['ALL']
skipProjects = [':solr:solr-ref-guide']
- skipConfigurations = ['unifiedClasspath']
+ skipConfigurations = ['unifiedClasspath', 'permitUnusedDeclared']
suppressionFile = file("${resources}/exclusions.xml")
}
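Review bot: The new `skipConfigurations = ['unifiedClasspath', 'permitUnusedDeclared']` line drops every artifact resolved through `permitUnusedDeclared` from the CVE scan, and nothing in the file records why that is safe. If, as the name suggests, it is the marker configuration of the `ca.cutterslade.analyze` plugin applied in build.gradle and only re-lists dependencies already scanned through the real classpaths, the exclusion is harmless, but a later reader cannot tell that from the config alone. I would add, above the line, `// permitUnusedDeclared only re-declares deps that are already scanned via the regular classpaths; skipping it avoids duplicate findings, not real ones` (adjusted to whatever the actual reason was). The `configure(rootProject)` block that encloses these lines closes outside the hunk.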
diff --git a/gradle/validation/owasp-dependency-check/exclusions.xml
b/gradle/validation/owasp-dependency-check/exclusions.xml
index 261f52ddf2c..7043d611ebb 100644
--- a/gradle/validation/owasp-dependency-check/exclusions.xml
+++ b/gradle/validation/owasp-dependency-check/exclusions.xml
@@ -51,4 +51,25 @@
<packageUrl
regex="true">^pkg:maven/org\.carrot2\.shaded/carrot2\-guava@.*$</packageUrl>
<cpe>cpe:/a:google:guava</cpe>
</suppress>
+ <suppress>
+ <notes><![CDATA[Apache Calcite Avatica has separate releases from Apache
Calcite]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.calcite\.avatica/.*@.*$</packageUrl>
+ <cpe>cpe:/a:apache:calcite</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[jetty-servlet-api has separate releases from Jetty
itself]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
+ <cpe>cpe:/a:eclipse:jetty</cpe>
+ <cpe>cpe:/a:jetty:jetty</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[hadoop-shaded-guava-1.1.1.jar is not Apache Hadoop
1.1.1]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-guava@.*$</packageUrl>
+ <cpe>cpe:/a:apache:hadoop:1.1.1</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[hadoop-client-runtime-3.*.jar is not Apache Hadoop
1.1.1]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@3.*$</packageUrl>
+ <cpe>cpe:/a:apache:hadoop:1.1.1</cpe>
+ </suppress>
</suppressions>
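Review bot: The `hadoop-client-runtime` packageUrl regex ends in `@3.*$`, where the dot is unescaped, so it matches any version string starting with `3` (including a hypothetical `30.x` or `3x`), unlike the other entries in this hunk, which escape every literal dot; tightening it to `^pkg:maven/org\.apache\.hadoop/hadoop\-client\-runtime@3\..*$` keeps the suppression scoped to the 3.x line the note describes. The four new entries are correctly narrowed to a single false-positive CPE rather than suppressing a CVE id, which is the right shape, but none carries an `until` date; adding `until="<ISO date placeholder>"` to each `<suppress>` forces the false-positive claim to be re-checked when it expires instead of silently outliving the dependency that justified it. Note also that suppressing `cpe:/a:apache:hadoop:1.1.1` on `hadoop-shaded-guava` only removes the wrong Hadoop match; it does not make the bundled Guava visible to the scanner, so that jar presumably still needs to be tracked by hand.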
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 4a1e494d702..8c0ccf92a9a 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -116,6 +116,8 @@ Build
* SOLR-16578: Upgrade to errorprone 2.16 (Kevin Risden)
+* SOLR-16581: Upgrade OWASP dependency check to 7.4.1 (Kevin Risden)
+
Other Changes
---------------------
* SOLR-16545: Upgrade Carrot2 to 4.5.0 (Dawid Weiss)