Author: gk
Date: Tue May 21 12:03:47 2019
New Revision: 1859623

URL: http://svn.apache.org/viewvc?rev=1859623&view=rev
Log:
- suppress warning for jython-standalone as optional dependency.

Modified:
    turbine/core/trunk/pom.xml
    turbine/core/trunk/suppression-owasp-fp.xml

Modified: turbine/core/trunk/pom.xml
URL: 
http://svn.apache.org/viewvc/turbine/core/trunk/pom.xml?rev=1859623&r1=1859622&r2=1859623&view=diff
==============================================================================
--- turbine/core/trunk/pom.xml (original)
+++ turbine/core/trunk/pom.xml Tue May 21 12:03:47 2019
@@ -1051,12 +1051,13 @@
       <classifier>tests</classifier>
       <scope>test</scope>
     </dependency>
-    <!-- suppress oswasp warning until v1.1.2 is released, which fixes 
https://github.com/quartz-scheduler/quartz/issues/316 -->
+    <!-- suppress owasp warning until v1.1.2 is released, which fixes 
https://github.com/quartz-scheduler/quartz/issues/316 -->
     <dependency>
       <groupId>org.apache.fulcrum</groupId>
       <artifactId>fulcrum-quartz</artifactId>
       <version>1.1.1</version>
     </dependency>
+    <!-- suppress owasp CVE-2018-11771, CVE-2018-1324, as jython-standalone is 
optional.-->
     <dependency>
       <groupId>org.python</groupId>
       <artifactId>jython-standalone</artifactId>
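Review bot: The new comment above the jython-standalone dependency justifies suppressing CVE-2018-11771 and CVE-2018-1324 by the dependency being optional, but the `<dependency>` element continues past the end of the hunk, so the `<optional>true</optional>` it relies on is not visible here; confirm it is actually declared on this dependency. Worth spelling out in the comment what "optional" buys: it only keeps the bundled commons-compress 1.14 out of downstream consumers' transitive dependency graphs, while it remains on Turbine's own compile/runtime classpath through the jython-standalone jar, so the finding is being accepted, not eliminated. Suggested wording: `<!-- suppress owasp CVE-2018-11771, CVE-2018-1324 (commons-compress 1.14 bundled inside jython-standalone): dependency is optional, so not propagated to consumers, but it is still on our own classpath; revisit when a jython release ships a newer commons-compress -->`.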

Modified: turbine/core/trunk/suppression-owasp-fp.xml
URL: 
http://svn.apache.org/viewvc/turbine/core/trunk/suppression-owasp-fp.xml?rev=1859623&r1=1859622&r2=1859623&view=diff
==============================================================================
--- turbine/core/trunk/suppression-owasp-fp.xml (original)
+++ turbine/core/trunk/suppression-owasp-fp.xml Tue May 21 12:03:47 2019
@@ -44,4 +44,17 @@
      <sha1>5af35056b4d257e4b64b9e8069c0746e8b08629f</sha1>
      <cve>CVE-2017-5645</cve>
   </suppress>
+  <!--  jython-standalone is only optional, but check this
+  
jython-standalone-2.7.1.jar\META-INF/maven/org.apache.commons/commons-compress/pom.xml
 (pkg:maven/org.apache.commons/[email protected], 
cpe:2.3:a:apache:commons-compress:1.14:*:*:*:*:*:*:*) : CVE-2018-11771, 
CVE-2018-1324.
+  jython-standalone-2.7.1.jar bundles dependencies of the project inside the 
JAR itself, unshaded.
+    -->
+  <suppress>
+   <notes><![CDATA[
+   file name: jython-standalone-2.7.1.jar (shaded: 
org.apache.commons:commons-compress:1.14)
+   ]]></notes>
+   <gav regex="true">^org\.apache\.commons:commons-compress:.*$</gav>
+   <cpe>cpe:/a:apache:commons-compress</cpe>
+   </suppress>
+
+
 </suppressions>
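Review bot: The new `<suppress>` entry has no `<cve>` children and keys on `<gav regex="true">^org\.apache\.commons:commons-compress:.*$</gav>` plus a bare `<cpe>`, so it silences every current and future commons-compress finding for any commons-compress coordinate dependency-check sees in this build, not just CVE-2018-11771 and CVE-2018-1324 in the copy nested inside jython-standalone-2.7.1.jar. The existing entries above it are scoped tightly (a `<sha1>` and a single `<cve>`); this one should be scoped the same way, matching the nested jar path dependency-check reports in the comment and listing the two CVEs explicitly, so a new commons-compress advisory or a directly declared commons-compress dependency is not hidden. If the dependency-check version in use supports the `until` attribute on `<suppress>`, adding it would force a re-review once jython ships a newer commons-compress. The filePath regex below is derived from the path quoted in the comment and should be confirmed against the actual report before committing.

```xml
<suppress>
   <notes><![CDATA[
   file name: jython-standalone-2.7.1.jar (shaded: org.apache.commons:commons-compress:1.14)
   ]]></notes>
   <!-- match only the commons-compress pom nested inside the jython-standalone jar -->
   <filePath regex="true">.*jython-standalone-2\.7\.1\.jar.*commons-compress.*</filePath>
   <cpe>cpe:/a:apache:commons-compress</cpe>
   <cve>CVE-2018-11771</cve>
   <cve>CVE-2018-1324</cve>
</suppress>
```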
\ No newline at end of file

