This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
     new 3b8e542  ZOOKEEPER-3262: Update dependencies flagged by OWASP report
3b8e542 is described below

commit 3b8e54292228f5cb465c50d89f16f229c8bd8e6c
Author: Enrico Olivelli <[email protected]>
AuthorDate: Thu Feb 7 07:14:25 2019 +0100

    ZOOKEEPER-3262: Update dependencies flagged by OWASP report
    
    - Upgrade Jetty to 9.4.14.v20181114
    - Upgrade Jackson to 2.9.8
    - Suppress a false positive about Netty (https://github.com/jeremylong/DependencyCheck/issues/1653)
    - Suppress false positives against ZooKeeper itself: CVE-2018-8012 and CVE-2016-5017
    
    Author: Enrico Olivelli <eolivelliapache.org>
    
    Author: Enrico Olivelli <[email protected]>
    Author: Enrico Olivelli <[email protected]>
    
    Reviewers: [email protected]
    
    Closes #805 from eolivelli/fix/owasp-35 and squashes the following commits:
    
    811bfefe5 [Enrico Olivelli] Merge branch 'branch-3.5' into fix/owasp-35
    e7089a0ab [Enrico Olivelli] ZOOKEEPER-3262: Update dependencies flagged by 
OWASP report
---
 build.xml             |  4 ++--
 owaspSuppressions.xml | 13 +++++++++++++
 pom.xml               |  4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/build.xml b/build.xml
index 3f4691d..eb4edd8 100644
--- a/build.xml
+++ b/build.xml
@@ -54,8 +54,8 @@ xmlns:cs="antlib:com.puppycrawl.tools.checkstyle.ant">
 
     <property name="javacc.version" value="5.0"/>
 
-    <property name="jetty.version" value="9.4.10.v20180503"/>
-    <property name="jackson.version" value="2.9.5"/>
+    <property name="jetty.version" value="9.4.14.v20181114"/>
+    <property name="jackson.version" value="2.9.8"/>
     <property name="dependency-check-ant.version" value="4.0.2"/>
 
     <property name="commons-io.version" value="2.6"/>
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 0165b9a..93f0250 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -22,4 +22,17 @@
       <!-- ZOOKEEPER-3217 -->
       <cve>CVE-2018-8088</cve>
    </suppress>
+   <suppress>
+      <!-- ZOOKEEPER-3262 -->
+      <cve>CVE-2018-8012</cve>
+   </suppress>
+   <suppress>
+      <!-- ZOOKEEPER-3262 -->
+      <cve>CVE-2016-5017</cve>
+   </suppress>
+   <suppress>
+      <!-- https://github.com/jeremylong/DependencyCheck/issues/1653
+           False positive on Netty 4.x-->
+      <cve>CVE-2018-12056</cve>
+   </suppress>
 </suppressions>
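Review bot: The three new `<suppress>` entries carry only a `<cve>` child and no `<gav>`, `<packageUrl>` or `<sha1>` selector, so each CVE is suppressed for every artifact dependency-check scans rather than only the one the false positive concerns; should some other dependency later be flagged for CVE-2018-12056, the report will stay silent about it. Scope each entry to the artifact it is meant for, e.g. `<gav regex="true">^io\.netty:netty.*:.*$</gav>` in the Netty entry and `<gav regex="true">^org\.apache\.zookeeper:zookeeper.*:.*$</gav>` in the two ZooKeeper entries. The `<!-- ZOOKEEPER-3262 -->` comments only name the ticket, so a maintainer reading the file cannot tell why the match is wrong; a `<notes>` child (supported by the suppression schema) such as `<notes>CVE reported against ZooKeeper itself, presumably an earlier release line — confirm; not applicable to the artifact built here</notes>` would keep the justification next to the entry. The ticket references in the comments are fine as they are.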
diff --git a/pom.xml b/pom.xml
index c7d28d1..0f27304 100755
--- a/pom.xml
+++ b/pom.xml
@@ -270,9 +270,9 @@
     <mockito.version>1.8.5</mockito.version>
     <hamcrest.version>1.3</hamcrest.version>
     <commons-cli.version>1.2</commons-cli.version>
+    <jetty.version>9.4.14.v20181114</jetty.version>
+    <jackson.version>2.9.8</jackson.version>
     <netty.version>4.1.29.Final</netty.version>
-    <jetty.version>9.4.10.v20180503</jetty.version>
-    <jackson.version>2.9.5</jackson.version>
     <json.version>1.1.1</json.version>
     <jline.version>2.11</jline.version>
     <kerby.version>1.1.0</kerby.version>
