This is an automated email from the ASF dual-hosted git repository. jgallimore pushed a commit to branch tomee-1.7.x in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 0bf303f3fa7234d3bb241b6014060f96425a021b
Author: rzo1 <rich...@zowalla.com>
AuthorDate: Tue Dec 18 11:20:23 2018 +0100
TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0" and "owasp-report"
---
owasp-dc-suppression.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++++++
pom.xml | 52 +++++++++++++++++++++++++++++++
2 files changed, 132 insertions(+)
diff --git a/owasp-dc-suppression.xml b/owasp-dc-suppression.xml
new file mode 100644
index 0000000..04b5050
--- /dev/null
+++ b/owasp-dc-suppression.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+ <suppress>
+ <notes><![CDATA[
+ file name: self dependencies...
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cve>CVE-2018-8031</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: self dependencies...
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cve>CVE-2010-1151</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: false positive apache http server
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: false positive apache http server
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:.*$</gav>
+ <cpe>cpe:/a:apache:http_server</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: ziplock-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.apache\.tomee:ziplock:.*$</gav>
+ <cpe>cpe:/a:zip_project:zip</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: eclipselink-*jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: eclipselink-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:eclipselink:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: javax.persistence-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: javax.persistence-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:javax\.persistence:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: commonj.sdo-*.jar
+ ]]></notes>
+ <gav 
regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+ <cpe>cpe:/a:git:git</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: commonj.sdo-*.jar
+ ]]></notes>
+ <gav regex="true">^org\.eclipse\.persistence:commonj\.sdo:.*$</gav>
+ <cpe>cpe:/a:git_project:git</cpe>
+ </suppress>
+</suppressions>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 1eb5531..1714f61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -342,6 +342,11 @@
 <artifactId>maven-deploy-plugin</artifactId>
 <version>2.8.2</version>
 </plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>4.0.0</version>
+ </plugin>
 </plugins>
 </pluginManagement>
@@ -701,6 +706,53 @@
 </profile>
 <profile>
+ <id>owasp-report</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ <profile>
+ <id>owasp-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <failBuildOnCVSS>8.0</failBuildOnCVSS>
+ <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ <profile>
 <id>rat</id>
 <modules>
 <module>itests</module>
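Review bot: The two `<cve>` suppressions at the top of owasp-dc-suppression.xml match every `org.apache.tomee:*` artifact and never expire, so CVE-2018-8031 and CVE-2010-1151 stay hidden even if a module later pulls in an older, affected TomEE artifact; the 1.2 suppression schema supports an expiry on the element, e.g. `<suppress until="<review-date>Z">` (placeholder date), which forces the entry to be re-justified instead of living forever. The `<notes>` only say `file name: self dependencies...`; each entry should record why the match is a false positive (which artifact triggers it and what evidence rules the finding out), since that is the only thing the next maintainer has when deciding whether to keep the suppression. The `cpe:/a:git:git` / `cpe:/a:git_project:git` pairs for eclipselink, javax.persistence and commonj.sdo are six near-identical entries; if the schema allows several `<cpe>` children per `<suppress>`, they collapse to one entry per artifact, or to a single `^org\.eclipse\.persistence:.*$` entry, and a trailing newline at end of file would keep future diffs clean.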
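Review bot: The pluginManagement entry pins only `<version>4.0.0</version>`, while the two profiles added in the `@@ -701,6 +706,53 @@` hunk repeat `skipProvidedScope`, `skipRuntimeScope` and `suppressionFiles` verbatim; pluginManagement is where shared plugin configuration belongs, so the common `<configuration>` can move here and each profile then declares only its goal and, for `owasp-check`, `failBuildOnCVSS`. That also means a future change to the suppression-file path or the scope filters is made once rather than kept in sync by hand across both profiles.
```xml
<plugin>
  <!-- … unchanged: groupId, artifactId, version 4.0.0 … -->
  <configuration>
    <skipProvidedScope>true</skipProvidedScope>
    <skipRuntimeScope>true</skipRuntimeScope>
    <suppressionFiles>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</suppressionFiles>
  </configuration>
</plugin>
```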
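Review bot: `failBuildOnCVSS` is 8.0 in the `owasp-check` profile, so findings scored 7.0–7.9 (NVD "High") never fail the build; if that is a deliberate trade-off, a comment beside the element saying so would spare the next reader a debate, and if not, `<failBuildOnCVSS>7.0</failBuildOnCVSS>` is the more common cut-off. Both profiles set `skipProvidedScope` and `skipRuntimeScope` to true; for a server whose distribution bundles its own provided- and runtime-scoped modules this likely excludes shipped jars from the scan, which should be confirmed against the assembly descriptors before the check is treated as coverage. The commit message describes the threshold as "> 8.0", whereas, as far as I recall, the plugin fails on scores equal to or above the configured value, so the wording and the value should be aligned. `${maven.multiModuleProjectDirectory}` is only defined by the Maven 3.3.1+ launcher; on older Maven the suppression path resolves to a literal and the suppressions are silently not applied, so an enforcer rule or a `<prerequisites>`-style note on the minimum Maven version is worth adding.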