mirror of
https://github.com/cryptomator/cryptomator.git
synced 2026-05-20 19:51:27 +00:00
Add OWASP Dependency-Check Maven Plugin
* only active if profile dependency check is active * added suppresion.xml for false positives * added tmp fix for jwt lib
This commit is contained in:
Armin Schrenk
33
main/pom.xml
33
main/pom.xml
@@ -230,6 +230,13 @@
|
||||
<version>${javafx.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
<!-- TODO: temporary fix for XXE attack, can be removed once java-jwt is updated -->
|
||||
<dependency>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
|
||||
<artifactId>jackson-databind</artifactId>
|
||||
<version>2.10.5.1</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</dependencyManagement>
|
||||
|
||||
@@ -332,6 +339,32 @@
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</profile>
|
||||
<profile>
|
||||
<id>dependency-check</id>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-maven</artifactId>
|
||||
<version>6.0.3</version>
|
||||
<configuration>
|
||||
<cveValidForHours>24</cveValidForHours>
|
||||
<failBuildOnCVSS>0</failBuildOnCVSS>
|
||||
<skipTestScope>true</skipTestScope>
|
||||
<detail>true</detail>
|
||||
<suppressionFile>suppression.xml</suppressionFile>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<goals>
|
||||
<goal>check</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</profile>
|
||||
</profiles>
|
||||
|
||||
<build>
|
||||
|
||||
19
main/suppression.xml
Normal file
19
main/suppression.xml
Normal file
@@ -0,0 +1,19 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
|
||||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
|
||||
<suppress>
|
||||
<notes><![CDATA[ Upstream fix backported from 2.11.0 to 2.10.5.1, see https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837. ]]></notes>
|
||||
<gav>com.fasterxml.jackson.core:jackson-databind:2.10.5.1</gav>
|
||||
<cve>CVE-2020-25649</cve>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
|
||||
<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
|
||||
<cvssBelow>9</cvssBelow>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jnr-fuse (dependency of fuse-nio-adapter). ]]></notes>
|
||||
<gav regex="true">^com\.github\.serceman:jnr-fuse:.*$</gav>
|
||||
<cvssBelow>9</cvssBelow>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
Reference in New Issue
Block a user