From b0fce66d77e177729798b7631069e81685e4494e Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 14 Dec 2020 17:02:35 +0100
Subject: [PATCH] Add OWASP Dependency-Check Maven Plugin * only active if
 profile dependency check is active * added suppresion.xml for false positives
 * added tmp fix for jwt lib

---
 main/pom.xml         | 33 +++++++++++++++++++++++++++++++++
 main/suppression.xml | 19 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 main/suppression.xml

diff --git a/main/pom.xml b/main/pom.xml
index e2bd75511..ada05802b 100644
--- a/main/pom.xml
+++ b/main/pom.xml
@@ -230,6 +230,13 @@
 				<version>${javafx.version}</version>
 				<scope>test</scope>
 			</dependency>
+
+			<!-- TODO: temporary fix for XXE attack, can be removed once java-jwt is updated -->
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-databind</artifactId>
+				<version>2.10.5.1</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 
@@ -332,6 +339,32 @@
 				</dependency>
 			</dependencies>
 		</profile>
+		<profile>
+			<id>dependency-check</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.owasp</groupId>
+						<artifactId>dependency-check-maven</artifactId>
+						<version>6.0.3</version>
+						<configuration>
+							<cveValidForHours>24</cveValidForHours>
+							<failBuildOnCVSS>0</failBuildOnCVSS>
+							<skipTestScope>true</skipTestScope>
+							<detail>true</detail>
+							<suppressionFile>suppression.xml</suppressionFile>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>check</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
 	</profiles>
 
 	<build>
diff --git a/main/suppression.xml b/main/suppression.xml
new file mode 100644
index 000000000..6fe12f417
--- /dev/null
+++ b/main/suppression.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+	<suppress>
+		<notes><![CDATA[ Upstream fix backported from 2.11.0 to 2.10.5.1, see https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837. ]]></notes>
+		<gav>com.fasterxml.jackson.core:jackson-databind:2.10.5.1</gav>
+		<cve>CVE-2020-25649</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
+		<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jnr-fuse (dependency of fuse-nio-adapter). ]]></notes>
+		<gav regex="true">^com\.github\.serceman:jnr-fuse:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+</suppressions>
\ No newline at end of file