
b0fce66d77e177729798b7631069e81685e4494e — Armin Schrenk 7 months ago bf47ba0
Add OWASP Dependency-Check Maven Plugin
* only active if profile dependency check is active
* added suppression.xml for false positives
* added tmp fix for jwt lib
2 files changed, 52 insertions(+), 0 deletions(-)

M main/pom.xml
A main/suppression.xml
M main/pom.xml => main/pom.xml +33 -0
@@ 230,6 230,13 @@
				<version>${javafx.version}</version>
				<scope>test</scope>
			</dependency>

			<!-- TODO: temporary fix for XXE attack, can be removed once java-jwt is updated -->
			<dependency>
				<groupId>com.fasterxml.jackson.core</groupId>
				<artifactId>jackson-databind</artifactId>
				<version>2.10.5.1</version>
			</dependency>
		</dependencies>
	</dependencyManagement>



@@ 332,6 339,32 @@
				</dependency>
			</dependencies>
		</profile>
		<profile>
			<id>dependency-check</id>
			<build>
				<plugins>
					<plugin>
						<groupId>org.owasp</groupId>
						<artifactId>dependency-check-maven</artifactId>
						<version>6.0.3</version>
						<configuration>
							<cveValidForHours>24</cveValidForHours>
							<failBuildOnCVSS>0</failBuildOnCVSS>
							<skipTestScope>true</skipTestScope>
							<detail>true</detail>
							<suppressionFile>suppression.xml</suppressionFile>
						</configuration>
						<executions>
							<execution>
								<goals>
									<goal>check</goal>
								</goals>
							</execution>
						</executions>
					</plugin>
				</plugins>
			</build>
		</profile>
	</profiles>

	<build>
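Review bot: The managed `jackson-databind` 2.10.5.1 entry in the first hunk pins that exact version on every path that pulls the artifact in, so once java-jwt (or any other dependency) moves to a newer jackson-databind this entry will silently downgrade it rather than merely floor it; the TODO should name the CVE and the removal condition so the next reader can tell when it is safe to drop. Suggested comment: `<!-- TODO: temporary override for CVE-2020-25649 (XXE in jackson-databind < 2.10.5.1, reached through java-jwt); remove once java-jwt itself depends on jackson-databind >= 2.10.5.1 -->`. The new `dependency-check` profile in the second hunk would catch such a downgrade, but only if the profile is actually activated in CI, which this diff cannot show; making `suppressionFile` `${project.basedir}/suppression.xml` also avoids the plugin failing to find the file when the build is invoked from a parent directory. The `<dependencyManagement>` block the jackson entry sits in opens before the first hunk.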

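--- /dev/null
+++ b/main/suppression.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+	<suppress>
+		<notes><![CDATA[ Upstream fix backported from 2.11.0 to 2.10.5.1, see https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837. ]]></notes>
+		<gav>com.fasterxml.jackson.core:jackson-databind:2.10.5.1</gav>
+		<cve>CVE-2020-25649</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
+		<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jnr-fuse (dependency of fuse-nio-adapter). ]]></notes>
+		<gav regex="true">^com\.github\.serceman:jnr-fuse:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+</suppressions>
\ No newline at end of file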
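Review bot: The two `<cvssBelow>9</cvssBelow>` suppressions on the `fuse-nio-adapter` and `jnr-fuse` regex GAVs hide every finding scored under 9 on those artifacts, for all versions, not only the FUSE-library false positives the notes describe, so a genuine future CVE in either library with a CVSS below 9 would never fail the build. If the false positives come from the artifacts being matched against a native FUSE CPE, suppressing that match with a `<cpe>` element, or listing the specific `<cve>` ids as the jackson-databind entry does, keeps the suppression bound to what was actually reviewed. The 1.2 suppression schema also supports an `until` attribute on `<suppress>` (e.g. `<suppress until="2021-12-31">`) so blanket entries expire and get re-examined instead of persisting indefinitely; the jackson-databind entry, which exists only to cover a temporary version pin, should carry one as well.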