[WFLY-18073] Add the OWASP dependency-check plugin to the WildFly build. #17686
Merged
35 commits
71d0344 [WFLY-18073] Add the OWASP Dependency Check Plugin (darranl)
1d8884e [WFLY-18073] Add a suppression file and start by excluding ApacheDS as… (darranl)
d3dbd10 [WFLY-18073] Add CPE suppressions for the Artemis integration artefact. (darranl)
939696e Merge branch 'WFLY-19022' into WFLY-18073 (darranl)
56195a1 [WFLY-18073] Suppress the expressly to glassfish CPE mapping. (darranl)
e91589f [WFLY-18073] Suppress CVE-2023-44487 against grpc-api as it applies to… (darranl)
98721fe [WDLY-18073] Suppress CVE-2018-14335 as rejected by h2database. (darranl)
5688437 [WFLY-18073] Suppress CVE-2023-35116 as FasterXML dispute that this is… (darranl)
de46a49 [WFLY-18073] This module is the Elytron security integration with Res… (darranl)
9f090a5 [WFLY-18073] Suppressing CVE-2020-1732, we have compensated for this b… (darranl)
3dd1d53 [WFLY-18073] The EJB client is different to the IIOP client. (darranl)
f755360 [WFLY-18073] Suppress CVE-2016-2141 when reported against jgroups-aws … (darranl)
34147d4 [WFLY-18073] Synchronise changes from main. (darranl)
241d14b [WFLY-18073] Remove suppression rule with no matches. (darranl)
eaf8d1b [WFLY-18073] Suppress CVE-2021-41973 for mina-core as this comes in vi… (darranl)
dfa23f1 [WFLY-18073] mvc-krazo is a separate project. (darranl)
0ea95f2 [WFLY-18073] Include nimbus-jose-jwt component upgrade. (darranl)
1b7eb4a [WFLY-18073] The transformer-api is maintained in a separate project … (darranl)
798dac4 Merge remote-tracking branch 'upstream/main' into WFLY-18073 (darranl)
5018221 [WFLY-19088] Upgrade Apache James Mime4j to 0.8.10 (darranl)
e0f3eb6 Merge branch 'WFLY-19088' into WFLY-18073 (darranl)
375cdb4 [WFLY-18073] Suppress CVE-2024-25710 and CVE-2024-26308 as commons-com… (darranl)
6387d4d [WFLY-18073] Suppress the OTel CVEs as these are against other compone… (darranl)
cc31ca9 [WFLY-18073] Suppress CPE cpe:2.3:a:linux_audit_project:linux_audit:2.… (darranl)
f33627e [WFLY-18073] Set of Rest Easy suppressions that relate to RestEasy ite… (darranl)
dcfd1f2 [WFLY-18073] Suppress CVE-2016-6311 for Undertow as WildFly contains i… (darranl)
a94fc5f [WFLY-18073] Exclude all WildFly Core components mapped to redhat:wil… (darranl)
ebf3246 [WFLY-18073] wildfly-plugins-core is not WildFly and not WildFly Core… (darranl)
ea06db8 [WFLY-18073] The Galleon Plugins transformer artifact should not matc… (darranl)
63c966f [WFLY-18073] Avoid deployment transformer getting mapped to redhat:wi… (darranl)
cedb66a [WFLY-18073] Avoid wildfly-galleon-plugins mapping to redhat:wildfly CPE (darranl)
e203bef [WFLY-18073] Move the dependency-check plugin into its own profile. (darranl)
7b3d618 [WFLY-18073] Correct the name of the suppression file. (darranl)
7d85cd5 [WFLY-18073] Ignore CVE-2021-20293 for two reasons: (darranl)
529d77d [WFLY-18073] This CVE should not be matching against resteasy-spring, (darranl)
@@ -0,0 +1,220 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||
<!-- CPE Supressions --> | ||
<!-- Sometimes the mapping from GAV to CPE creates a bad match, this section supresses those matches. --> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: expressly-5.0.0.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.glassfish\.expressly/expressly@.*$</packageUrl> | ||
<cpe>cpe:/a:eclipse:glassfish</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: jakarta-client-resteasy-3.0.3.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.jakarta/jakarta\-client\-resteasy@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:resteasy</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: jboss-iiop-client-2.0.1.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss/jboss\-iiop\-client@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:jboss-ejb-client</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: mvc-krazo-subsystem-0.8.2.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-subsystem@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: mvc-krazo-galleon-shared-0.8.2.Final.pom | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-galleon\-shared@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: transformer-7.0.0.Beta2.jar (shaded: org.wildfly.extras.batavia:transformer-api:1.0.12.Final) | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.extras\.batavia/transformer\-api@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: wildfly-elytron-audit-2.3.1.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.security/wildfly\-elytron\-audit@.*$</packageUrl> | ||
<cpe>cpe:/a:linux_audit_project:linux_audit</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Match all components from WildFly Core, these should use CPE redhat:wildfly-core | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-.*@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: wildfly-plugin-core-4.1.1.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.plugins/wildfly\-plugin\-core@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
<cpe>cpe:/a:redhat:wildfly_core</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: transformer-7.0.0.Beta2.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/transformer@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: wildfly-ee-9-deployment-transformer-1.0.0.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.deployment/wildfly\-ee\-9\-deployment\-transformer@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: wildfly-galleon-plugins-7.0.0.Beta2.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/wildfly\-galleon\-plugins@.*$</packageUrl> | ||
<cpe>cpe:/a:redhat:wildfly</cpe> | ||
</suppress> | ||
|
||
<!-- CVE Expressions --> | ||
|
||
<!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. --> | ||
|
||
<!-- If we specify an until in 12 months time, it will give us an opportunity to check again, | ||
also if it no longer triggers after this date we can remove the supression. --> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: apacheds-interceptors-admin-2.0.0.AM26.jar | ||
]]></notes> | ||
<!-- The regex was adjusted to match all apacheds artefacts, in most other cases we would use the rule as-proposed. --> | ||
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl> | ||
<cve>CVE-2010-1151</cve> | ||
</suppress> | ||
<suppress until="2025-02-14"> | ||
<notes><![CDATA[ | ||
file name: mina-core-2.1.3.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl> | ||
<cve>CVE-2021-41973</cve> | ||
</suppress> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: grpc-api-1.58.0.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-api@.*$</packageUrl> | ||
<cve>CVE-2023-44487</cve> <!-- This CVE specifically affects grpc-go not grpc-api --> | ||
</suppress> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: h2-2.2.224.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl> | ||
<!-- Disputed by h2database https://github.com/h2database/h2database/issues/1294 --> | ||
<vulnerabilityName>CVE-2018-14335</vulnerabilityName> | ||
</suppress> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: jackson-databind-2.15.3.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl> | ||
<!-- Disputed by FasterXML that this is a vulnerability https://github.com/FasterXML/jackson-databind/issues/3972 --> | ||
<cve>CVE-2023-35116</cve> | ||
</suppress> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: jakarta.security.enterprise-3.0.3.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl> | ||
<vulnerabilityName>CVE-2020-1732</vulnerabilityName> | ||
Should this have a comment?
</suppress> | ||
<suppress until="2025-02-09"> | ||
<notes><![CDATA[ | ||
file name: jgroups-aws-3.0.0.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jgroups\.aws/jgroups\-aws@.*$</packageUrl> | ||
<cve>CVE-2016-2141</cve> | ||
</suppress> | ||
<suppress until="2025-03-04"> | ||
<notes><![CDATA[ | ||
file name: commons-compress-1.24.0.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl> | ||
Should this have a comment? Perhaps "Not used in a WildFly installation"
<cve>CVE-2024-25710</cve> | ||
<cve>CVE-2024-26308</cve> | ||
</suppress> | ||
<suppress until="2025-03-04"> | ||
<notes><![CDATA[ | ||
file name: opentelemetry-proto-0.20.0-alpha.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/io\.opentelemetry\.proto/opentelemetry\-proto@.*$</packageUrl> | ||
<cve>CVE-2023-43810</cve> <!-- CVE within the Python library. --> | ||
<cve>CVE-2023-45142</cve> <!-- CVE within the Go library. --> | ||
<cve>CVE-2023-47108</cve> <!-- CVE within the Go library. --> | ||
</suppress> | ||
<suppress until="2025-03-04"> | ||
<notes><![CDATA[ | ||
file name: resteasy-spring-3.0.4.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl> | ||
<cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2014-3490</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2020-1695</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
<cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Spring --> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: resteasy-tracing-api-2.0.1.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl> | ||
<cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2011-5245</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
<cve>CVE-2012-0818</cve> <!-- CVE within Rest Easy not RestEasy Tracing API --> | ||
</suppress> | ||
<suppress until="2025-03-04"> | ||
<notes><![CDATA[ | ||
file name: undertow-core-2.3.12.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl> | ||
<vulnerabilityName>CVE-2016-6311</vulnerabilityName> | ||
</suppress> | ||
<suppress until="2025-03-08"> | ||
<notes><![CDATA[ | ||
file name: resteasy-spring-3.0.4.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl> | ||
<cve>CVE-2021-20293</cve> | ||
</suppress> | ||
<suppress until="2025-03-08"> | ||
<notes><![CDATA[ | ||
file name: resteasy-tracing-api-2.0.1.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl> | ||
<cve>CVE-2021-20293</cve> | ||
</suppress> | ||
<suppress until="2025-03-15"> | ||
<notes><![CDATA[ | ||
file name: resteasy-spring-3.1.2.Final.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl> | ||
<cve>CVE-2018-1051</cve> | ||
</suppress> | ||
</suppressions> |
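Review bot: the rationale for most entries in the CVE Expressions section lives only in the commit messages, not in the file. The apacheds (CVE-2010-1151), mina-core (CVE-2021-41973), jakarta.security.enterprise (CVE-2020-1732), jgroups-aws (CVE-2016-2141), commons-compress, undertow-core (CVE-2016-6311), CVE-2021-20293 and CVE-2018-1051 entries carry nothing but `file name: ...` in their `<notes>`, so whoever re-triages them when the `until` date passes has to go back through git history to find out why each was suppressed. The grpc-api, h2, jackson-databind and resteasy entries already do this with an inline `<!-- ... -->` or a link to the upstream dispute; applying the same pattern to the remaining entries would make the file self-explanatory. Two smaller points: the resteasy-tracing-api block (CVE-2016-9606 through CVE-2012-0818) is the only entry in the CVE section without an `until` attribute, which contradicts the stated 12-month re-check policy above it, so it should probably get `until="2025-03-04"` like its resteasy-spring sibling; and the note on the WildFly Core entry says the correct CPE is `redhat:wildfly-core` while the wildfly-plugin-core entry suppresses `cpe:/a:redhat:wildfly_core`, so one of the two spellings is wrong and worth checking against the NVD product name. Minor: `Supressions`, `supresses` and `supression` in the comments should be `Suppressions`, `suppresses` and `suppression`.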