[WFLY-18073] Add the OWASP dependency-check plugin to the WildFly build. #17686

Merged
merged 35 commits into from Apr 2, 2024

35 commits
71d0344
[WFLY-18073] Add the OWASP Dependency Check Plugin
darranl Feb 9, 2024
1d8884e
[WFLY-18073] Add a suppression file and start by excluding ApacheDS as…
darranl Feb 9, 2024
d3dbd10
[WFLY-18073] Add CPE suppressions for the Artemis integration artefact.
darranl Feb 9, 2024
939696e
Merge branch 'WFLY-19022' into WFLY-18073
darranl Feb 9, 2024
56195a1
[WFLY-18073] Suppress the expressly to glassfish CPE mapping.
darranl Feb 9, 2024
e91589f
[WFLY-18073] Suppress CVE-2023-44487 against grpc-api as it applies to…
darranl Feb 9, 2024
98721fe
[WFLY-18073] Suppress CVE-2018-14335 as rejected by h2database.
darranl Feb 9, 2024
5688437
[WFLY-18073] Suppress CVE-2023-35116 as FasterXML disputes that this is…
darranl Feb 9, 2024
de46a49
[WFLY-18073] This module is the Elytron security integration with Res…
darranl Feb 9, 2024
9f090a5
[WFLY-18073] Suppressing CVE-2020-1732, we have compensated for this b…
darranl Feb 9, 2024
3dd1d53
[WFLY-18073] The EJB client is different to the IIOP client.
darranl Feb 9, 2024
f755360
[WFLY-18073] Suppress CVE-2016-2141 when reported against jgroups-aws …
darranl Feb 9, 2024
34147d4
[WFLY-18073] Synchronise changes from main.
darranl Feb 14, 2024
241d14b
[WFLY-18073] Remove suppression rule with no matches.
darranl Feb 14, 2024
eaf8d1b
[WFLY-18073] Suppress CVE-2021-41973 for mina-core as this comes in vi…
darranl Feb 14, 2024
dfa23f1
[WFLY-18073] mvc-krazo is a separate project.
darranl Feb 14, 2024
0ea95f2
[WFLY-18073] Include nimbus-jose-jwt component upgrade.
darranl Feb 14, 2024
1b7eb4a
[WFLY-18073] The transformer-api is maintained in a separate project …
darranl Feb 14, 2024
798dac4
Merge remote-tracking branch 'upstream/main' into WFLY-18073
darranl Mar 4, 2024
5018221
[WFLY-19088] Upgrade Apache James Mime4j to 0.8.10
darranl Mar 4, 2024
e0f3eb6
Merge branch 'WFLY-19088' into WFLY-18073
darranl Mar 4, 2024
375cdb4
[WFLY-18073] Suppress CVE-2024-25710 and CVE-2024-26308 as commons-com…
darranl Mar 4, 2024
6387d4d
[WFLY-18073] Suppress the OTel CVEs as these are against other compone…
darranl Mar 4, 2024
cc31ca9
[WFLY-18073] Suppress CPE cpe:2.3:a:linux_audit_project:linux_audit:2.…
darranl Mar 4, 2024
f33627e
[WFLY-18073] Set of Rest Easy suppressions that relate to RestEasy ite…
darranl Mar 4, 2024
dcfd1f2
[WFLY-18073] Suppress CVE-2016-6311 for Undertow as WildFly contains i…
darranl Mar 4, 2024
a94fc5f
[WFLY-18073] Exclude all WildFly Core components mapped to redhat:wil…
darranl Mar 4, 2024
ebf3246
[WFLY-18073] wildfly-plugins-core is not WildFly and not WildFly Core…
darranl Mar 4, 2024
ea06db8
[WFLY-18073] The Galleon Plugins transformer artifact should not matc…
darranl Mar 4, 2024
63c966f
[WFLY-18073] Avoid deployment transformer getting mapped to redhat:wi…
darranl Mar 4, 2024
cedb66a
[WFLY-18073] Avoid wildfly-galleon-plugins mapping to redhat:wildfly CPE
darranl Mar 4, 2024
e203bef
[WFLY-18073] Move the dependency-check plugin into its own profile.
darranl Mar 4, 2024
7b3d618
[WFLY-18073] Correct the name of the suppression file.
darranl Mar 4, 2024
7d85cd5
[WFLY-18073] Ignore CVE-2021-20293 for two reasons:
darranl Mar 8, 2024
529d77d
[WFLY-18073] This CVE should not be matching against resteasy-spring,
darranl Mar 15, 2024
32 changes: 30 additions & 2 deletions pom.xml
Expand Up @@ -453,7 +453,7 @@
<version.org.apache.cxf>4.0.0</version.org.apache.cxf>
<version.org.apache.cxf.xjcplugins>4.0.0</version.org.apache.cxf.xjcplugins>
<version.org.apache.httpcomponents.httpasyncclient>4.1.5</version.org.apache.httpcomponents.httpasyncclient>
<version.org.apache.james.apache-mime4j>0.8.9</version.org.apache.james.apache-mime4j>
<version.org.apache.james.apache-mime4j>0.8.10</version.org.apache.james.apache-mime4j>
<version.org.apache.kafka>3.6.1</version.org.apache.kafka>
<version.org.apache.lucene>9.8.0</version.org.apache.lucene>
<version.org.apache.neethi>3.1.1</version.org.apache.neethi>
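Review bot: the 0.8.9 to 0.8.10 bump of `version.org.apache.james.apache-mime4j` in this hunk is a component upgrade tracked under a different JIRA (the commit list shows it as WFLY-19088, merged into this branch) and is not mentioned in the PR title; call it out in the PR description, or split it out, so the dependency-check change can be reviewed and, if needed, reverted on its own.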
Expand Down Expand Up @@ -1355,7 +1355,6 @@
</execution>
</executions>
</plugin>

</plugins>
</build>

Expand Down Expand Up @@ -1404,6 +1403,35 @@
</modules>
</profile>

<profile>
<id>dependency-check</id>
<activation>
<property>
<name>dependency-check</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>9.0.9</version>
<configuration>
<nvdApiServerId>nvd</nvdApiServerId>
<suppressionFile>./sca-overrides/owasp-suppressions.xml</suppressionFile>
</configuration>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>

<!--
Name: jpda
Descr: Enable JPDA remote debuging
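Review bot: the new `dependency-check` profile carries no descriptive comment block, while the neighbouring `jpda` profile documents itself with `Name:` / `Descr:` lines; add one that states the profile is activated with `-Ddependency-check` and that `<nvdApiServerId>nvd</nvdApiServerId>` expects a `<server>` with id `nvd` in the developer's Maven `settings.xml`, whose password the plugin uses as the NVD API key. Two further points: no `<failBuildOnCVSS>` is set, so the plugin keeps its default threshold and a scan with findings still passes the build; if this profile is meant to gate CI, set the threshold explicitly. And `<suppressionFile>./sca-overrides/owasp-suppressions.xml</suppressionFile>` is a working-directory-relative path; `${project.basedir}/sca-overrides/owasp-suppressions.xml` removes that dependency.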
220 changes: 220 additions & 0 deletions sca-overrides/owasp-suppressions.xml
@@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- CPE Supressions -->
<!-- Sometimes the mapping from GAV to CPE creates a bad match, this section supresses those matches. -->
<suppress>
<notes><![CDATA[
file name: expressly-5.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.expressly/expressly@.*$</packageUrl>
<cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta-client-resteasy-3.0.3.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.jakarta/jakarta\-client\-resteasy@.*$</packageUrl>
<cpe>cpe:/a:redhat:resteasy</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jboss-iiop-client-2.0.1.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss/jboss\-iiop\-client@.*$</packageUrl>
<cpe>cpe:/a:redhat:jboss-ejb-client</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: mvc-krazo-subsystem-0.8.2.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-subsystem@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: mvc-krazo-galleon-shared-0.8.2.Final.pom
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly/mvc\-krazo\-galleon\-shared@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: transformer-7.0.0.Beta2.jar (shaded: org.wildfly.extras.batavia:transformer-api:1.0.12.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.extras\.batavia/transformer\-api@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: wildfly-elytron-audit-2.3.1.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.security/wildfly\-elytron\-audit@.*$</packageUrl>
<cpe>cpe:/a:linux_audit_project:linux_audit</cpe>
</suppress>
<suppress>
<notes><![CDATA[
Match all components from WildFly Core, these should use CPE redhat:wildfly-core
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.core/wildfly\-.*@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: wildfly-plugin-core-4.1.1.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.plugins/wildfly\-plugin\-core@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
<cpe>cpe:/a:redhat:wildfly_core</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: transformer-7.0.0.Beta2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/transformer@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: wildfly-ee-9-deployment-transformer-1.0.0.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.deployment/wildfly\-ee\-9\-deployment\-transformer@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: wildfly-galleon-plugins-7.0.0.Beta2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.wildfly\.galleon\-plugins/wildfly\-galleon\-plugins@.*$</packageUrl>
<cpe>cpe:/a:redhat:wildfly</cpe>
</suppress>

<!-- CVE Expressions -->

<!-- In this section specific CVEs are supressed where we have triaged we are not interested in them being reported. -->

<!-- If we specify an until in 12 months time, it will give us an opportunity to check again,
also if it no longer triggers after this date we can remove the supression. -->
<suppress until="2025-02-09">
<notes><![CDATA[
file name: apacheds-interceptors-admin-2.0.0.AM26.jar
]]></notes>
<!-- The regex was adjusted to match all apacheds artefacts, in most other cases we would use the rule as-proposed. -->
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-.*@.*$</packageUrl>
<cve>CVE-2010-1151</cve>
</suppress>
<suppress until="2025-02-14">
<notes><![CDATA[
file name: mina-core-2.1.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
Contributor

Should this have a comment?

<cve>CVE-2021-41973</cve>
</suppress>
<suppress until="2025-02-09">
<notes><![CDATA[
file name: grpc-api-1.58.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-api@.*$</packageUrl>
<cve>CVE-2023-44487</cve> <!-- This CVE specifically affects grpc-go not grpc-api -->
</suppress>
<suppress until="2025-02-09">
<notes><![CDATA[
file name: h2-2.2.224.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
<!-- Disputed by h2database https://github.com/h2database/h2database/issues/1294 -->
<vulnerabilityName>CVE-2018-14335</vulnerabilityName>
</suppress>
<suppress until="2025-02-09">
<notes><![CDATA[
file name: jackson-databind-2.15.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<!-- Disputed by FasterXML that this is a vulnerability https://github.com/FasterXML/jackson-databind/issues/3972 -->
<cve>CVE-2023-35116</cve>
</suppress>
<suppress until="2025-02-09">
<notes><![CDATA[
file name: jakarta.security.enterprise-3.0.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl>
<vulnerabilityName>CVE-2020-1732</vulnerabilityName>
Contributor

Should this have a comment?

</suppress>
<suppress until="2025-02-09">
<notes><![CDATA[
file name: jgroups-aws-3.0.0.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jgroups\.aws/jgroups\-aws@.*$</packageUrl>
<cve>CVE-2016-2141</cve>
</suppress>
<suppress until="2025-03-04">
<notes><![CDATA[
file name: commons-compress-1.24.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
Contributor

Should this have a comment?

Perhaps "Not used in a WildFly installation"

<cve>CVE-2024-25710</cve>
<cve>CVE-2024-26308</cve>
</suppress>
<suppress until="2025-03-04">
<notes><![CDATA[
file name: opentelemetry-proto-0.20.0-alpha.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.opentelemetry\.proto/opentelemetry\-proto@.*$</packageUrl>
<cve>CVE-2023-43810</cve> <!-- CVE within the Python library. -->
<cve>CVE-2023-45142</cve> <!-- CVE within the Go library. -->
<cve>CVE-2023-47108</cve> <!-- CVE within the Go library. -->
</suppress>
<suppress until="2025-03-04">
<notes><![CDATA[
file name: resteasy-spring-3.0.4.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
<cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2014-3490</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2020-1695</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
<cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Spring -->
</suppress>
<suppress>
<notes><![CDATA[
file name: resteasy-tracing-api-2.0.1.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
<cve>CVE-2016-9606</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2020-10688</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2023-0482</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2020-25633</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2021-20289</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2011-5245</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
<cve>CVE-2012-0818</cve> <!-- CVE within Rest Easy not RestEasy Tracing API -->
</suppress>
<suppress until="2025-03-04">
<notes><![CDATA[
file name: undertow-core-2.3.12.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.undertow/undertow\-core@.*$</packageUrl>
<vulnerabilityName>CVE-2016-6311</vulnerabilityName>
</suppress>
<suppress until="2025-03-08">
<notes><![CDATA[
file name: resteasy-spring-3.0.4.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
<cve>CVE-2021-20293</cve>
</suppress>
<suppress until="2025-03-08">
<notes><![CDATA[
file name: resteasy-tracing-api-2.0.1.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy/resteasy\-tracing\-api@.*$</packageUrl>
<cve>CVE-2021-20293</cve>
</suppress>
<suppress until="2025-03-15">
<notes><![CDATA[
file name: resteasy-spring-3.1.2.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jboss\.resteasy\.spring/resteasy\-spring@.*$</packageUrl>
<cve>CVE-2018-1051</cve>
</suppress>
</suppressions>
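Review bot: several CVE suppressions in this file record only the file name in `<notes>` and give no reason, which is the point the inline review comments raise: CVE-2021-41973 on mina-core, CVE-2020-1732 on jakarta.security.enterprise, CVE-2016-2141 on jgroups-aws, the commons-compress pair (the suggested "Not used in a WildFly installation" fits), CVE-2016-6311 on undertow-core, and the resteasy-spring and resteasy-tracing-api entries for CVE-2021-20293 and CVE-2018-1051. The reasons already exist in the commit messages; carry them into `<notes>` or an adjacent XML comment as done for grpc-api, h2 and jackson-databind, because this file is what the next person re-triaging a finding will read, not the git log. Two smaller points: the header comment of the CVE section commits to an `until` twelve months out for every CVE suppression, but the resteasy-tracing-api block for CVE-2016-9606 and the other six has no `until` attribute; and the comments spell "Supressions", "supresses" and "supression" where the element and file name use "suppress".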