This is an automated email from the ASF dual-hosted git repository. joshtynjala pushed a commit to branch security-updates in repository https://gitbox.apache.org/repos/asf/flex-blazeds.git
commit c7b937e41dc580d780c38f32f4d67bbe28b1edaa
Author: Josh Tynjala <[email protected]>
AuthorDate: Mon Jan 9 15:25:32 2023 -0800
owasp dependency check should be opt-in
This allows the CI server or release manager to enable it as needed, but regular users should be allowed to build
---
 pom.xml | 70 +++++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/pom.xml b/pom.xml
index 7d141bd..268b49a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -80,38 +80,6 @@
 <build>
 <plugins>
- <!--
- Check the referenced dependencies for known vulnerabilities
- and fail the build if there are critical ones in our classpath
- -->
- <plugin>
- <groupId>org.owasp</groupId>
- <artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
- <executions>
- <execution>
- <goals>
- <goal>check</goal>
- </goals>
- </execution>
- </executions>
- <configuration>
- <!-- Fail the build on any CVE, which is not considered minor -->
- <failBuildOnCVSS>4</failBuildOnCVSS>
- <excludes>
- <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
- <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
- <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
- <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
- <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
- <exclude>commons-httpclient:commons-httpclient</exclude>
- </excludes>
- </configuration>
- </plugin>
-
 <plugin>
 <groupId>org.apache.rat</groupId>
 <artifactId>apache-rat-plugin</artifactId>
@@ -379,6 +347,44 @@
 <module>distribution</module>
 </modules>
 </profile>
+ <profile>
+ <id>with-owasp</id>
+ <build>
+ <plugins>
+ <!--
+ Check the referenced dependencies for known vulnerabilities
+ and fail the build if there are critical ones in our classpath
+ -->
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>7.4.4</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <!-- Fail the build on any CVE, which is not considered minor -->
+ <failBuildOnCVSS>4</failBuildOnCVSS>
+ <excludes>
+ <!-- CVE-2015-1773 Affects Apache Flex < 4.10, but BlazeDS has nothing to do with the libraries of the Flex SDK -->
+ <exclude>org.apache.flex.blazeds:flex-messaging-common</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-core</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-proxy</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-remoting</exclude>
+ <exclude>org.apache.flex.blazeds:blazeds-spring-boot-starter</exclude>
+ <exclude>org.apache.flex.blazeds:flex-messaging-opt-tomcat-base</exclude>
+ <!-- TODO: Excluding this dependency, for which there's CVEs reported as it requires refactoring quite a bit. However this should be addressed before the next release -->
+ <exclude>commons-httpclient:commons-httpclient</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
 </profiles>
 </project>
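Review bot: The new `with-owasp` profile carries no `<activation>` and no comment saying how it is meant to be switched on, so a reader of pom.xml cannot tell from the file that the dependency check now only runs when the profile is requested explicitly (`-Pwith-owasp`, or an equivalent CI setting). Suggest a comment directly under `<id>with-owasp</id>`: `<!-- Opt-in: activate with -Pwith-owasp; intended for the CI server and release builds, not the default developer build -->`. Because the check has left the default build, the `commons-httpclient:commons-httpclient` exclusion that is still marked TODO is no longer seen by anyone who does not run this profile, so the CI job that enables the profile is now the only thing keeping that TODO visible before a release; the TODO comment could say so explicitly. The `check` goal binding and the `failBuildOnCVSS` threshold are moved over unchanged, which is consistent with the stated intent.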
