Repository: knox Updated Branches: refs/heads/master 80dc25512 -> 8b128c2f1
KNOX-1421 - Enable OWASP Dependency Check
Signed-off-by: Kevin Risden <kris...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8b128c2f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8b128c2f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8b128c2f
Branch: refs/heads/master
Commit: 8b128c2f1090507d863f0ffc1923ad30b2264cae
Parents: 80dc255
Author: Kevin Risden <kris...@apache.org>
Authored: Wed Oct 3 10:48:03 2018 -0400
Committer: Kevin Risden <kris...@apache.org>
Committed: Wed Oct 31 11:42:45 2018 -0400
----------------------------------------------------------------------
.../dependency-check/suppressions.xml | 58 ++++++++++++++++++++
gateway-test-release/pom.xml | 4 ++
pom.xml | 42 +++++++++++++-
3 files changed, 102 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
----------------------------------------------------------------------
diff --git a/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
new file mode 100644
index 0000000..059a747
--- /dev/null
+++ b/build-tools/src/main/resources/build-tools/dependency-check/suppressions.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <suppress>
+ <notes><![CDATA[file name: curator-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.curator:curator-.*:.*$</gav>
+ <cpe>cpe:/a:apache:zookeeper</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: gateway-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.knox:gateway-.*:.*$</gav>
+ <cpe>cpe:/a:apache:ambari</cpe>
+ <cpe>cpe:/a:apache:apache_http_server</cpe>
+ <cpe>cpe:/a:apache:apache_test</cpe>
+ <cpe>cpe:/a:apache:hadoop</cpe>
+ <cpe>cpe:/a:apache:hive</cpe>
+ <cpe>cpe:/a:apache:http_server</cpe>
+ <cpe>cpe:/a:apache:nifi</cpe>
+ <cpe>cpe:/a:apache:shiro</cpe>
+ <cpe>cpe:/a:apache:storm</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: hadoop-examples-.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.knox:hadoop-examples:.*$</gav>
+ <cpe>cpe:/a:apache:hadoop</cpe>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: zookeeper.*.jar]]></notes>
+ <gav regex="true">^org\.apache\.zookeeper:zookeeper:.*$</gav>
+ <cve>CVE-2014-0085</cve>
+ <cve>CVE-2018-8012</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: groovy-.*.jar]]></notes>
+ <gav regex="true">^org\.codehaus\.groovy:groovy-.*:.*$</gav>
+ <cve>CVE-2016-6497</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[file name: xz-.*.jar]]></notes>
+ <gav regex="true">^org\.tukaani:xz:.*$</gav>
+ <cve>CVE-2015-4035</cve>
+ </suppress>
+</suppressions>
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/gateway-test-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-test-release/pom.xml b/gateway-test-release/pom.xml
index 087d45c..c115226 100644
--- a/gateway-test-release/pom.xml
+++ b/gateway-test-release/pom.xml
@@ -177,6 +177,10 @@
 <groupId>com.google.code.findbugs</groupId>
 <artifactId>jsr305</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>jdk.tools</groupId>
+ <artifactId>jdk.tools</artifactId>
+ </exclusion>
 </exclusions>
 <scope>test</scope>
 </dependency>
http://git-wip-us.apache.org/repos/asf/knox/blob/8b128c2f/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index e7f9b08..7c90a61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
 <artifactId>apache</artifactId>
 <version>21</version>
 </parent>
-
+
 <groupId>org.apache.knox</groupId>
 <artifactId>gateway</artifactId>
 <version>1.2.0-SNAPSHOT</version>
@@ -153,6 +153,7 @@
 <cors-filter.version>2.6</cors-filter.version>
 <curator.version>4.0.1</curator.version>
 <curator-test.version>2.12.0</curator-test.version>
+ <dependency-check-maven.version>3.3.2</dependency-check-maven.version>
 <easymock.version>4.0.1</easymock.version>
 <eclipselink.version>2.7.3</eclipselink.version>
 <ehcache.version>2.6.11</ehcache.version>
@@ -206,7 +207,7 @@
 <zip4j.version>1.3.2</zip4j.version>
 <zookeeper.version>3.4.10</zookeeper.version>
 </properties>
-
+
 <profiles>
 <profile>
 <id>package</id>
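Review bot: Every `<notes>` element in the new suppressions.xml records only the matched file name, so the `<cve>` suppressions for zookeeper (CVE-2014-0085, CVE-2018-8012), groovy (CVE-2016-6497) and xz (CVE-2015-4035) carry no statement of why the finding does not apply — whether the artifact is mis-identified or the vulnerable code path is not reachable from Knox — which is exactly what the next person re-running the scan needs to re-check. Each note should state that reason, e.g. `<notes><![CDATA[file name: xz-.*.jar; CVE-2015-4035: <reason the finding does not apply to this artifact - fill in>]]></notes>`. The 1.1 suppression schema also allows an `until="YYYY-MM-DD"` attribute on `<suppress>`, which would make the CVE-level suppressions expire and resurface for review instead of silently outliving the dependency versions they were written against. The blanket CPE list for `gateway-.*` jars is a mis-identification fix rather than a vulnerability suppression and is fine as is, but a one-line note saying so would keep the two kinds of entry distinguishable.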
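Review bot: The `jdk.tools` exclusion added in gateway-test-release/pom.xml has no comment saying why it is needed, and this commit adds the same exclusion to `hadoop-mapreduce-client-core` in the root pom.xml; the `<groupId>`/`<artifactId>` of the dependency being excluded here are above the hunk, so if it is that same artifact and the root entry sits in `<dependencyManagement>`, this copy would be redundant. Either way a short comment above `<exclusion>` would save the next reader the search, e.g. `<!-- jdk.tools is the system-scoped tools.jar artifact and is not resolvable from a repository; excluded so dependency resolution (and presumably the dependency-check scan) does not fail on it -->`.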
@@ -254,6 +255,37 @@
 <failsafe.group>org.apache.knox.test.category.VerifyTest</failsafe.group>
 </properties>
 </profile>
+ <profile>
+ <id>owasp</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <configuration>
+ <suppressionFiles>
+ <suppressionFile>build-tools/dependency-check/suppressions.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>build-tools</artifactId>
+ <version>1.0.0</version>
+ </dependency>
+ </dependencies>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
 </profiles>
 
 <build>
@@ -1033,6 +1065,12 @@
 <groupId>org.apache.hadoop</groupId>
 <artifactId>hadoop-mapreduce-client-core</artifactId>
 <version>${hadoop.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>jdk.tools</groupId>
+ <artifactId>jdk.tools</artifactId>
+ </exclusion>
+ </exclusions>
 </dependency>
 <dependency>
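Review bot: The `owasp` profile's `<configuration>` sets no `<failBuildOnCVSS>`, so the plugin's default threshold applies and a finding that is not covered by suppressions.xml never fails the build — the `aggregate` execution is report-only unless someone reads the generated report. If the scan is meant to gate releases, add `<failBuildOnCVSS>7</failBuildOnCVSS>` (whatever threshold the project agrees on) next to `<suppressionFiles>`; if report-only is the intent, a comment on the profile saying so would prevent that assumption. The suppression file path `build-tools/dependency-check/suppressions.xml` appears to be resolved as a classpath resource from the `org.apache.knox:build-tools` plugin dependency, which is pinned to `1.0.0` rather than the reactor version, so an edit to suppressions.xml would only take effect once a new build-tools artifact is published; if build-tools is deliberately versioned on its own, a comment beside `<version>1.0.0</version>` stating that would help.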