Merge remote-tracking branch 'origin/master'

config/false-positives.xml

@@ -0,0 +1,218 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <!-- IMPORTANT: It may be bit weird, having first reason for suppresion, then the issue suppresed, but dependency-chek uses strict schema and they decided on that order of elements. When any of suppresion has notes and cve reordered, it will not load suppression file
+  -->
+
+  <suppress>
+    <notes>
+      False Positive. midPoint uses Spring Security, but does not use Spring WebFlux, so it is unaffected.
+    </notes>
+    <cve>CVE-2023-34034</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. H2 is not recommended for production use, only for demo testing use-cases.
+    </notes>
+    <cve>CVE-2021-42392</cve>
+    <cve>CVE-2022-23221</cve>
+    <cve>CVE-2018-14335</cve>
+    <cve>CVE-2022-45868</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint and its dependencies does not use affected functionality of SnakeYaml.
+    </notes>
+    <cve>CVE-2022-1471</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use Spring Security in a way neccessary to cause described vulnerability.
+    </notes>
+    <cve>CVE-2022-31692</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not run as ActiveMQ Artemis server, only client.
+    </notes>
+    <cve>CVE-2022-23913</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2023-0217</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2023-0401</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2023-0464</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2023-0216</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2022-3996</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2022-4450</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use OpenSSL for SSL and crypthography.
+    </notes>
+    <cve>CVE-2023-0286</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use WYSIWYG editors from AdminLTE.
+    </notes>
+    <cve>CVE-2022-24729</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use affected functionality (BeanDeserializer) during JSON / YAML parsing.
+    </notes>
+    <cve>CVE-2022-42004</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use affected functionality (BeanDeserializer) during JSON / YAML parsing.
+    </notes>
+    <cve>CVE-2022-42003</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use Moment.js on server-side.
+    </notes>
+    <cve>CVE-2022-31129</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use Moment.js on server-side.
+    </notes>
+    <cve>CVE-2022-24785</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      Updated Netty Library in upcoming 4.4.5 release.
+    </notes>
+    <cve>CVE-2022-41881</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use affected functionality of library.
+    </notes>
+    <cve>CVE-2022-3171</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use affected functionality of library.
+    </notes>
+    <cve>CVE-2022-3509</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint does not use affected functionality of library.
+    </notes>
+    <cve>CVE-2022-3510</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      Minor. MidPoint integrator and/or MidPoint Administrator is only person able to edit JDBC URL.
+    </notes>
+    <cve>CVE-2022-26520</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      Updated Spring Framework in upcoming midPoint 4.4.5 release.
+    </notes>
+    <cve>CVE-2023-20860</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      Minor. Fixed use of dependency to be not affected by this issue. Fix is available in upcoming midPoint 4.4.5 release.
+    </notes>
+    <cve>CVE-2022-40152</cve>
+  </suppress>
+  <!-- Wicket: Midpoint uses Wicket 9.5 or newer since midPoint 4.4.1 -->
+  <suppress>
+    <notes>
+      False Positive. MidPoint uses Wicket 9.5 in midPoint 4.4.1 and newer versions in other releases.
+    </notes>
+    <cve>CVE-2017-15719</cve>
+  </suppress>
+    <suppress>
+    <notes>
+      False Positive. MidPoint uses Wicket 9.5 in midPoint 4.4.1 and newer versions in other releases. MidPoint does not use WYSIWYG editor.
+    </notes>
+    <cve>CVE-2018-1325</cve>
+  </suppress>
+    <suppress>
+    <notes>
+      False Positive. MidPoint uses Wicket 9.5 in midPoint 4.4.1 and newer versions in other releases.
+    </notes>
+    <cve>CVE-2021-23937</cve>
+  </suppress>
+
+  <!-- Busybox: Busybox is not used by midPoint, but is part of docker container. -->
+  <suppress>
+    <notes>
+      False Positive. busybox is bundled in docker container, but midPoint does not use it during normal run.
+    </notes>
+    <cve>CVE-2022-28391</cve>
+  </suppress>
+    <suppress>
+    <notes>
+      False Positive. busybox is bundled in docker container, but midPoint does not use it during normal run.
+    </notes>
+    <cve>CVE-2022-30065</cve>
+  </suppress>
+
+  <!-- Bootstrap: MidPoint uses newer unaffected version of bootstrap. -->
+  <suppress>
+    <notes>
+      False Positive. MidPoint 4.4.1 uses AdminLTE 2.4.18, which contains Bootstrap 3.4.1 which is not affected.
+    </notes>
+    <cve>CVE-2016-10735</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint 4.4.1 uses AdminLTE 2.4.18, which contains Bootstrap 3.4.1 which is not affected.
+    </notes>
+    <cve>CVE-2018-20676</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint 4.4.1 uses AdminLTE 2.4.18, which contains Bootstrap 3.4.1 which is not affected.
+    </notes>
+    <cve>CVE-2019-8331</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint 4.4.1 uses AdminLTE 2.4.18, which contains Bootstrap 3.4.1 which is not affected.
+    </notes>
+    <cve>CVE-2018-20677</cve>
+  </suppress>
+  <suppress>
+    <notes>
+      False Positive. MidPoint and Wicket are not used to display HTML from untrusted sources.
+    </notes>
+    <cve>CVE-2020-11023</cve>
+  </suppress>  
+</suppressions>

pom.xml

@@ -2019,6 +2019,16 @@
                     <artifactId>git-commit-id-plugin</artifactId>
                     <version>4.9.10</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>8.2.1</version>
+                    <configuration>
+                      <suppressionFile>config/false-positives.xml</suppressionFile>
+                      <formats>HTML,JENKINS,XML,JSON</formats>
+                      <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
     </build>

tools/jenkins/midpoint-security-pipeline

@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2010-2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+def verbose = params.VERBOSE ?: '0'
+
+podTemplate(
+        nodeSelector: params.NODE_SELECTOR,
+        activeDeadlineSeconds: 900,
+        idleMinutes: 1,
+        workspaceVolume: dynamicPVC(requestsSize: "10Gi"),
+        containers: [
+                containerTemplate(name: 'jnlp',
+                        image: 'jenkins/inbound-agent:4.13-2-alpine',
+                        runAsUser: '0',
+                        resourceRequestCpu: '1',
+                        resourceLimitCpu: '1',
+                        resourceRequestMemory: '1Gi',
+                        resourceLimitMemory: '1Gi'),
+                containerTemplate(name: 'maven',
+                        image: params.BUILDER_IMAGE ?: 'maven:3.8.5-openjdk-17',
+                        runAsUser: '0',
+                        ttyEnabled: true,
+                        command: 'cat',
+                        resourceRequestCpu: params.BUILDER_CPU ?: '4',
+                        resourceLimitCpu: params.BUILDER_CPU ?: '4',
+                        resourceRequestMemory: '4Gi',
+                        resourceLimitMemory: '4Gi')
+        ]
+) {
+    node(POD_LABEL) {
+        try {
+            stage("checkout") {
+                sh """#!/bin/bash -ex
+                    if [ "${verbose}" -ge 1 ]
+                    then
+                        df -h
+                    fi
+                """
+                git branch: params.BRANCH ?: 'master',
+                        url: 'https://github.com/Evolveum/midpoint.git'
+            }
+            stage("analyze") {
+                container('maven') {
+                    sh """#!/bin/bash -ex
+                        if [ "${verbose}" -ge 1 ]
+                        then
+                            id
+                            env | sort
+                            mvn --version
+                        fi
+
+                        mvn org.owasp:dependency-check-maven:aggregate
+                    """
+                    dependencyCheckPublisher pattern: 'target/dependency-check-report.xml'
+                }
+            }
+
+            currentBuild.result = 'SUCCESS'
+        } catch (Exception e) {
+            currentBuild.result = 'FAILURE' // error below will not set result for mailer!
+            error "Marking build as FAILURE because of: ${e}"
+        } finally {
+            try {
+                // Very basic mails, later we can use https://plugins.jenkins.io/email-ext/
+                step([$class: 'Mailer',
+                    notifyEveryUnstableBuild: true,
+                    recipients: env.DEFAULT_MAIL_RECIPIENT,
+                    sendToIndividuals: false])
+
+                sh """#!/bin/bash -ex
+                    if [ "${verbose}" -ge 1 ]
+                    then
+                        df -h
+                    fi
+                """
+            } catch (Exception e) {
+                println 'Could not send email: ' + e
+            }
+        }
+    }
+}