Merge branch 'master' into feature/mini-full-objects

Evolveum · Oct 31, 2023 · eb97bcf · eb97bcf
2 parents 459db99 + f437d8b
commit eb97bcf
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 6 deletions.
diff --git a/config/false-positives.xml b/config/false-positives.xml
@@ -1,11 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <!-- IMPORTANT: It may be bit weird, having first reason for suppresion, then the issue suppresed, but dependency-chek uses strict schema and they decided on that order of elements. When any of suppresion has notes and cve reordered, it will not load suppression file
+  <!-- IMPORTANT: It may be bit weird, having first reason for suppresion, then the issue suppresed,
+       but dependency-chek uses strict schema and they decided on that order of elements.
+       When any of suppresion has notes and cve reordered, it will not load suppression file
   -->
-
+  <suppress>
+      <notes>False Positive. Jetty is not part of production build of midPoint, it is used only for testing.</notes>
+      <cve>CVE-2023-36478</cve>
+      <cve>CVE-2023-44487</cve>
+      <cve>CVE-2023-40167</cve>
+      <cve>CVE-2023-36479</cve>
+      <cve>CVE-2023-41900</cve>
+  </suppress>
+  <suppress>
+      <notes>
+          False Positive. midPoint does not use crypto-js for any crypthographic functionality. crypto-js is transitive dependency
+          of pdfkit (whose functionality is also not used by midPoint), which is transitive dependency of AdminLTE
+      </notes>
+      <cve>CVE-2023-46233</cve>
+  </suppress>
+  <suppress>
+      <notes>
+          False Positive. CVE is disputed, since library is not used with untrusted data. Janino is not used with user supplied input.
+      </notes>
+      <cve>CVE-2023-33546</cve>
+  </suppress>
+  <suppress>
+      <notes>
+          False Positive. Jackson Databind in midPoint is not used to directly serialize untrusted graph of objects.
+      </notes>
+      <cve>CVE-2023-35116</cve>
+  </suppress>
+  <suppress>
+      <notes>
+          False Positive. Apache Ivy is transitive dependency via Groovy 4.0 All (intended for Groovy Scripting Support).
+          MidPoint and build system does not use Apache Ivy.
+      </notes>
+      <cve>CVE-2022-46751</cve>
+  </suppress>
   <suppress>
     <notes>
-      False Positive. CVE was withdrawn from NVD NIST, since investigation of original CVE showed it was not a security issue, but tooling still reports it as issue. 
+      False Positive. CVE was withdrawn from NVD NIST, since investigation of original CVE showed it was not a security issue, but tooling still reports it as issue.
     </notes>
     <cve>CVE-2021-23334</cve>
   </suppress>
@@ -23,7 +58,7 @@
   </suppress>
   <suppress>
     <notes>
-      False Positive. MidPoint binaries does not contain or use Berkeley DB Java Edition in deployment. It is only used in unit testing libraries.  
+      False Positive. MidPoint binaries does not contain or use Berkeley DB Java Edition in deployment. It is only used in unit testing libraries.
     </notes>
     <cve>CVE-2017-3604</cve>
     <cve>CVE-2017-3605</cve>
@@ -208,7 +243,7 @@
     </notes>
     <cve>CVE-2021-23937</cve>
   </suppress>
-  
+
   <!-- Busybox: Busybox is not used by midPoint, but is part of docker container. -->
   <suppress>
     <notes>
@@ -253,5 +288,5 @@
       False Positive. MidPoint and Wicket are not used to display HTML from untrusted sources.
     </notes>
     <cve>CVE-2020-11023</cve>
-  </suppress>  
+  </suppress>
 </suppressions>
diff --git a/dist/src/main/bin/ninja.sh b/dist/src/main/bin/ninja.sh
@@ -27,6 +27,8 @@ JAVA_OPTS="${JAVA_OPTS:- }"
 
 JAVA_def_Xms="1g"
 JAVA_def_Xmx="2g"
+JAVA_def_trustStore="keystore.jceks"
+JAVA_def_trustStoreType="jceks"
 ENV_MAP_PREFIX="MP_SET_"
 ENV_UNMAP_PREFIX="MP_UNSET_"
 
@@ -187,6 +189,8 @@ if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Xms[0-9]"); then
 fi
 
 if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Dmidpoint.home="); then JAVA_OPTS="${JAVA_OPTS:-} -Dmidpoint.home=\"${MIDPOINT_HOME}\""; fi
+if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Djavax.net.ssl.trustStore="); then JAVA_OPTS="${JAVA_OPTS:-} -Djavax.net.ssl.trustStore=\"${MIDPOINT_HOME}/${JAVA_def_trustStore}\""; fi
+if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Djavax.net.ssl.trustStoreType="); then JAVA_OPTS="${JAVA_OPTS:-} -Djavax.net.ssl.trustStoreType=${JAVA_def_trustStoreType}"; fi
 
 # clean up white spaces in case of key/value removal from the original JAVA_OPTS parameter set
 JAVA_OPTS="$(echo "${JAVA_OPTS:-}" | tr -s [[:space:]] " " | sed "s/^[[:space:]]//;s/[[:space:]]$//")"