Bump jetty-server from 10.0.2 to 10.0.3 (#38)

* Bump jetty-server from 10.0.2 to 10.0.3 Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 10.0.2 to 10.0.3. - [Release notes](https://github.com/eclipse/jetty.project/releases) - [Commits](jetty/jetty.project@jetty-10.0.2...jetty-10.0.3) --- updated-dependencies: - dependency-name: org.eclipse.jetty:jetty-server dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * adjust suppressions to not trigger for jetty-servlet-api Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com>
cryptomator · Jun 24, 2021 · 99594ed · 99594ed
1 parent a9bda98
commit 99594ed
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 34 deletions.
diff --git a/pom.xml b/pom.xml
@@ -20,7 +20,7 @@
 		<!-- dependencies -->
 		<webdavservlet.version>1.2.0</webdavservlet.version>
 		<dagger.version>2.32</dagger.version>
-		<jetty.version>10.0.2</jetty.version>
+		<jetty.version>10.0.3</jetty.version>
 		<guava.version>30.1-jre</guava.version>
 		<slf4j.version>1.7.30</slf4j.version>
 

diff --git a/suppression.xml b/suppression.xml
@@ -2,40 +2,15 @@
 <!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5045</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5046</cve>
-	</suppress>
+		<notes><![CDATA[
+		Suppress all for this javax.servlet api package:
+		There are lots of false positives, simply because its version number is way beyond the remaining
+		org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
 
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-9735</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7656</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7657</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7658</cve>
-	</suppress>
-
-	<suppress>
-		<notes><![CDATA[ Fixed since jetty-server 10.0.0.beta2 ]]></notes>
+		As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
+		vulnerabilities will still trigger if we actually use an outdated Jetty version.
+		]]></notes>
 		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2020-27216</cve>
+		<cpe regex="true">.*</cpe>
 	</suppress>
 </suppressions>