Added mao's scanning actions from FINOS security scanning

[robmoffat]

No description provided.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: robmoffat / name: Rob Moffat (4bb4bd8, 4339b8d, 5e89474, 69f7716, 5c12d5c, 695441c, 85d112d, 1da9430, 8c0b44f, ea4c06d, a25fe81, cc1e01c, 3808ffe, a02555d, be7da57, 75d3fce, f026737, d6de9c9)
• ✅ login: web-flow / name: GitHub Web Flow (cc1e01c, f026737, d6de9c9)
• ✅ login: maoo / name: Maurizio Pillitu (d3a7ebb, a22c517)

[TheJuanAndOnly99]

/easycla

[jarias-lfx]

/easycla

[robmoffat]

@maoo @vaibhav-db

this basically works now, except that there is a new critical CVE for Spring Boot and so our white source / Dependency Checks are failing.

Once a new version gets published we can release. Please review + approve.

[maoo]

@robmoffat - apparently spring-web-5.3.26.jar is affected by CVE-2016-1000027 , which states:

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

If you don't use spring-web for deserialization of untrusted data (that is, data that is manually entered), I'd suggest to add this to allow-list.xml with a note that explains why the CVE can be safely ignored; see https://nvd.nist.gov/vuln/detail/cve-2016-1000027

[robmoffat]

@vaibhav-db let's review. Also took out white source for future PRs