Update dependencies #6277

Merged
merged 20 commits into from Jul 17, 2020
Merged
13 changes: 13 additions & 0 deletions .circleci/config.yml
Expand Up @@ -204,6 +204,19 @@ jobs:
- store_test_results:
path: test/selenium/test_out/junit

test-deps:
<<: *defaults
machine: true
steps:
- checkout
- restore-gradle-cache
- run: ./gradlew --no-daemon dependencyCheckAggregate --stacktrace --info
- store_test_results:
path: build/owasp-reports
- store_artifacts:
path: build/owasp-reports
prefix: owasp-reports

snapshot-publish:
<<: *defaults
executor: gradle-docker
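Review bot: The new `test-deps` job is defined here but nothing in this hunk attaches it to a workflow; unless the `workflows` section (outside the hunk) references it, the OWASP scan never runs on CircleCI, so that is worth confirming. The job restores the Gradle cache, but the dependency-check NVD database is presumably downloaded on every run unless the plugin's data directory is also cached, which makes the job slow and dependent on nvd.nist.gov being reachable — consider adding that directory to the cache steps. `store_test_results` on `build/owasp-reports` relies on the JUnit XML that `build.gradle` writes under `build/owasp-reports/junit`; the HTML report landing in the same tree is harmless but is also already covered by `store_artifacts`.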
4 changes: 4 additions & 0 deletions .travis.yml
Expand Up @@ -139,6 +139,10 @@ jobs:
- script_block 'docker.pull' pull_rundeck
- script_block 'selenium' 'bash test/ci-test-docker-selenium.sh'

- env: JOB='OWASP Dependency Check'
script:
- script_block 'owasp' './gradlew dependencyCheckAggregate'

# # Stage: snapshot release publishes snapshot artifacts to external repositories
- stage: snapshot release
script:
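Review bot: The Travis invocation `./gradlew dependencyCheckAggregate` omits the `--no-daemon --stacktrace --info` flags the CircleCI `test-deps` job passes, so a failure here will surface less diagnostic output and the two CI paths may behave differently; `- script_block 'owasp' './gradlew --no-daemon dependencyCheckAggregate --stacktrace'` keeps them aligned. There is also no artifact step for `build/owasp-reports` on Travis, so a failed run leaves no report to inspect unless the log is enough.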
9 changes: 9 additions & 0 deletions build.gradle
Expand Up @@ -44,6 +44,7 @@ buildscript {
classpath 'com.google.gradle:osdetector-gradle-plugin:1.4.0'
classpath 'com.jfrog.bintray.gradle:gradle-bintray-plugin:1.8.4'
classpath group: 'org.yaml', name: 'snakeyaml', version: '1.26'
classpath 'org.owasp:dependency-check-gradle:5.3.2'
}
}

Expand All @@ -58,6 +59,14 @@ apply plugin: 'nexus-workflow'
apply plugin: 'eclipse';
apply plugin: 'idea'
apply plugin: 'com.google.osdetector'
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
suppressionFile='cve-suppress.xml'
formats=['HTML','JUNIT']
outputDirectory='build/owasp-reports/junit'
failBuildOnCVSS=8
}

/*
* Project configuration:
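Review bot: `failBuildOnCVSS=8` means findings scored 7.0–7.9, which NVD classifies as High, do not fail the build; if the intent is to gate on High and above, `failBuildOnCVSS=7` is the usual threshold, and the chosen value deserves a one-line comment either way. `outputDirectory='build/owasp-reports/junit'` receives both the HTML and the JUnit report, so the directory name is misleading; `outputDirectory='build/owasp-reports'` with the CI `store_test_results` path unchanged would still be picked up since JUnit discovery is recursive. The suppression file is referenced by a relative path, which resolves against the root project here but would not if `dependencyCheck` were ever applied per subproject.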
6 changes: 3 additions & 3 deletions core/build.gradle
Expand Up @@ -63,16 +63,16 @@ dependencies {
exclude group:'com.google.code.findbugs', module: 'jsr305'
}

compile 'org.apache.ant:ant:1.9.13',
compile 'org.apache.ant:ant:1.9.15',
'org.slf4j:slf4j-api:1.7.30',
'commons-codec:commons-codec:1.11',
'commons-beanutils:commons-beanutils:1.9.4',
'commons-collections:commons-collections:3.2.2',
'commons-lang:commons-lang:2.6',
'org.dom4j:dom4j:2.1.1',
'org.dom4j:dom4j:2.1.3',
'jaxen:jaxen:1.1.6',
'commons-cli:commons-cli:1.0',
'org.apache.ant:ant-jsch:1.9.13',
'org.apache.ant:ant-jsch:1.9.15',
'com.jcraft:jsch:0.1.55',
'com.jcraft:jsch.agentproxy.jsch:0.0.9',
'com.jcraft:jsch.agentproxy.sshagent:0.0.9',
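--- a/cve-suppress.xml
+++ b/cve-suppress.xml
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<suppress>
+<notes><![CDATA[
+file name: rundeck-ansible-plugin-3.1.0.jar
+]]></notes>
+<!-- <packageUrl regex="true">^pkg:maven/com\.github\.Batix/rundeck\-ansible\-plugin@.*$</packageUrl>-->
+<cve>CVE-2020-11009</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: rundeck-oracle-dialect-1.0.0.jar
+]]></notes>
+<!-- <packageUrl regex="true">^pkg:maven/org\.rundeck\.hibernate/rundeck\-oracle\-dialect@.*$</packageUrl>-->
+<cve>CVE-2019-6804</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: asset-pipeline-grails-3.0.10.jar
+]]></notes>
+<cpe>cpe:/a:grails:grails</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-1.9.13.jar
+]]></notes>
+<sha1>7aff87f91ffda6916751e39bb5688f0a53710ec4</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-1.9.7.jar
+]]></notes>
+<sha1>3b2a10512ee6537d3852c9b693a0284dcab5de68</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-antlr-1.9.13.jar
+]]></notes>
+<sha1>d5b701718c6de5620fa78e0aedb64cdcae1336cf</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-junit-1.9.13.jar
+]]></notes>
+<sha1>618f3aac074fabfea4712db2635409a592da9ecd</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-launcher-1.9.13.jar
+]]></notes>
+<sha1>24cf1a899bb4b69373dc4cd000bb52a9f46c459d</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: ant-launcher-1.9.7.jar
+]]></notes>
+<sha1>224857a490283e72da13ffe3082dea62c558ec76</sha1>
+<cpe>cpe:/a:apache:ant</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: bcpg-jdk15on-1.66.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg\-jdk15on@.*$</packageUrl>
+<cpe>cpe:/a:openpgp:openpgp</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: bcpg-jdk15on-1.66.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg\-jdk15on@.*$</packageUrl>
+<cpe>cpe:/a:openpgp:openpgp</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: bcpg-jdk15on-1.66.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg\-jdk15on@.*$</packageUrl>
+<cve>CVE-2001-0265</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: bcpg-jdk15on-1.66.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg\-jdk15on@.*$</packageUrl>
+<cve>CVE-2001-0381</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: commons-beanutils-1.8.3.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
+<cpe>cpe:/a:apache:commons_beanutils</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: commons-beanutils-1.8.3.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
+<vulnerabilityName>CVE-2014-0114</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: commons-beanutils-1.8.3.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/commons\-beanutils/commons\-beanutils@.*$</packageUrl>
+<vulnerabilityName>CVE-2019-10086</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: protobuf-java-2.5.0.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf\-java@.*$</packageUrl>
+<vulnerabilityName>CVE-2015-5237</vulnerabilityName>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: minio-6.0.13.jar
+not related to minio-java
+]]></notes>
+<packageUrl regex="true">^pkg:maven/io\.minio/minio@.*$</packageUrl>
+<cve>CVE-2018-1000538</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: minio-6.0.13.jar
+not related to minio-java
+]]></notes>
+<packageUrl regex="true">^pkg:maven/io\.minio/minio@.*$</packageUrl>
+<cve>CVE-2020-11012</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: rundeck-object-store-plugin-3.3.1-SNAPSHOT.jar: minio-6.0.10.jar
+]]></notes>
+<sha1>cb7a02912350946087f19b0e4fb24d8ee83db66c</sha1>
+<cve>CVE-2018-1000538</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: rundeck-object-store-plugin-3.3.1-SNAPSHOT.jar: minio-6.0.10.jar
+]]></notes>
+<sha1>cb7a02912350946087f19b0e4fb24d8ee83db66c</sha1>
+<cve>CVE-2020-11012</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: tomcat-embed-logging-log4j-8.5.2.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-logging\-log4j@.*$</packageUrl>
+<cpe>cpe:/a:apache:tomcat</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: tomcat-embed-logging-log4j-8.5.2.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-logging\-log4j@.*$</packageUrl>
+<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: tomcat-embed-logging-log4j-8.5.2.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-logging\-log4j@.*$</packageUrl>
+<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: spring-security-web-5.1.8.RELEASE.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl>
+<cve>CVE-2018-1258</cve>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: spring-security-core-5.1.8.RELEASE.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
+<cve>CVE-2018-1258</cve>
+</suppress>
+</suppressions>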
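Review bot: The first two `<suppress>` entries have their `<packageUrl>` selector commented out, so `CVE-2020-11009` and `CVE-2019-6804` are suppressed for every dependency in the project rather than for the rundeck-ansible-plugin and rundeck-oracle-dialect jars the notes name; restoring the two `<packageUrl regex="true">…</packageUrl>` lines (or a `<sha1>` for each jar) scopes them correctly. The remaining `packageUrl` regexes end in `@.*$`, which keeps the suppression alive across version changes — the commons-beanutils notes cite 1.8.3 while core/build.gradle declares 1.9.4 — so pinning the version in the regex or adding an `until="YYYY-MM-DD"` attribute on `<suppress>` would force periodic re-review. The bcpg `cpe:/a:openpgp:openpgp` entry appears twice verbatim and the second copy can be dropped. Most `<notes>` record only a file name; a one-line reason (false-positive CPE match, component not used, fixed in this version) is what a later reader needs to judge whether the suppression still holds.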
5 changes: 0 additions & 5 deletions locallib/README.md

This file was deleted.

Binary file removed locallib/not-yet-commons-ssl-0.3.17.jar
Binary file not shown.