Commit 90b6d9ff authored by femiadeyemi's avatar femiadeyemi

update list of OWASP checks and upgrade spring boot

Motivation:

Some reported vulnerabilities of the dependencies by OWASP make
the pipeline broken.

Modification:

- upgrade spring boot starter parent version from 2.3.5.RELEASE
    to 2.3.10.RELEASE
- upgrade hibernate-validator from 6.0.19.Final to 6.2.0.Final
- upgrade neo4j-java-driver-spring-boot-starter from 4.1.1.0
    to 4.2.4.0
- update list of OWASP checks and suppress some false positive
    alarms

Result:

Build pipeline succeeds.

Target: master
parent 92e4e164
Pipeline #73468 passed with stages
in 9 minutes and 48 seconds
......@@ -942,4 +942,67 @@
<sha1>50b2288fd134ea456695d9cc1ca037a88fe0d309</sha1>
<cve>CVE-2007-4723</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: hibernate-validator-7.0.0.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate\-validator@.*$</packageUrl>
<cve>CVE-2020-10693</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: lang-tag-1.4.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
<cve>CVE-2020-29242</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: lang-tag-1.4.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
<cve>CVE-2020-29243</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: lang-tag-1.4.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
<cve>CVE-2020-29244</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: lang-tag-1.4.4.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
<cve>CVE-2020-29245</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: neo4j-java-driver-4.1.1.jar (shaded: io.netty:netty-transport:4.1.51.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cve>CVE-2021-21290</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: neo4j-java-driver-4.1.1.jar (shaded: io.netty:netty-transport:4.1.51.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cve>CVE-2021-21295</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: neo4j-java-driver-4.1.1.jar (shaded: io.netty:netty-transport:4.1.51.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
<cve>CVE-2021-21409</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: websocket-server-9.4.39.v20210325.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.websocket/websocket\-server@.*$</packageUrl>
<cve>CVE-2009-1890</cve>
</suppress>
</suppressions>
\ No newline at end of file
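Review bot: Every new `<suppress>` entry in this hunk uses a `packageUrl` ending in `@.*$`, so the suppression covers all versions of the package, and each `<notes>` records only a jar file name with no reason the finding is a false positive and no `until` date that would force a re-check. The hibernate-validator entry names `hibernate-validator-7.0.0.Final.jar` while the pom in this same commit pins 6.2.0.Final, and the three netty entries name `neo4j-java-driver-4.1.1.jar`, the driver version this commit replaces with 4.2.4.0, so it is unclear which artifacts these suppressions were actually written against. CVE-2021-21290, CVE-2021-21295 and CVE-2021-21409 are fixes in netty itself rather than CPE mismatches, so if the netty shaded into the new driver is still below the fixed releases the blanket suppression hides a genuine finding; CVE-2009-1890 matched against jetty websocket-server, by contrast, is an Apache HTTP Server advisory and the note should state that mismatch. Where a suppression is kept, pin it to the version that actually ships and give it an expiry, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date) with `<packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@4\.1\.51\.Final$</packageUrl>` using the version the note itself names.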
......@@ -6,7 +6,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.5.RELEASE</version>
<version>2.3.10.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
......@@ -24,9 +24,11 @@
<oauth2-oidc-sdk.version>8.3</oauth2-oidc-sdk.version>
<sonar-maven-plugin.version>3.7.0.1746</sonar-maven-plugin.version>
<jacoco-maven-plugin.version>0.8.5</jacoco-maven-plugin.version>
<hibernate-validator.version>6.0.19.Final</hibernate-validator.version>
<dependency-check-maven.version>6.0.3</dependency-check-maven.version>
<hibernate-validator.version>6.2.0.Final</hibernate-validator.version>
<dependency-check-maven.version>6.1.6</dependency-check-maven.version>
<dependency-check-maven.cvss-threshold>8</dependency-check-maven.cvss-threshold>
<neo4j-java-driver-spring-boot-starter.version>4.2.4.0</neo4j-java-driver-spring-boot-starter.version>
<nimbus-jose-jwt.version>7.9</nimbus-jose-jwt.version>
<!--suppress UnresolvedMavenProperty -->
<sonar.token>${env.SONAR_AUTH_TOKEN}</sonar.token>
</properties>
......@@ -49,7 +51,7 @@
<dependency>
<groupId>org.neo4j.driver</groupId>
<artifactId>neo4j-java-driver-spring-boot-starter</artifactId>
<version>4.1.1.0</version>
<version>${neo4j-java-driver-spring-boot-starter.version}</version>
</dependency>
<dependency>
......@@ -91,7 +93,7 @@
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>7.9</version>
<version>${nimbus-jose-jwt.version}</version>
</dependency>
<dependency>
......@@ -186,7 +188,6 @@
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${project.parent.version}</version>
<configuration>
<excludes>
<exclude>