Commit 2d3bce58 authored by Carsten Heidmann's avatar Carsten Heidmann

Introduce vulnerability scan

Motivation:

Since we are providing a service that is open to the public, we should be aware of vulnerabilities in our code as well as in our libraries. For our own code we already have Sonja, which covers at least some of it; for the dependencies there is a Maven plugin.

Modifications:

Add the Maven Dependency-Check plugin (https://jeremylong.github.io/DependencyCheck/index.html) to the build.

Result:

The plugin binds to the verify stage of the Maven build and lets the build fail if there are vulnerabilities with a score greater than or equal to the configured CVSS value (currently 8)

Target: master

Request:

Acked-by: @femiadeyemi

Pull-request: !9
parent 1d53ec34
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-core-5.3.2.RELEASE.jar
]]></notes>
<sha1>83fed9c3ee4a014b6a6cacfc7042eb325dca6766</sha1>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-oauth2-core-5.3.2.RELEASE.jar
]]></notes>
<sha1>42e8581002bdeef63f9352a9b45bcdb98e3bc09f</sha1>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: tomcat-embed-core-9.0.35.jar
]]></notes>
<sha1>8a99064fce4b152a7dc9bea1798ba828a2cecf0f</sha1>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-oauth2-jose-5.3.2.RELEASE.jar
]]></notes>
<sha1>e510e9b163651fff85670045e8be2c549c51b3b7</sha1>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-web-5.3.2.RELEASE.jar
]]></notes>
<sha1>c2459ad6f4c56754d4938a71ffd2426dea46d4e1</sha1>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: tomcat-embed-websocket-9.0.35.jar
]]></notes>
<sha1>62ab2d7d7d029ea728ea8f8d3151ba93882b52ca</sha1>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-config-5.3.2.RELEASE.jar
]]></notes>
<sha1>88b84564a3db5c39e2a8c171520022d2d1a67607</sha1>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
<suppress until="2020-09-30Z">
<notes><![CDATA[
file name: spring-security-oauth2-client-5.3.2.RELEASE.jar
]]></notes>
<sha1>a215800d7d52bee5fca23df7077d0e606eee5105</sha1>
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
</suppress>
</suppressions>
\ No newline at end of file
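Review bot: Every `<suppress>` entry here silences all findings matched through the listed CPEs for that jar (e.g. `cpe:/a:apache:tomcat` for tomcat-embed-core-9.0.35.jar), but the `<notes>` record only the file name, not which finding was suppressed or why, so a reviewer cannot tell a CPE mis-match from an accepted real vulnerability, and any new CVE published against those CPEs before the `until` date is hidden as well. Each note should state the finding and the reason, e.g. `reason: false positive — CPE matches the product, not this artifact; finding: <CVE id placeholder>` inside the CDATA, and where the suppression targets one specific finding a `<cve>` element scoped to that id is safer than suppressing the whole CPE. The `until="2020-09-30Z"` expiry is good practice; a comment at the top of the file saying that expired entries must be re-reviewed rather than just re-dated would make the intent explicit.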
......@@ -17,6 +17,8 @@
<properties>
<java.version>11</java.version>
<version.spring-webmvc>5.2.6.RELEASE</version.spring-webmvc>
<dependency-check-maven.version>5.3.2</dependency-check-maven.version>
<dependency-check-maven.cvss-threshold>8</dependency-check-maven.cvss-threshold>
<!--suppress UnresolvedMavenProperty -->
<sonar.token>${env.SONAR_AUTH_TOKEN}</sonar.token>
</properties>
......@@ -55,6 +57,22 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<configuration>
<failBuildOnCVSS>${dependency-check-maven.cvss-threshold}</failBuildOnCVSS>
<suppressionFile>dependency-check-suppressions.xml</suppressionFile>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
<pluginManagement>
<plugins>
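Review bot: `<suppressionFile>dependency-check-suppressions.xml</suppressionFile>` is a bare relative path; depending on how the plugin resolves it, a build started from another directory or as part of a multi-module reactor may not find the file, in which case the check runs without the suppressions or errors out. Anchoring it as `<suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>` removes that ambiguity. Separately, `failBuildOnCVSS` set to 8 via `dependency-check-maven.cvss-threshold` (first hunk) lets findings scored 7.0–7.9 pass without failing the build; a short `<!-- … -->` comment next to that property stating why 8 was chosen and who reviews the report for lower scores would help the next maintainer. The enclosing `<plugins>` element starts and ends outside the hunk.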
......