Commit b40ae6a0 authored by femiadeyemi's avatar femiadeyemi
Browse files

update list of OWASP checks and upgrade spring boot

Motivation:

Some reported vulnerabilities of the dependencies by OWASP make
the pipeline broken.

Modification:

- upgrade spring boot starter parent version from 2.3.5.RELEASE
    to 2.3.12.RELEASE
- update list of OWASP check and supress some false positive
    alarms

Result:

Build pipeline succeeds.

Target: master
parent 96c990e3
Pipeline #84983 passed with stages
in 4 minutes and 51 seconds
......@@ -262,4 +262,46 @@
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-continuation@.*$</packageUrl>
<cve>CVE-2019-17638</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: accessors-smart-1.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl>
<cpe>cpe:/a:json-smart_project:json-smart-v1</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: accessors-smart-1.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl>
<cpe>cpe:/a:json_smart_project:json_smart</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: json-smart-2.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
<cve>CVE-2021-27568</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-5.2.14.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
<cve>CVE-2021-22118</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: websocket-client-9.4.39.v20210325.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.websocket/websocket\-client@.*$</packageUrl>
<cve>CVE-2021-28169</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: websocket-server-9.4.39.v20210325.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.websocket/websocket\-server@.*$</packageUrl>
<cve>CVE-2021-28169</cve>
</suppress>
</suppressions>
......@@ -5,7 +5,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.5.RELEASE</version>
<version>2.3.12.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>de.helmholtz.marketplace</groupId>
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment