Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps):[#xxx] fix OWASP dependency errors #729

Merged
merged 15 commits into from
Jan 26, 2024
Merged

chore(deps):[#xxx] fix OWASP dependency errors #729

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
de0c9b0
chore(deps):[#xxx] update logback.version to 1.4.14 because of CVE-20…
dsmf Jan 22, 2024
a5ea055
chore(deps):[#xxx] correct scope for logback dependency
dsmf Jan 22, 2024
c07d38a
chore(deps):[#xxx] remove unused maven property graal-sdk.version
dsmf Jan 22, 2024
d88a890
chore(deps):[#xxx] add owasp suppression for CVE-2024-20932
dsmf Jan 22, 2024
03b903b
chore(deps):[#xxx] Update CHANGELOG.md
dsmf Jan 22, 2024
8cf2d36
Merge remote-tracking branch 'origin/main' into chore/update-dependen…
dsmf Jan 22, 2024
d290dbe
chore(deps):[#xxx] Undo unintended autoformatting in CHANGELOG.md
dsmf Jan 23, 2024
e02d3c1
Merge remote-tracking branch 'origin/main' into chore/update-dependen…
dsmf Jan 23, 2024
5441109
chore(deps):[#xxx] Update DEPENDENCIES file
dsmf Jan 23, 2024
b8a96fc
chore(deps):[#xxx] add suppression for CVE-2023-51074 because only us…
dsmf Jan 25, 2024
4d87e64
Merge remote-tracking branch 'origin/main' into chore/update-dependen…
dsmf Jan 26, 2024
4dceefb
chore(deps):[#xxx] fix suppression for CVE-2023-51074 because only us…
dsmf Jan 26, 2024
2b375d9
chore(deps):[#xxx] fix spring-core-6.0.14.jar: CVE-2024-22233(7.5) by…
dsmf Jan 26, 2024
8bada17
chore(deps):[#xxx] update DEPENDENCIES file
dsmf Jan 26, 2024
2042dd3
chore(deps):[#xxx] correct CHANGELOG.md
dsmf Jan 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .config/owasp-suppressions.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,11 @@
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2023-22006</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). This is not exploitable in IRS.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2024-20932</vulnerabilityName>
</suppress>
</suppressions>
5 changes: 4 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]

### Changed

- Updated license header to "Copyright (c) 2021,2024 Contributors to the Eclipse Foundation"
- Changed lookupGlobalAssetIds to lookupShellsByBPN, which provides full object.
- Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS.

### Fixed
- Fixed CVE-2023-6378 by custom dependency management entry for logback (1.4.14).

## [4.4.0] - 2024-01-15
### Added
Expand Down
4 changes: 2 additions & 2 deletions DEPENDENCIES
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
maven/mavencentral/ch.qos.logback/logback-classic/1.4.11, EPL-1.0 OR LGPL-2.1-only, approved, #3435
maven/mavencentral/ch.qos.logback/logback-core/1.4.11, EPL-1.0 OR LGPL-2.1-only, approved, #3373
maven/mavencentral/ch.qos.logback/logback-classic/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3435
maven/mavencentral/ch.qos.logback/logback-core/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3373
maven/mavencentral/com.aayushatharva.brotli4j/brotli4j/1.11.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.aayushatharva.brotli4j/native-linux-aarch64/1.11.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.aayushatharva.brotli4j/native-linux-x86_64/1.11.0, Apache-2.0, approved, clearlydefined
Expand Down
14 changes: 14 additions & 0 deletions irs-parent-spring-boot/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@
<name>IRS Spring Boot Parent</name>
<description>Parent module for Spring Boot modules.</description>

<properties>
<logback.version>1.4.14</logback.version>
</properties>

<dependencyManagement>
<dependencies>
<dependency>
Expand All @@ -24,6 +28,16 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>${logback.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

Expand Down
1 change: 0 additions & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,6 @@
<okio-jvm.version>3.5.0</okio-jvm.version>
<bc-jdk18on.version>1.76</bc-jdk18on.version>
<wiremock-standalone.version>3.2.0</wiremock-standalone.version>
<graal-sdk.version>23.1.0</graal-sdk.version>
<jsoup.version>1.16.1</jsoup.version>
<jsonschemafriend.version>0.12.0</jsonschemafriend.version>
<commons-io.version>2.14.0</commons-io.version>
Expand Down