Address OWASP findings (#6414)

codice · Jan 12, 2021 · ed92cb0 · ed92cb0
1 parent ac38f84
commit ed92cb0
Show file tree

Hide file tree

Showing 12 changed files with 27 additions and 37 deletions.
diff --git a/catalog/transformer/catalog-transformer-pptx/pom.xml b/catalog/transformer/catalog-transformer-pptx/pom.xml
@@ -109,11 +109,6 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${log4j.version}</version>
-        </dependency>
     </dependencies>
 
     <build>

diff --git a/catalog/ui/search-ui/simple/pom.xml b/catalog/ui/search-ui/simple/pom.xml
@@ -28,16 +28,6 @@
         <maven.build.timestamp.format>yyyyMMddHHmm</maven.build.timestamp.format>
     </properties>
     <dependencies>
-        <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>${commons-lang.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-servlets</artifactId>
-            <version>${jetty.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
@@ -151,8 +141,6 @@
                         </_wab>
                         <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
                         <Embed-Dependency>
-                            commons-lang,
-                            jetty-servlets,
                             jsoup
                         </Embed-Dependency>
                         <Export-Package />

diff --git a/dependency-check-maven-config.xml b/dependency-check-maven-config.xml
@@ -150,6 +150,23 @@
         <cve>CVE-2020-11980</cve>
     </suppress>
 
+    <suppress>
+        <notes>
+            Zookeeper is the only thing still using Log4J, and it has suppressions for both the
+            following CVEs.
+
+            CVE-2019-17571  https://issues.apache.org/jira/browse/ZOOKEEPER-3677 (Zookeeper not affected)
+            CVE-2020-9488   https://issues.apache.org/jira/browse/ZOOKEEPER-3817 (DDF not affected,
+                            doesn't configure Zookeeper with an SMTPAppender)
+
+            Once Zookeeper migrates to Log4J2, we can remove this suppression. See
+            https://issues.apache.org/jira/browse/ZOOKEEPER-2342
+        </notes>
+        <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
+        <cve>CVE-2019-17571</cve>
+        <cve>CVE-2020-9488</cve>
+    </suppress>
+
     <suppress>
         <notes>
             httpd vulnerabilities do not apply to CXF

diff --git a/features/pom.xml b/features/pom.xml
@@ -90,7 +90,7 @@
         <cxf.geronimo.jta.version>1.1.1</cxf.geronimo.jta.version>
         <!-- CXF Guava version must match DDF Guava version to avoid OSGi uses constraint violations -->
         <cxf.guava.version>${guava.version}</cxf.guava.version>
-        <cxf.hazelcast.version>3.12.7</cxf.hazelcast.version>
+        <cxf.hazelcast.version>${hazelcast.version}</cxf.hazelcast.version>
         <cxf.hibernate.validator.version>6.1.4.Final</cxf.hibernate.validator.version>
         <cxf.httpcomponents.asyncclient.version>4.1.4</cxf.httpcomponents.asyncclient.version>
         <cxf.httpcomponents.client.version>4.5.12</cxf.httpcomponents.client.version>

diff --git a/platform/admin/core/admin-core-appservice/pom.xml b/platform/admin/core/admin-core-appservice/pom.xml
@@ -41,7 +41,6 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-http</artifactId>
-            <version>${jetty.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>

diff --git a/platform/admin/core/admin-core-jolokia/pom.xml b/platform/admin/core/admin-core-jolokia/pom.xml
@@ -42,7 +42,7 @@
         <dependency>
             <groupId>org.jolokia</groupId>
             <artifactId>jolokia-osgi</artifactId>
-            <version>1.2.3</version>
+            <version>1.6.2</version>
         </dependency>
     </dependencies>
     <build>

diff --git a/platform/error/platform-error-impl/pom.xml b/platform/error/platform-error-impl/pom.xml
@@ -48,7 +48,6 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-util</artifactId>
-            <version>${jetty.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>

diff --git a/platform/platform-paxweb-jettyconfig/pom.xml b/platform/platform-paxweb-jettyconfig/pom.xml
@@ -35,7 +35,6 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-xml</artifactId>
-            <version>${jetty.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -80,7 +79,6 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-security</artifactId>
-            <version>${jetty.version}</version>
         </dependency>
         <dependency>
             <groupId>ddf.platform</groupId>

diff --git a/platform/pom.xml b/platform/pom.xml
@@ -182,16 +182,6 @@
                 <artifactId>spring-core</artifactId>
                 <version>${spring.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-server</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-servlet</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
             <dependency>
                 <groupId>xerces</groupId>
                 <artifactId>xercesImpl</artifactId>

diff --git a/platform/security/filter/security-filter-csrf/pom.xml b/platform/security/filter/security-filter-csrf/pom.xml
@@ -54,7 +54,6 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-http</artifactId>
-            <version>${jetty.version}</version>
         </dependency>
     </dependencies>
     <build>

diff --git a/platform/security/servlet/security-servlet-web-socket-api/pom.xml b/platform/security/servlet/security-servlet-web-socket-api/pom.xml
@@ -44,7 +44,6 @@
         <dependency>
             <groupId>org.eclipse.jetty.websocket</groupId>
             <artifactId>websocket-servlet</artifactId>
-            <version>${jetty.version}</version>
         </dependency>
     </dependencies>
     <build>

diff --git a/pom.xml b/pom.xml
@@ -239,7 +239,6 @@
         <jwnl.version>1.3.3</jwnl.version>
         <karaf.version>4.2.9</karaf.version>
         <la4j.version>0.6.0</la4j.version>
-        <log4j.version>1.2.17</log4j.version>
         <apache-log4j.version>2.11.2</apache-log4j.version>
         <logback.classic.version>1.2.3</logback.classic.version>
         <logback.version>1.2.3</logback.version>
@@ -280,7 +279,7 @@
         <quartz.version>2.3.2</quartz.version>
         <require-css.version>0.1.10</require-css.version>
         <sardine.version>5.7</sardine.version>
-        <hazelcast.version>3.12.3</hazelcast.version>
+        <hazelcast.version>3.12.10</hazelcast.version>
         <saxon.version>9.6.0-4</saxon.version>
         <servicemix.bundles.poi.version>${poi.version}_1</servicemix.bundles.poi.version>
         <servicemix.bundles.jaxb.version>${jaxb.version}_2</servicemix.bundles.jaxb.version>
@@ -423,6 +422,13 @@
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-bom</artifactId>
+                <version>${jetty.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
             <!-- END: BOMs -->
 
             <dependency>