jlengrand/helidon
1
0
Fork 0
mirror of https://github.com/jlengrand/helidon.git synced 2026-03-10 00:11:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add owasp dependency-check-maven plugin (#2472)

Browse Source 
* Add owasp dependency-check-maven plugin and script
This commit is contained in:
Joe DiPol
2020-10-21 13:47:02 -07:00
committed by GitHub
parent 4204ce51ae
commit 62b4b562d5
9 changed files with 247 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/tests/pom.xml
View File

@@ -35,6 +35,7 @@
<maven.sources.skip>true</maven.sources.skip>
<maven.javadoc.skip>true</maven.javadoc.skip>
<spotbugs.skip>true</spotbugs.skip>
<dependency-check.skip>true</dependency-check.skip>
</properties>
<modules>

1
etc/copyright-exclude.txt
View File

@@ -46,3 +46,4 @@ archetype-resources/pom.xml
src/main/java/org/jboss/weld/bean/proxy/ProxyFactory.java
etc/THIRD_PARTY_LICENSES.xml
etc/HELIDON_THIRD_PARTY_LICENSES.xml
etc/dependency-check-suppression.xml

138
etc/dependency-check-suppression.xml Normal file
View File

@@ -0,0 +1,138 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
<!-- Applies to Oracle HTTP Server -->
<suppress>
<notes><![CDATA[
file name: helidon-microprofile-server-2.1.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.helidon\.microprofile\.server/helidon\-microprofile\-server@.*$</packageUrl>
<cpe>cpe:/a:oracle:http_server</cpe>
</suppress>
<!-- Applies to Processing:Processing -->
<suppress>
<notes><![CDATA[
file name: jsonp-jaxrs-1.1.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.glassfish/jsonp\-jaxrs@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: jakarta.json-api-1.1.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.json/jakarta\.json\-api@.*$</packageUrl>
<cpe>cpe:/a:processing:processing</cpe>
</suppress>
<!-- We use snakeyaml for reading local configuration, so this CVE
does not apply to our use case. For more information:
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
https://bitbucket.org/asomov/snakeyaml/wiki/Changes
-->
<suppress>
<notes><![CDATA[
file name: snakeyaml-1.24.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<cve>CVE-2017-18640</cve>
</suppress>
<!-- weld-probe-core contains META-INF/client/probe.js which has some javascript
CVEs. This javascript appears to be for developement and is never served
by Helidon. So we exclude these CVEs
-->
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2015-9251</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2018-14040</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2018-14041</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2018-14042</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2019-11358</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2019-8331</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2020-11022</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<cve>CVE-2020-11023</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: weld-probe-core-3.1.4.Final.jar: probe.js
]]></notes>
<packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>
<vulnerabilityName>reDOS - regular expression denial of service</vulnerabilityName>
</suppress>
<!-- End of Weld/javascript related supressions -->
<!-- This CVE is against the etcd server. We ship a Java client -->
<suppress>
<notes><![CDATA[
file name: etcd4j-2.17.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.mousio/etcd4j@.*$</packageUrl>
<cpe>cpe:/a:etcd:etcd</cpe>
</suppress>
<!-- This CVE is against the Java Websocket project. Not the Jakarta WebSocket API.
See https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339
-->
<suppress>
<notes><![CDATA[
file name: jakarta.websocket-api-1.1.2.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/jakarta\.websocket/jakarta\.websocket\-api@.*$</packageUrl>
<cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: javax.websocket-api-1.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-api@.*$</packageUrl>
<cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
</suppress>
</suppressions>

52
etc/scripts/owasp-dependency-check.sh Executable file
View File

@@ -0,0 +1,52 @@
#!/bin/bash -e
#
# Copyright (c) 2020 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -o pipefail || true # trace ERR through pipes
set -o errtrace || true # trace ERR through commands and functions
set -o errexit || true # exit the script if any statement returns a non-true return value
on_error(){
CODE="${?}" && \
set +x && \
printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \
"${CODE}" "${BASH_SOURCE}" "${LINENO}" "${BASH_COMMAND}"
}
trap on_error ERR
# Path to this script
if [ -h "${0}" ] ; then
readonly SCRIPT_PATH="$(readlink "${0}")"
else
readonly SCRIPT_PATH="${0}"
fi
# Path to the root of the workspace
readonly WS_DIR=$(cd $(dirname -- "${SCRIPT_PATH}") ; cd ../.. ; pwd -P)
readonly RESULT_FILE=$(mktemp -t XXXdependency-check-result)
source ${WS_DIR}/etc/scripts/pipeline-env.sh
die(){ cat ${RESULT_FILE} ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;}
mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \
-f ${WS_DIR}/pom.xml \
-Dtop.parent.basedir="${WS_DIR}" \
> ${RESULT_FILE} || die "Error running the Maven command"
grep -i "One or more dependencies were identified with known vulnerabilities" ${RESULT_FILE} \
&& die "CVE SCAN ERROR" || echo "CVE SCAN OK"

1
examples/pom.xml
View File

@@ -35,6 +35,7 @@
<maven.sources.skip>true</maven.sources.skip>
<maven.javadoc.skip>true</maven.javadoc.skip>
<spotbugs.skip>true</spotbugs.skip>
<dependency-check.skip>true</dependency-check.skip>
</properties>
<modules>

1
microprofile/tests/pom.xml
View File

@@ -36,6 +36,7 @@
<maven.sources.skip>true</maven.sources.skip>
<maven.javadoc.skip>true</maven.javadoc.skip>
<spotbugs.skip>true</spotbugs.skip>
<dependency-check.skip>true</dependency-check.skip>
</properties>
<modules>

51
pom.xml
View File

@@ -45,6 +45,7 @@
<spotbugs.skip>false</spotbugs.skip>
<spotbugs.threshold>Medium</spotbugs.threshold>
<dependency-check.skip>false</dependency-check.skip>
<checkstyle.skip>false</checkstyle.skip>
<!--
!Version statement! - begin
@@ -112,6 +113,7 @@
<version.plugin.shade>3.0.0</version.plugin.shade>
<version.plugin.source>3.0.1</version.plugin.source>
<version.plugin.spotbugs>3.1.12</version.plugin.spotbugs>
<version.plugin.dependency-check>6.0.2</version.plugin.dependency-check>
<version.plugin.surefire>3.0.0-M5</version.plugin.surefire>
<version.plugin.toolchains>1.1</version.plugin.toolchains>
<version.plugin.version-plugin>2.3</version.plugin.version-plugin>
@@ -491,13 +493,44 @@
<xmlOutput>true</xmlOutput>
</configuration>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${version.plugin.dependency-check}</version>
<configuration>
<skip>${dependency-check.skip}</skip>
<skipTestScope>true</skipTestScope>
<failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<excludes>
<!-- Exclude stuff we do not deploy -->
<exclude>io.helidon.tracing:helidon-tracing-tests</exclude>
<exclude>io.helidon.config.tests*</exclude>
<exclude>io.helidon.test*</exclude>
<exclude>io.helidon.examples*</exclude>
<exclude>io.helidon.microprofile.tests*</exclude>
<!-- This should be excluded by above, but for some reason it persists -->
<exclude>org.testng:testng</exclude>
</excludes>
<formats>
<format>HTML</format>
<format>CSV</format>
</formats>
<suppressionFiles>
<!--suppress UnresolvedMavenProperty -->
<suppressionFile>${top.parent.basedir}/etc/dependency-check-suppression.xml</suppressionFile>
</suppressionFiles>
</configuration>
</plugin>
<plugin>
<groupId>org.xolstice.maven.plugins</groupId>
<artifactId>protobuf-maven-plugin</artifactId>
<version>${version.plugin.protobuf}</version>
<configuration>
<!--suppress UnresolvedMavenProperty -->
<protocArtifact>com.google.protobuf:protoc:3.5.1-1:exe:${os.detected.classifier}</protocArtifact>
<pluginId>grpc-java</pluginId>
<!--suppress UnresolvedMavenProperty -->
<pluginArtifact>
io.grpc:protoc-gen-grpc-java:${version.lib.grpc}:exe:${os.detected.classifier}
</pluginArtifact>
@@ -1146,6 +1179,24 @@ helidon-parent,helidon-dependencies,helidon-bom,helidon-se,helidon-mp,io.grpc,he
</plugins>
</build>
</profile>
<profile>
<id>dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>checkstyle</id>
<build>

1
tests/pom.xml
View File

@@ -38,6 +38,7 @@
<maven.javadoc.skip>true</maven.javadoc.skip>
<spotbugs.skip>true</spotbugs.skip>
<checkstyle.skip>true</checkstyle.skip>
<dependency-check.skip>true</dependency-check.skip>
</properties>
<modules>

1
tracing/tests/pom.xml
View File

@@ -37,5 +37,6 @@
<maven.sources.skip>true</maven.sources.skip>
<maven.javadoc.skip>true</maven.javadoc.skip>
<spotbugs.skip>true</spotbugs.skip>
<dependency-check.skip>true</dependency-check.skip>
</properties>
</project>