

build(deps): Sanitize dependencies based on dependency:analyze-report…
… results (#7294)

Co-authored-by: Jeremy Long <[email protected]>
aikebah and jeremylong authored Jan 11, 2025
1 parent 57db1ca commit 5a47091
Showing 7 changed files with 232 additions and 32 deletions.
9 changes: 7 additions & 2 deletions ant/pom.xml
Expand Up @@ -214,8 +214,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-jcs3-core</artifactId>
<!-- not visible in imports due to method chaining, but Check code uses classes from this library -->
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
9 changes: 9 additions & 0 deletions cli/pom.xml
Expand Up @@ -152,6 +152,15 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>jcs3-slf4j</artifactId>
</dependency>
<dependency>
<!-- not visible in imports due to method chaining, but App code uses classes from this library -->
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
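Review bot: jcs3-slf4j is added here with default compile scope (`<artifactId>jcs3-slf4j</artifactId>` with no `<scope>` child), whereas the same commit moves that artifact to `<scope>runtime</scope>` in core/pom.xml; if no cli source compiles against it, `<scope>runtime</scope>` would document that it is only a runtime logging binding and keep the two modules consistent. The comment on the open-vulnerability-clients entry mirrors the one added in ant/pom.xml, which helps readers reconcile the declaration with dependency:analyze-report output. The enclosing `<dependencies>` element starts and ends outside the hunk.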
94 changes: 90 additions & 4 deletions core/pom.xml
Expand Up @@ -204,6 +204,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>jcs3-slf4j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.github.package-url</groupId>
Expand Down Expand Up @@ -340,14 +341,57 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
</dependency>
<dependency><!--upgrade transitive dependency of commons-validator due to reported vulns-->
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.packager</groupId>
<artifactId>packager-rpm</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
</dependency>
<dependency>
<groupId>org.sonatype.goodies</groupId>
<artifactId>package-url-java</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.10.4</version>
</dependency>
<dependency>
<groupId>org.sonatype.ossindex</groupId>
<artifactId>ossindex-service-api</artifactId>
<version>1.8.2</version>
</dependency>
<dependency>
<groupId>com.esotericsoftware</groupId>
<artifactId>minlog</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<version>1.3.03</version>
<scope>test</scope>
</dependency>
</dependencies>
<profiles>
<profile>
Expand Down Expand Up @@ -457,6 +501,48 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>${maven-dependency-plugin.version}</version>
<configuration>
<usedDependencies combine.children="append">
<!-- logback is our logging implementation during test and is test-scoped due to a lack of a
test-runtime scope - it should be considered 'used' in the context of dependency:analyze-report -->
<usedDependency>ch.qos.logback:logback-classic</usedDependency>
<!-- dependencies to be copied for use in unit/integration testcases are, due to
lack of a test-runtime scope, configured as test-scoped / optional and should be
considered used for dependency:analyze-report -->
<usedDependency>org.springframework:spring-webmvc</usedDependency>
<usedDependency>org.mortbay.jetty:jetty</usedDependency>
<usedDependency>net.sf.ehcache:ehcache-core</usedDependency>
<usedDependency>com.google.inject:guice</usedDependency>
<usedDependency>org.apache.struts:struts2-core</usedDependency>
<usedDependency>xalan:xalan</usedDependency>
<usedDependency>com.hazelcast:hazelcast</usedDependency>
<usedDependency>commons-fileupload:commons-fileupload</usedDependency>
<usedDependency>org.jslipc:jslipc</usedDependency>
<usedDependency>com.thoughtworks.xstream:xstream</usedDependency>
<usedDependency>org.dojotoolkit:dojo-war</usedDependency>
<usedDependency>org.apache.openjpa:openjpa</usedDependency>
<usedDependency>uk.ltd.getahead:dwr</usedDependency>
<usedDependency>org.glassfish.main.admingui:war</usedDependency>
<usedDependency>org.springframework.retry:spring-retry</usedDependency>
<usedDependency>io.github.faob-dev:aar</usedDependency>
<usedDependency>org.apache.maven.scm:maven-scm-provider-cvsexe</usedDependency>
<usedDependency>org.apache.axis2:axis2-spring</usedDependency>
<usedDependency>org.apache.geronimo.daytrader:daytrader-ear</usedDependency>
<usedDependency>org.springframework.security:spring-security-web</usedDependency>
<usedDependency>org.apache.axis2:axis2-adb</usedDependency>
</usedDependencies>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
<dependencies>
<!-- The following dependencies are only used during testing
and must not be converted to a properties based version number -->
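Review bot: Dropping the direct commons-beanutils declaration (old side, `<!--upgrade transitive dependency of commons-validator due to reported vulns-->`) lets commons-beanutils fall back to whatever commons-validator pulls in transitively unless its version is still managed elsewhere; nothing in this hunk shows a replacement pin, so confirm that the parent's dependencyManagement (outside this diff) still forces the patched version, for example by checking `mvn dependency:tree -Dincludes=commons-beanutils` for this module. The new entries for package-url-java, joda-time, ossindex-service-api, minlog and android-json carry literal versions (e.g. `<version>2.10.4</version>`) while the neighbouring entries rely on managed versions; if these are main-scope dependencies they are easier to keep patched from the parent's dependencyManagement, and if they are test-only they should carry `<scope>test</scope>` as the xml-apis entry does. The `<dependencies>` element edited by the second hunk starts outside the hunk.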
Expand Up @@ -22,7 +22,7 @@
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.github.jeremylong.openvulnerability.client.nvd.Config;
import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
import org.apache.commons.collections.map.ReferenceMap;
import org.apache.commons.collections4.map.ReferenceMap;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.*;
Expand All @@ -44,8 +44,8 @@
import java.util.stream.Collectors;
import org.anarres.jdiagnostics.DefaultQuery;

import static org.apache.commons.collections.map.AbstractReferenceMap.HARD;
import static org.apache.commons.collections.map.AbstractReferenceMap.SOFT;
import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.HARD;
import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.SOFT;
import org.owasp.dependencycheck.analyzer.exception.LambdaExceptionWrapper;
import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
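Review bot: With the static imports now resolving HARD and SOFT to `AbstractReferenceMap.ReferenceStrength` enum constants, the `ReferenceMap` construction elsewhere in this class (outside both hunks) must use the collections4 overload that takes two `ReferenceStrength` arguments rather than the int-based collections 3 constructor; the hunks only show the imports, so that call site should be checked in the same review. This also retires the last `org.apache.commons.collections` (3.x) import from this file, a library line widely cited as a Java deserialization gadget source, so it is worth confirming that no module pom still pulls commons-collections 3 in transitively once the direct usage is gone. The file name for this section is not shown on the page, and the class body lies entirely outside the hunks.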
40 changes: 36 additions & 4 deletions maven/pom.xml
Expand Up @@ -92,6 +92,17 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</plugin>
</plugins>
</reporting>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-resolver-provider</artifactId>
<version>${maven.api.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
Expand All @@ -103,10 +114,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-jcs3-core</artifactId>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
Expand All @@ -131,6 +138,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>maven-core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-sink-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
<artifactId>file-management</artifactId>
Expand Down Expand Up @@ -179,6 +190,27 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>maven-artifact</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.resolver</groupId>
<artifactId>maven-resolver-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
<artifactId>maven-common-artifact-filters</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>com.github.package-url</groupId>
<artifactId>packageurl-java</artifactId>
</dependency>
</dependencies>
<profiles>
<profile>
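Review bot: The new doxia-sink-api entry (`<artifactId>doxia-sink-api</artifactId>` with no `<scope>`) takes default compile scope, while the sibling Maven-supplied APIs maven-core and the newly added maven-resolver-api are `<scope>provided</scope>`; if the hosting Maven runtime supplies the Doxia sink API to the report mojo, `<scope>provided</scope>` would keep it off the plugin's packaged classpath and avoid a version clash with the host, so confirm how the mojo obtains its Sink before settling the scope. The imported `maven-resolver-provider` BOM is versioned with `${maven.api.version}`, a property defined outside this diff; it should be the same property that pins maven-core so the resolver API matches the Maven version the plugin compiles against. The enclosing `<project>` element starts and ends outside the hunks.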

