Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): Sanitize dependencies based on dependency:analyze-report results #7294

Merged
merged 2 commits into from
Jan 11, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions ant/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -214,8 +214,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-jcs3-core</artifactId>
<!-- not visible in imports due to method chaining, but Check code uses classes from this library -->
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
Expand Down
9 changes: 9 additions & 0 deletions cli/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,15 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>jcs3-slf4j</artifactId>
</dependency>
<dependency>
<!-- not visible in imports due to method chaining, but App code uses classes from this library -->
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
Expand Down
94 changes: 90 additions & 4 deletions core/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>jcs3-slf4j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.github.package-url</groupId>
Expand Down Expand Up @@ -340,14 +341,57 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
</dependency>
<dependency><!--upgrade transitive dependency of commons-validator due to reported vulns-->
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.packager</groupId>
<artifactId>packager-rpm</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
</dependency>
<dependency>
<groupId>org.sonatype.goodies</groupId>
<artifactId>package-url-java</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.10.4</version>
</dependency>
<dependency>
<groupId>org.sonatype.ossindex</groupId>
<artifactId>ossindex-service-api</artifactId>
<version>1.8.2</version>
</dependency>
<dependency>
<groupId>com.esotericsoftware</groupId>
<artifactId>minlog</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<version>1.3.03</version>
<scope>test</scope>
</dependency>
</dependencies>
<profiles>
<profile>
Expand Down Expand Up @@ -457,6 +501,48 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>${maven-dependency-plugin.version}</version>
<configuration>
<usedDependencies combine.children="append">
<!-- logback is our logging implementation during test and is test-scoped due to a lack of a
test-runtime scope - it should be considered 'used' in the context of dependency:analyze-report -->
<usedDependency>ch.qos.logback:logback-classic</usedDependency>
<!-- dependencies to be copied for use in unit/integration testcases are, due to
lack of a test-runtime scope, configured as test-scoped / optional and should be
considered used for dependency:analyze-report -->
<usedDependency>org.springframework:spring-webmvc</usedDependency>
<usedDependency>org.mortbay.jetty:jetty</usedDependency>
<usedDependency>net.sf.ehcache:ehcache-core</usedDependency>
<usedDependency>com.google.inject:guice</usedDependency>
<usedDependency>org.apache.struts:struts2-core</usedDependency>
<usedDependency>xalan:xalan</usedDependency>
<usedDependency>com.hazelcast:hazelcast</usedDependency>
<usedDependency>commons-fileupload:commons-fileupload</usedDependency>
<usedDependency>org.jslipc:jslipc</usedDependency>
<usedDependency>com.thoughtworks.xstream:xstream</usedDependency>
<usedDependency>org.dojotoolkit:dojo-war</usedDependency>
<usedDependency>org.apache.openjpa:openjpa</usedDependency>
<usedDependency>uk.ltd.getahead:dwr</usedDependency>
<usedDependency>org.glassfish.main.admingui:war</usedDependency>
<usedDependency>org.springframework.retry:spring-retry</usedDependency>
<usedDependency>io.github.faob-dev:aar</usedDependency>
<usedDependency>org.apache.maven.scm:maven-scm-provider-cvsexe</usedDependency>
<usedDependency>org.apache.axis2:axis2-spring</usedDependency>
<usedDependency>org.apache.geronimo.daytrader:daytrader-ear</usedDependency>
<usedDependency>org.springframework.security:spring-security-web</usedDependency>
<usedDependency>org.apache.axis2:axis2-adb</usedDependency>
</usedDependencies>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
<dependencies>
<!-- The following dependencies are only used during testing
and must not be converted to a properties based version number -->
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.github.jeremylong.openvulnerability.client.nvd.Config;
import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
import org.apache.commons.collections.map.ReferenceMap;
import org.apache.commons.collections4.map.ReferenceMap;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.*;
Expand All @@ -44,8 +44,8 @@
import java.util.stream.Collectors;
import org.anarres.jdiagnostics.DefaultQuery;

import static org.apache.commons.collections.map.AbstractReferenceMap.HARD;
import static org.apache.commons.collections.map.AbstractReferenceMap.SOFT;
import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.HARD;
import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.SOFT;
import org.owasp.dependencycheck.analyzer.exception.LambdaExceptionWrapper;
import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
Expand Down
40 changes: 36 additions & 4 deletions maven/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,17 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</plugin>
</plugins>
</reporting>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-resolver-provider</artifactId>
<version>${maven.api.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
Expand All @@ -103,10 +114,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-jcs3-core</artifactId>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
Expand All @@ -131,6 +138,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>maven-core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-sink-api</artifactId>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
<artifactId>file-management</artifactId>
Expand Down Expand Up @@ -179,6 +190,27 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>maven-artifact</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.resolver</groupId>
<artifactId>maven-resolver-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
<artifactId>maven-common-artifact-filters</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>com.github.package-url</groupId>
<artifactId>packageurl-java</artifactId>
</dependency>
</dependencies>
<profiles>
<profile>
Expand Down
Loading
Loading