Chore/update dependencies #582

Merged
merged 6 commits into from
Oct 11, 2023
28 changes: 7 additions & 21 deletions .config/owasp-suppressions.xml
@@ -1,26 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Transitive dependency of OkHttp. CVE is only relevant for Gradle builds, not relevant for IRS.
]]></notes>
<gav regex="true">org\.jetbrains\.kotlin:.*</gav>
<vulnerabilityName>CVE-2022-24329</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Vulnerability method not in IRS codebase (Files.createTempDir from guava).
]]></notes>
<gav regex="true">com\.google\.guava:guava.*</gav>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Vulnerability method not in IRS codebase (Files.createTempDir from guava).
]]></notes>
<gav regex="true">com\.google\.guava:guava.*</gav>
<vulnerabilityName>CVE-2023-2976</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Vulnerability is a false positive.
Expand All @@ -42,4 +21,11 @@
<gav regex="true">org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. This is not exploitable in IRS.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2023-22006</vulnerabilityName>
</suppress>
</suppressions>
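Review bot: The new graal-sdk suppression matches every version of the artifact (`@.*$`) and carries no expiry, so it will keep silencing CVE-2023-22006 after the dependency is eventually upgraded, and nothing prompts a re-check; bound it with the schema's `until` attribute, e.g. `<suppress until="YYYY-MM-DD">` (date placeholder, to be set by the maintainers), and narrow the packageUrl to the affected version if that range is known. The note's justification ("does not apply to Java deployments ... that load and run only trusted code") is the vendor's generic advisory wording; one sentence stating why the GraalVM SDK in IRS never evaluates input from outside the deployment would make the suppression auditable. The DEPENDENCIES section of this PR lists graal-sdk at both 23.1.0 and 21.2.0 (one presumably the removed side), so it is worth stating which version remains on the classpath and that the suppression targets it.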
24 changes: 2 additions & 22 deletions DEPENDENCIES
Expand Up @@ -278,40 +278,24 @@ maven/mavencentral/org.eclipse.edc/validator-spi/0.1.3, Apache-2.0, approved, te
maven/mavencentral/org.eclipse.edc/web-spi/0.1.3, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api/5.0.2, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.tractusx.irs/irs-api/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
Expand Down Expand Up @@ -346,12 +330,8 @@ maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.2, EPL-
maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey
maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
maven/mavencentral/org.graalvm.js/js/21.2.0, UPL-1.0 AND (MPL-2.0 AND LicenseRef-MIT-style) AND (BSD-3-Clause AND UPL-1.0) AND (GPL-2.0-only WITH Classpath-exception-2.0 AND UPL-1.0) AND (UPL-1.0 AND LicenseRef-Permission-Notice), approved, #10176
maven/mavencentral/org.graalvm.polyglot/polyglot/23.1.0, UPL-1.0, approved, #10918
maven/mavencentral/org.graalvm.regex/regex/21.2.0, UPL-1.0 AND (Unicode-TOU AND UPL-1.0), approved, #10181
maven/mavencentral/org.graalvm.sdk/collections/23.1.0, UPL-1.0, approved, #10920
maven/mavencentral/org.graalvm.sdk/graal-sdk/23.1.0, UPL-1.0, approved, #10914
maven/mavencentral/org.graalvm.sdk/nativeimage/23.1.0, UPL-1.0, approved, #10921
maven/mavencentral/org.graalvm.sdk/word/23.1.0, UPL-1.0, approved, #10917
maven/mavencentral/org.graalvm.sdk/graal-sdk/21.2.0, UPL-1.0, approved, clearlydefined
maven/mavencentral/org.graalvm.truffle/truffle-api/21.2.0, UPL-1.0, approved, #10219
maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
Expand Down Expand Up @@ -403,6 +383,7 @@ maven/mavencentral/org.opentest4j/opentest4j/1.2.0, Apache-2.0, approved, clearl
maven/mavencentral/org.ow2.asm/asm-commons/9.5, BSD-3-Clause, approved, #7553
maven/mavencentral/org.ow2.asm/asm-tree/9.5, BSD-3-Clause, approved, #7555
maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/org.ow2.asm/asm/9.5, BSD-3-Clause, approved, #7554
maven/mavencentral/org.projectlombok/lombok/1.18.30, MIT AND LicenseRef-Public-Domain, approved, CQ23907
maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlydefined
maven/mavencentral/org.scala-lang.modules/scala-java8-compat_2.13/1.0.0, Apache-2.0, approved, clearlydefined
Expand Down Expand Up @@ -465,7 +446,6 @@ maven/mavencentral/org.typelevel/spire-macros_2.13/0.17.0, MIT, approved, clearl
maven/mavencentral/org.unbescape/unbescape/1.1.6.RELEASE, Apache-2.0, approved, CQ18904
maven/mavencentral/org.webjars/swagger-ui/5.2.0, Apache-2.0, approved, #10221
maven/mavencentral/org.wiremock/wiremock-standalone/3.2.0, MIT AND Apache-2.0, approved, #10919
maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.1, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.5, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272
maven/mavencentral/org.yaml/snakeyaml/1.33, Apache-2.0, approved, clearlydefined
15 changes: 1 addition & 14 deletions irs-api/pom.xml
Expand Up @@ -45,19 +45,10 @@
<dependency>
<groupId>io.minio</groupId>
<artifactId>minio</artifactId>
<version>${minio.version}</version>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Update snappy-java manually to avoid vulnerability CVE-2023-43642; can be removed after Minio updates their dependency -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.5</version>
</dependency>
<dependency>
<groupId>com.squareup.okhttp3</groupId>
Expand Down Expand Up @@ -170,16 +161,12 @@
</exclusion>
</exclusions>
</dependency>
<!-- Update jsoup manually to avoid a vulnerability; can be removed after jsonschemafriend updates their dependency -->
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>${jsoup.version}</version>
</dependency>
<dependency>
<groupId>org.graalvm.sdk</groupId>
<artifactId>graal-sdk</artifactId>
<version>${graal-sdk.version}</version>
</dependency>

<dependency>
<groupId>org.eclipse.tractusx.irs</groupId>
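Review bot: In the second hunk the jsoup override and its comment ("Update jsoup manually to avoid a vulnerability; can be removed after jsonschemafriend updates their dependency") have no replacement; the +/- markers are lost in this rendering, but if those lines are deletions, jsoup's version is decided by the jsonschemafriend transitive again, which is only safe if the jsonschemafriend bump in this PR ships a fixed jsoup. Either keep jsoup managed in the root `<dependencyManagement>` (the pattern this PR adopts for snappy-java) or record in the PR description that the condition in the removed comment is now met. The same applies to the direct graal-sdk dependency dropped just below it: with no explicit version, the transitive graal-sdk wins, which is presumably why the CVE-2023-22006 suppression is added in the same PR. The enclosing `<dependencies>` block starts and ends outside the hunk.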
15 changes: 4 additions & 11 deletions irs-common/pom.xml
Expand Up @@ -60,17 +60,10 @@
<dependency>
<groupId>io.minio</groupId>
<artifactId>minio</artifactId>
<version>${minio.version}</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
</dependency>
<dependency>
<groupId>com.squareup.okio</groupId>
17 changes: 4 additions & 13 deletions irs-edc-client/pom.xml
Expand Up @@ -133,23 +133,14 @@
<groupId>org.eclipse.edc</groupId>
</exclusion>
<exclusion>
<artifactId>jetty-xml</artifactId>
<groupId>org.eclipse.jetty</groupId>
</exclusion>
<exclusion>
<artifactId>jetty-http</artifactId>
<groupId>org.eclipse.jetty</groupId>
<artifactId>websocket-jakarta-server</artifactId>
<groupId>org.eclipse.jetty.websocket</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<artifactId>jetty-http</artifactId>
<groupId>org.eclipse.jetty</groupId>
<version>11.0.16</version>
</dependency>
<dependency>
<artifactId>jetty-xml</artifactId>
<groupId>org.eclipse.jetty</groupId>
<groupId>org.eclipse.jetty.websocket</groupId>
<artifactId>websocket-jakarta-server</artifactId>
<version>11.0.16</version>
</dependency>
<dependency>
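Review bot: The re-declared websocket-jakarta-server dependency pins `<version>11.0.16</version>` as a literal, while the same PR introduces `${snappy-java.version}` in the root pom for the equivalent security override; a `jetty.version` property, or a managed entry in the root `<dependencyManagement>`, would keep the next Jetty security bump to one edit instead of one per module. The exclude-then-redeclare pattern works, but a managed version in the root pom overrides the transitive one without the exclusion, and stays in effect if the exclusion is later dropped by mistake. The enclosing `<dependency>` that holds the `<exclusions>` starts outside the hunk.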
15 changes: 4 additions & 11 deletions irs-policy-store/pom.xml
Expand Up @@ -37,17 +37,10 @@
<dependency>
<groupId>io.minio</groupId>
<artifactId>minio</artifactId>
<version>${minio.version}</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
22 changes: 22 additions & 0 deletions pom.xml
Expand Up @@ -89,6 +89,7 @@
<maven-assembly-plugin.version>3.3.0</maven-assembly-plugin.version>
<maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
<license-tool-plugin.version>0.0.1-SNAPSHOT</license-tool-plugin.version>
<snappy-java.version>1.1.10.5</snappy-java.version>
</properties>

<dependencyManagement>
Expand All @@ -98,6 +99,27 @@
<artifactId>micrometer-registry-prometheus</artifactId>
<version>${micrometer.version}</version>
</dependency>
<dependency>
<groupId>io.minio</groupId>
<artifactId>minio</artifactId>
<version>${minio.version}</version>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<artifactId>snappy-java</artifactId>
<groupId>org.xerial.snappy</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- Update snappy-java manually to avoid vulnerability CVE-2023-43642; can be removed after Minio updates their dependency -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>${snappy-java.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

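Review bot: The managed minio entry excludes bcprov-jdk15on and snappy-java but not jackson-databind, which the irs-common and irs-policy-store poms in this PR previously excluded from minio and no longer do; after the move, minio's transitive jackson-databind is resolved again in those modules unless a BOM (presumably the Spring Boot parent) manages its version, so either add `<exclusion><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></exclusion>` here or state in the PR why the exclusion is no longer needed. Minor: the new snappy-java exclusion lists `artifactId` before `groupId`, the reverse of the bcprov exclusion directly above it; keeping groupId first reads consistently. The comment on the snappy-java override ("can be removed after Minio updates their dependency") would be more actionable if it named the minio release that ships snappy-java 1.1.10.5 or later, when that is known.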