shiro-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bdem...@apache.org
Subject [4/5] shiro git commit: SHIRO-576 Added OWASP dependency check plugin
Date Fri, 21 Oct 2016 14:23:50 GMT
SHIRO-576 Added OWASP dependency check plugin

NOTE: this plugin config will return false positives, usage will require human interpretation
(and should NOT be used to fail builds)


Project: http://git-wip-us.apache.org/repos/asf/shiro/repo
Commit: http://git-wip-us.apache.org/repos/asf/shiro/commit/d0005501
Tree: http://git-wip-us.apache.org/repos/asf/shiro/tree/d0005501
Diff: http://git-wip-us.apache.org/repos/asf/shiro/diff/d0005501

Branch: refs/heads/master
Commit: d00055013310a28de4de4546caf44326b0e1f1a9
Parents: 67d340e
Author: Brian Demers <bdemers@apache.org>
Authored: Thu Oct 20 11:18:27 2016 -0400
Committer: Brian Demers <bdemers@apache.org>
Committed: Thu Oct 20 18:01:46 2016 -0400

----------------------------------------------------------------------
 pom.xml                   | 51 ++++++++++++++++++++++++++++++++++++++++++
 src/owasp-suppression.xml | 22 ++++++++++++++++++
 2 files changed, 73 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/shiro/blob/d0005501/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d466e22..49b791d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -436,6 +436,11 @@
                         </requestLog>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>1.4.3</version>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
@@ -1351,5 +1356,51 @@
                 </site>
             </distributionManagement>
         </profile>
+        <profile>
+            <!--  NOTE: this plugin config will return false positives, usage will require
+                  human interpretation (and should NOT be used to fail builds)
+            -->
+            <id>owasp</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <inherited>false</inherited>
+                        <configuration>
+                            <suppressionFile>${root.dir}/src/owasp-suppression.xml</suppressionFile>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>aggregate</goal>
+                                </goals>
+                                <inherited>false</inherited>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+            <reporting>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <inherited>false</inherited>
+                        <configuration>
+                            <suppressionFile>${root.dir}/src/owasp-suppression.xml</suppressionFile>
+                            <name>OWASP Dependency Check</name>
+                        </configuration>
+                        <reportSets>
+                            <reportSet>
+                                <reports>
+                                    <report>aggregate</report>
+                                </reports>
+                            </reportSet>
+                        </reportSets>
+                    </plugin>
+                </plugins>
+            </reporting>
+        </profile>
     </profiles>
 </project>

http://git-wip-us.apache.org/repos/asf/shiro/blob/d0005501/src/owasp-suppression.xml
----------------------------------------------------------------------
diff --git a/src/owasp-suppression.xml b/src/owasp-suppression.xml
new file mode 100644
index 0000000..1fb0ec4
--- /dev/null
+++ b/src/owasp-suppression.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+
+    <suppress>
+        <notes><![CDATA[ file name: tomcat-embed-core-8.5.5.jar ]]></notes>
+        <sha1>d55e12a418ff99ecd723a118c2a28bb91079972d</sha1>
+        <cpe>cpe:/a:apache:tomcat:8.5.5</cpe>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[ file name: tomcat-embed-websocket-8.5.5.jar ]]></notes>
+        <sha1>fd99cd1cd4c824abdf03466f0509f067747f0d1a</sha1>
+        <cpe>cpe:/a:apache:tomcat:8.5.5</cpe>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[ file name: opensaml-1.1.jar ]]></notes>
+        <sha1>21ec22368b6baa211a29887e162aa4cf9a8f3c60</sha1>
+        <cpe>cpe:/a:internet2:opensaml:1.1</cpe>
+    </suppress>
+
+</suppressions>
\ No newline at end of file


Mime
View raw message