Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OF-2725: Update dependency-check, and deal with the results #2331

Merged
merged 13 commits into from
Nov 13, 2023
Merged

OF-2725: Update dependency-check, and deal with the results #2331

merged 13 commits into from
Nov 13, 2023

Conversation

Fishbowler
Copy link
Member

OF-2725 updates dependency-check-maven to 8.4.2, then adds suppressions for known false positives

OF-2726 updates dom4j to 2.1.4

OF-2727 updates mysql-connector-j to 8.2.0

Notes:

  • Remaining CVEs are all against org.mortbay.jasper/[email protected] which is a dependency of Jetty 10. I've suppressed the obvious/easy ones, but suspect we're vulnerable to zero.
  • There might be other out of date dependencies that weren't flagged. I've not looked.

@Fishbowler
OF-2725: Update dependency-check to 8.4.2
0875531
@Fishbowler
OF-2725: Add suppression for a false positive CVE for Jetty
25c0cea
@Fishbowler
OF-2725: Add a suppression for a retracted CVE for dom4j
c17ad69
@Fishbowler
OF-2726: Update dom4j from 2.1.3 to 2.1.4
7a9be76
@Fishbowler
OF-2727: Update mysql-connector-j from 8.0.32 to 8.2.0
38837ee
@Fishbowler
OF-2725: Add suppression for false positives on jetty-servlet-api
d9e4efc
@Fishbowler
OF-2725: Add suppression for a default hostname validation check in N…
5f6d8eb 
…etty that Openfire doesn't use

Hostname validation is implemented separately in Openfire
https://github.com/igniterealtime/Openfire/blob/7a53b23e565cdf06a541af82560a6c49d6c9d2ae/xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java#L485-L497
https://github.com/igniterealtime/Openfire/blob/7a53b23e565cdf06a541af82560a6c49d6c9d2ae/xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyOutboundConnectionHandler.java#L120-L126
@Fishbowler
OF-2725: Suppress CVE related to to Tomcat clustering
c75b2fe
@Fishbowler
OF-2725: Suppress Rapid Reset false positive
e575a64
@Fishbowler
OF-2725: Suppress CVE related to Tomcat persisted sessions
83a9f98
@Fishbowler
OF-2725: Suppress CVE related to a Tomcat shipped example app
e385831
@Fishbowler
OF-2725: Suppress CVE related to ROOT webapp in Tomcat
7be3eea
@Fishbowler
OF-2727: Update the tests to mysql-connector-j too
36a4340
@guusdk guusdk self-requested a review November 13, 2023 17:39
@guusdk guusdk merged commit 4e7d866 into igniterealtime:main Nov 13, 2023
16 checks passed
@Fishbowler Fishbowler deleted the OF-2725_update-dependency-check branch November 13, 2023 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guusdk guusdk guusdk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Fishbowler @guusdk