[Project] Updated initial dependency-check suppressions

2021-12-22 13:32:46 +01:00 · 2021-12-22 13:32:46 +01:00 · fa57bf213f
parent 7384fa6d85
commit fa57bf213f
2 changed files with 28 additions and 14 deletions
--- a/pom.xml
+++ b/pom.xml
@ -146,6 +146,9 @@
        <tomcat7ServerId>NOT_SET</tomcat7ServerId>
        <gpg.keyname>NOT_SET</gpg.keyname>

+        <!--suppress UnresolvedMavenProperty -->
+        <dependency-check-suppressions-file>${maven.multiModuleProjectDirectory}/src/dependency-check/suppressions.xml</dependency-check-suppressions-file>
+
    </properties>

    <modules>
@ -476,6 +479,7 @@
                    <configuration>
                        <failBuildOnCVSS>8</failBuildOnCVSS>
                        <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
+                        <suppressionFiles>${dependency-check-suppressions-file}</suppressionFiles>
                    </configuration>
                    <executions>
                        <execution>
@ -679,20 +683,6 @@
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>versions-maven-plugin</artifactId>
            </plugin>
-            <!--
-                <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-                <version>1.4.5</version>
-                <executions>
-                <execution>
-                <goals>
-                <goal>check</goal>
-                </goals>
-                </execution>
-                </executions>
-                </plugin>
-            -->
        </plugins>

    </build>
@ -800,6 +790,22 @@
                    </reportSet>
                </reportSets>
            </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <failBuildOnCVSS>8</failBuildOnCVSS>
+                    <yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
+                    <suppressionFiles>${dependency-check-suppressions-file}</suppressionFiles>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>aggregate</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
        </plugins>
    </reporting>

--- a/src/dependency-check/suppressions.xml
+++ b/src/dependency-check/suppressions.xml
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[file name: li.strolch.persistence.postgresql-1.8.0-SNAPSHOT.jar]]></notes>
+        <packageUrl regex="true">^pkg:maven/li\.strolch/li\.strolch\.persistence\.postgresql@.*$</packageUrl>
+        <cpe>cpe:/a:postgresql:postgresql</cpe>
+    </suppress>
+</suppressions>