Fix OWASP Vulnerabilities

corona-warn-app · Mar 28, 2023 · b891518 · b891518
1 parent 991ef79
commit b891518
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
@@ -25,6 +25,7 @@
     <suppress>
         <notes>This CVE is only affecting Keycloak Server not the Lib. (https://bugzilla.redhat.com/show_bug.cgi?id=2141404)</notes>
         <cve>CVE-2022-3916</cve>
+        <cve>CVE-2023-0105</cve>
     </suppress>
 
     <suppress>
@@ -33,4 +34,20 @@
         <cve>CVE-2022-31692</cve>
     </suppress>
 
+    <suppress>
+        <notes>H2 is only used for testing. No newer version available.</notes>
+        <cve>CVE-2022-45868</cve>
+        <cve>CVE-2018-14335</cve>
+    </suppress>
+
+    <suppress>
+        <notes>False positive. Wrong lib matched</notes>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+
+    <suppress>
+        <notes>False positive. CVE is up to 30.0 Project uses 31.1</notes>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
+
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -62,6 +62,35 @@
                 <version>2.7.10</version><!-- Also update version of Spring Boot in Spring Boot Plugin -->
                 <type>pom</type>
                 <scope>import</scope>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.yaml</groupId>
+                        <artifactId>snakeyaml</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.springframework.vault</groupId>
+                        <artifactId>spring-vault-core</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>commons-fileupload</groupId>
+                        <artifactId>commons-fileupload</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>2.0</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.vault</groupId>
+                <artifactId>spring-vault-core</artifactId>
+                <version>3.0.2</version>
+            </dependency>
+            <dependency>
+                <groupId>commons-fileupload</groupId>
+                <artifactId>commons-fileupload</artifactId>
+                <version>1.5</version>
             </dependency>
             <dependency>
                 <groupId>org.springframework.cloud</groupId>
@@ -384,10 +413,11 @@
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>7.3.1</version>
+                    <version>8.2.1</version>
                     <configuration>
                         <suppressionFile>./owasp/suppressions.xml</suppressionFile>
                         <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                     </configuration>
                 </plugin>