From 79eec30ffcc49e57078f5ebbc14928844d42665f Mon Sep 17 00:00:00 2001
From: bhill6 <brian.hill@wisc.edu>
Date: Tue, 11 Oct 2022 08:47:36 -0500
Subject: [PATCH] Removing log4j dependencies from test and substituting logback as the slf4j provider, adding gitlab security scanning configurations
---
 .gitlab-ci.yml | 17 +++++++++++++++++
 cve-supressions.xml | 11 +++++++++++
 pom.xml | 13 ++++++++-----
 uw-spring-security-config/pom.xml | 4 ++--
 uw-spring-security-core/pom.xml | 4 ++--
 uw-spring-security-sample-war/pom.xml | 11 +++++------
 uw-spring-security-web/pom.xml | 4 ++--
 7 files changed, 47 insertions(+), 17 deletions(-)
 create mode 100644 cve-supressions.xml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f02397..a850086 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,9 @@
+include:
+ # Security scanning
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ - template: Security/Dependency-Scanning.gitlab-ci.yml
+
 image: maven:3-amazoncorretto-8
 variables:
@@ -20,10 +26,21 @@ default: - aws - docker +stages: - test # GitLab security scanning jobs use the 'test' stage - deploy + test: stage: test script: - mvn clean $MAVEN_CLI_OPTS verify + artifacts: paths: - uw-spring-security-config/target/dependency-check-report.html - uw-spring-security-core/target/dependency-check-report.html - uw-spring-security-sample-war/target/dependency-check-report.html - uw-spring-security-web/target/dependency-check-report.html expire_in: 1 year deploy: stage: deploy
diff --git a/cve-supressions.xml b/cve-supressions.xml
new file mode 100644
index 0000000..c658566
--- /dev/null
+++ b/cve-supressions.xml
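Review bot: The three `include:` templates add scanners but nothing here makes their findings block the pipeline — as far as I recall the SAST, Secret-Detection and Dependency-Scanning template jobs are declared with `allow_failure: true`, so a pipeline stays green on a critical finding and the only real gate remains the OWASP check run from `mvn verify`. If enforcement rather than visibility is the intent, override the jobs after the include, e.g. `secret_detection:` / `  allow_failure: false`, or add a merge-request approval rule on the security reports. A one-line comment above the include stating which of the two outcomes is expected would stop the next reader from assuming the scans gate anything.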
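Review bot: The `artifacts:` block added to `test` retains the four dependency-check reports only when the job succeeds, because `artifacts:when` defaults to `on_success`; the run in which the report matters most is the one where `mvn clean $MAVEN_CLI_OPTS verify` fails on a new CVE, and in that case the HTML is discarded. Add `when: always` under `artifacts:` (next to `expire_in: 1 year`) so the evidence survives a failed gate. Since the four paths are spelled out per module, a newly added module is silently left out of the retained reports; a glob such as `*/target/dependency-check-report.html` would follow the reactor instead. Several added lines in this hunk appear to have lost their `+` markers in rendering, so I am reading the block from the hunk counts.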
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Documentation: https://jeremylong.github.io/DependencyCheck/general/suppression.html
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress>
+ <notes><![CDATA[Long discussion about this CVE by Spring: https://github.com/spring-projects/spring-framework/issues/24434]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>
+ <cve>CVE-2016-1000027</cve>
+ </suppress>
+</suppressions>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index f1bf89b..10be8f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -36,7 +36,7 @@
 <revision>3.0.4</revision>
 <adi.development.version>2.0.1</adi.development.version>
 <jackson.version>2.14.0-rc1</jackson.version>
- <slf4j.version>1.7.7</slf4j.version>
+ <slf4j.version>2.0.3</slf4j.version>
 <spring.framework.version>5.3.23</spring.framework.version>
 <spring.security.version>5.7.3</spring.security.version>
 </properties>
@@ -138,7 +138,7 @@
 <dependency>
 <groupId>junit</groupId>
 <artifactId>junit</artifactId>
- <version>4.12</version>
+ <version>4.13.1</version>
 </dependency>
 <dependency>
 <groupId>org.apache.commons</groupId>
@@ -161,9 +161,9 @@
 <version>${slf4j.version}</version>
 </dependency>
 <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <version>${slf4j.version}</version>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>1.3.4</version>
 </dependency>
 <dependency>
 <groupId>org.springframework</groupId>
@@ -274,6 +274,9 @@
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
 <version>7.0.4</version>
+ <configuration>
+ <suppressionFile>cve-supressions.xml</suppressionFile>
+ </configuration>
 <executions>
 <execution>
 <goals>
diff --git a/uw-spring-security-config/pom.xml b/uw-spring-security-config/pom.xml
index b00aff4..4f6831f 100644
--- a/uw-spring-security-config/pom.xml
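Review bot: The suppression of CVE-2016-1000027 has no expiry and matches every `org.springframework/spring*` artifact, while `<notes>` only links to the discussion instead of recording why this build is not affected. Narrow it to the artifact the advisory is about and time-box it — `<suppress until="2023-10-11Z">` with `<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>` — and write the actual justification into `<notes>`, presumably that no HttpInvoker/RMI remoting endpoint is exposed (the precondition the linked issue describes), so the next reviewer can re-check the claim rather than inherit it. The file name `cve-supressions.xml` (one p) is referenced identically from pom.xml so it works, but renaming both to `cve-suppressions.xml` would save future grepping, and a trailing newline would stop git flagging the file on every edit.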
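Review bot: Replacing `slf4j-log4j12` with `logback-classic` in what is presumably the root `<dependencyManagement>` removes the binding, but nothing in this change stops `log4j:log4j` 1.2.x (which that binding pulled in transitively) or an old `log4j-core` from returning through some other dependency, so the "removing log4j" intent is assumed rather than enforced. A maven-enforcer `bannedDependencies` rule would fail the build the moment either reappears, independently of whether dependency-check happens to flag it; the enforcer plugin version is omitted below and should be pinned in `<pluginManagement>`. Note also that SLF4J 2.0.3 discovers providers via ServiceLoader, so any module still carrying a 1.7-era binding logs "No SLF4J providers were found" and silently drops all output — worth a `mvn dependency:tree | grep slf4j` across the reactor after merging. The enclosing dependency block starts outside the hunk.
```xml
<!-- … unchanged: existing <build><plugins> entries … -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <executions>
    <execution>
      <id>ban-log4j</id>
      <goals><goal>enforce</goal></goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <exclude>log4j:log4j</exclude>
              <exclude>org.slf4j:slf4j-log4j12</exclude>
              <exclude>org.apache.logging.log4j:log4j-core:[,2.17.1)</exclude>
            </excludes>
          </bannedDependencies>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```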
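Review bot: `<suppressionFile>cve-supressions.xml</suppressionFile>` is a relative path, and the artifact list in .gitlab-ci.yml shows the check producing a report per module (`uw-spring-security-*/target/dependency-check-report.html`); if the plugin resolves the path against each module's basedir rather than the reactor root, the suppression is ignored in the submodules and CVE-2016-1000027 fails them anyway. Anchor it explicitly, `<suppressionFile>${maven.multiModuleProjectDirectory}/cve-supressions.xml</suppressionFile>`, which resolves the same way from any module and from a CI checkout. The plugin's `<executions>` and any `failBuildOnCVSS` setting continue outside the hunk, so I cannot tell from here whether `mvn verify` actually fails on findings; if it does not, the suppression file is cosmetic and the only gate is the GitLab dependency-scanning template.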
+++ b/uw-spring-security-config/pom.xml
@@ -46,8 +46,8 @@
 <scope>test</scope>
 </dependency>
 <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
 <scope>test</scope>
 </dependency>
 <dependency>
diff --git a/uw-spring-security-core/pom.xml b/uw-spring-security-core/pom.xml
index 5db51c1..54451d8 100644
--- a/uw-spring-security-core/pom.xml
+++ b/uw-spring-security-core/pom.xml
@@ -59,8 +59,8 @@
 <scope>test</scope>
 </dependency>
 <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
 <scope>test</scope>
 </dependency>
 <dependency>
diff --git a/uw-spring-security-sample-war/pom.xml b/uw-spring-security-sample-war/pom.xml
index 3ed1489..1c95220 100644
--- a/uw-spring-security-sample-war/pom.xml
+++ b/uw-spring-security-sample-war/pom.xml
@@ -50,16 +50,15 @@
 <groupId>org.springframework</groupId>
 <artifactId>spring-webmvc</artifactId>
 </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- <scope>runtime</scope>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <scope>test</scope>
 </dependency>
 <dependency>
 <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <scope>runtime</scope>
+ <artifactId>jcl-over-slf4j</artifactId>
+ <scope>test</scope>
 </dependency>
 </dependencies>
 <build>
diff --git a/uw-spring-security-web/pom.xml b/uw-spring-security-web/pom.xml
index 7101c13..4373f93 100644
--- a/uw-spring-security-web/pom.xml
+++ b/uw-spring-security-web/pom.xml
@@ -38,8 +38,8 @@
 <scope>test</scope>
 </dependency>
 <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
 <scope>test</scope>
 </dependency>
 <dependency>
--
GitLab
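Review bot: The sample-war hunk removes the `<dependency>` opening tag (its first removed line) without adding one back, so on the new side `</dependency>` of spring-webmvc is followed directly by `<groupId>ch.qos.logback</groupId>` and the next `</dependency>` closes nothing — Maven will reject the POM as not well-formed, and the diffstat's 5 insertions / 6 deletions agree that no replacement tag exists; unless a line was lost in rendering (the header counts 16 old lines and I can see 15), re-add `<dependency>` before the logback `<groupId>`. Separately, both logging artifacts move from `runtime` to `test` scope in a WAR module: with SLF4J 2.0.3 and no provider on the deployed classpath the sample logs "No SLF4J providers were found" and every line, including Spring Security's authentication and access-denied events, goes to the NOP logger unless the container supplies a provider. If that is intended for the sample, say so in a comment next to the scope; otherwise keep `logback-classic` at `<scope>runtime</scope>`. Mixing the tag removal with two scope changes in one hunk is what makes the well-formedness slip easy to miss.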