Dependency updates to eliminate vulnerabilities discovered by dependency-check (!36) · Merge requests · adi-ia / uw-spring-security · GitLab

Snippets Groups Projects

On April 1, 2025, new DockerHub pull rate limits go into effect. See how this could impact your GitLabCI jobs: https://kb.wisc.edu/shared-tools/news.php?id=13738

Merged bhill6@wisc.edu requested to merge dependency_updates into main 2 years ago

Eliminated all CRITICAL and HIGH except for CVE-2016-1000027 (which more or less forbids the use of Spring since 2016 -- it's moderately controversial.

@road

Activity

bhill6@wisc.edu requested review from @bjsousa, @ERIC.SCHOVILLE, @lyle, and @NUWAN.KUMARASIRI 2 years ago

requested review from @bjsousa, @ERIC.SCHOVILLE, @lyle, and @NUWAN.KUMARASIRI
bhill6@wisc.edu assigned to @bhill6 2 years ago

assigned to @bhill6
bhill6@wisc.edu added 1 commit 2 years ago
added 1 commit

0e176e85 - Version number updates since I forgot that this thing has 5 pom files.

Compare with previous version
Lyle Hanson @lyle started a thread on the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu
Last reply by bhill6@wisc.edu 2 years ago

bhill6@wisc.edu @bhill6 · 2 years ago

Author Owner

dependency-check-report.html latest dependency check report after updates.

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

9de23040 - One more dependency update

Compare with previous version

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

79eec30f - Removing log4j dependencies from test and substituting logback as the slf4j...

Compare with previous version

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

771a1889 - fix for CWE-93 issue in sample code raised by SAST

Compare with previous version

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

00866503 - another fix for CWE-93 issue in sample code raised by SAST

Compare with previous version

Lyle Hanson @lyle started a thread on the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu

Lyle Hanson @lyle started a thread on an old version of the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

8db88ca0 - reorganized gitlab-ci for scanning

Compare with previous version

bhill6@wisc.edu resolved all threads 2 years ago

resolved all threads

bhill6@wisc.edu @bhill6 · 2 years ago

Author Owner

Interesting. It seems that adding the Security/SAST-IaC.latest.gitlab-ci.yml scans caused it to scan the dependency-check-report.html files and treat them like code (triggering a slew of new CRITICALS).

Since we don't really need the maven OWASP scans with the gitlab ones available, I'm going to remove that from the pom file to avoid this stranger error that it caused.

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

9e8b8594 - removing maven-dependency-check plugin to avoid false positives from gitlab scans

Compare with previous version

Lyle Hanson @lyle started a thread on an old version of the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu

Lyle Hanson @lyle started a thread on an old version of the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

7a0bacde - changes from code review

Compare with previous version

bhill6@wisc.edu added 1 commit 2 years ago

added 1 commit

0b83cff8 - removed unused cvs-suppressions file

Compare with previous version

Lyle Hanson @lyle started a thread on the diff 2 years ago

Resolved 2 years ago by bhill6@wisc.edu

Please register or sign in to reply