[BUILD-444] Update dependency check plugin to the latest version Created: 26/Mar/21  Updated: 09/Sep/21  Resolved: 08/Sep/21

Status: Closed
Project: Build
Component/s: Poms
Affects Version/s: None
Fix Version/s: POMs 42

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: artt
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty

 Description   

We're currently using a slightly dated version of the OWASP dependency-check plugin. Their updates usually remove false positives as well.
https://github.com/jeremylong/DependencyCheck/releases

It would be great to try the update without suppressions and see which ones remain.

After updating the plugin from version 5.3.1 to version 6.3.1, some suppressions turned out to be outdated, while new ones surfaced which the previous version did not detect.
Details for the additions are in the notes of the suppression files.
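The comparison behind the tables below (which suppressions went stale after the plugin bump, and which findings are new) is easy to get wrong by eye. The script below is an added example, not code from this ticket or from the project: it diffs two dependency-check JSON reports, one produced by the old plugin and one by the new plugin, both run with the suppression files left out, and renders a <suppress> skeleton for findings confirmed as false positives. It assumes only the report fields dependencies[].fileName and dependencies[].vulnerabilities[].name; the sample reports are constructed, and "CVE-0000-0001" is a placeholder id standing in for whatever the old scanner flagged on okhttp, not a real advisory.

```python
"""Diff two OWASP dependency-check JSON reports (old plugin vs new plugin,
both run WITHOUT suppression files) to find:
  - stale suppressions: findings the old scanner reported and the new one no
    longer does, so their <suppress> entries can be dropped;
  - new findings: reported only by the new scanner, to be triaged and, if they
    are false positives, suppressed with a new entry.
"""
import json
import re
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed sample reports. Only dependencies[].fileName and
# dependencies[].vulnerabilities[].name are read; real reports carry many more
# fields. "CVE-0000-0001" is a placeholder id, not a real advisory.
OLD_REPORT = json.dumps({"dependencies": [
    {"fileName": "okhttp-3.6.0.jar", "vulnerabilities": [{"name": "CVE-0000-0001"}]},
    {"fileName": "vorbis-java-tika-0.8.jar"},
    {"fileName": "commons-io-2.6.jar", "vulnerabilities": []},
]})
NEW_REPORT = json.dumps({"dependencies": [
    {"fileName": "okhttp-3.6.0.jar", "vulnerabilities": []},
    {"fileName": "vorbis-java-tika-0.8.jar", "vulnerabilities": [{"name": "CVE-2017-6888"}]},
    {"fileName": "xz-1.9.jar", "vulnerabilities": [{"name": "CVE-2015-4035"}]},
    {"fileName": "ckeditor-0.1.2.jar", "vulnerabilities": [
        {"name": "CVE-2021-37695"}, {"name": "CVE-2014-5191"}]},
]})


def findings(report_json):
    """Return the set of (fileName, vulnerability name) pairs in a report.
    Dependencies without a vulnerabilities list (or with null) contribute nothing."""
    report = json.loads(report_json)
    pairs = set()
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            pairs.add((dep["fileName"], vuln["name"]))
    return pairs


def group_by_jar(pairs):
    """{jar: [cve, ...]} with deterministic ordering."""
    grouped = defaultdict(list)
    for jar, cve in sorted(pairs):
        grouped[jar].append(cve)
    return dict(grouped)


def diff_findings(old_json, new_json):
    """Findings only the old scanner reported are 'stale' (their suppressions
    can go); findings only the new scanner reports are 'new' (need triage)."""
    old, new = findings(old_json), findings(new_json)
    return {"stale": group_by_jar(old - new), "new": group_by_jar(new - old)}


def path_pattern(jar):
    """Regex for dependency-check's <filePath regex="true">: the scanner does a
    full match against the absolute path, so anchor on the trailing file name."""
    return r".*[/\\]" + re.escape(jar) + "$"


def pattern_matches(jar, path):
    return re.fullmatch(path_pattern(jar), path) is not None


def suppression_skeleton(jar, cves, note):
    """Render a <suppress> entry for a reviewed false positive: one <cve> per
    finding, matched on the jar file name. Only add it after triage confirms
    the finding really is a false positive."""
    lines = ["<suppress>",
             f"   <notes><![CDATA[file name: {jar} ({note})]]></notes>",
             f'   <filePath regex="true">{escape(path_pattern(jar))}</filePath>']
    lines += [f"   <cve>{escape(cve)}</cve>" for cve in cves]
    lines.append("</suppress>")
    return "\n".join(lines)


if __name__ == "__main__":
    result = diff_findings(OLD_REPORT, NEW_REPORT)
    for jar, cves in result["stale"].items():
        print(f"stale suppression: {jar}: {', '.join(cves)}")
    for jar, cves in result["new"].items():
        print(f"new finding:       {jar}: {', '.join(cves)}")
    # Once CVE-2017-6888 on vorbis-java-tika has been confirmed as a false positive:
    print(suppression_skeleton("vorbis-java-tika-0.8.jar", ["CVE-2017-6888"], "False positive"))
```

The skeleton covers the "False positive" case only, where a specific CVE does not apply to the jar. The "Mismatch suppressions" in the tables below are a different situation, where dependency-check has identified the jar as the wrong product altogether; those are normally suppressed with a <cpe> element rather than per-CVE entries, so that new CVEs against the misidentified product do not keep resurfacing.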

Dismissed suppressions

Removed                      | Added
okhttp-3.6.0.jar             | vorbis-java-tika-0.8.jar (False positive: CVE-2017-6888)
daisydiff-1.2-magnolia.jar   | vaadin-compatibility-ckeditor-1.3.9.jar (False positives: CVE-2021-37695, CVE-2014-5191)
tagsoup-1.2.1.jar            | ckeditor-0.1.2.jar (False positives: CVE-2021-37695, CVE-2014-5191)
flatbuffers-java-1.10.0.jar  |
xstream-1.4.15.jar           |
xz-1.8.jar                   |
commons-io-2.6.jar           |
mxparser-1.2.1.jar           |

Mismatch suppressions

Removed                                              | Added
sentiment-analysis-parser-0.1.jar                    | xz-1.9.jar (CVE-2015-4035)
org.codehaus.groovy:groovy-*.jar                     |
cdi-api-2.0.SP1.jar                                  |
neko-htmlunit-2.27.jar                               |
jackson-mapper-asl-1.9.13-atlassian-4.jar            |
failureaccess-1.0.1.jar                              |
guava-1.0.0-beta7.jar                                |
preflight-2.0.19.jar                                 |
xmpbox-2.0.19.jar                                    |
kie-dmn-*-7.33.0.Final.jar                           |
drools-canonical-model-7.33.0.Final.jar              |
pmml-*-1.4.11.jar                                    |
kie-soup-project-datamodel-commons-7.33.0.Final.jar  |
magnolia-cache-core-5.9.4.jar                        |
magnolia-advanced-cache-*-2.3.4.jar                  |

Generated at Sun Feb 11 23:41:58 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.