[MGNLEE-642] Remove suppressed vulnerability from dependency-check-report Created: 03/Jun/21  Updated: 14/Jun/21  Resolved: 14/Jun/21

Status: Closed
Project: Magnolia DX Core
Component/s: None
Affects Version/s: None
Fix Version/s: 6.2.10

Type: Improvement Priority: Neutral
Reporter: Federico Grilli Assignee: Mikaël Geljić
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

 Description   

We should be suppressing the reported vulnerabilities that we know we are not affected by, e.g. at https://nexus.magnolia-cms.com/content/sites/magnolia.enterprise.sites/magnolia-dx-core/6.2.9/dependency-check-report.html



 Comments   
Comment by Mikaël Geljić [ 11/Jun/21 ]

First off: the link in the description points to the report for the dx-core parent POM. Not representative of our distributed webapps/bundles.

Admittedly confusing, that said:

  • I'll try to generalize application of the project suppressions to the whole reactor, so at least the reports for the different webapps are more consistent with each other.
  • I'd suggest we increase our coverage too. dx-core-demo-webapp is a better candidate: it may include unbundled modules, and is equally an artifact that we distribute, as plain DX Core is.
  • Once the first point is covered, I'll also check what it would take to let it run through the whole reactor. Some CVEs may not be in our product distribution; it would still be a good idea to clear them & update. If that's still too noisy on the parent POM, I'd consider skipping the plugin explicitly for these (effectively removing the misleading report).
Comment by Mikaël Geljić [ 11/Jun/21 ]

Good news: managed to pull the project suppressions to the whole dx-core reactor:

  • parent report is empty
  • dx-core: 1 dep (xstream)
  • dx-core-demo: 2 deps (+netty-transport)
  • dx-core-cloud: 4 deps (+postgresql +okhttp-logging-interceptor)
  • test-fixture & test-webapps: 2/3 deps (couple docker libs)

=> Overall, covering all modules seems very reasonable. Keeping the pipeline unchanged in this ticket; should file follow-ups to address the vulnerabilities above before broadening execution.
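The discipline the ticket asks for (suppress only what we know does not affect us, and share the suppressions across the whole reactor) is easy to get wrong inside the suppression file itself. What follows is an added example, not Magnolia's code or part of the ticket: a small Python linter over an OWASP dependency-check suppression file that flags entries with no justification in `<notes>`, no `until` expiry, or no package scope. The last point matters once one file applies to every module: a bare `<cve>` with no `packageUrl`/`gav`/`filePath`/`sha1` silences that CVE for every dependency in every webapp. The embedded sample file is constructed; its coordinates and CVE ids are placeholders, not entries from the report linked above.

```python
"""Lint an OWASP dependency-check suppression file.

Added example (not Magnolia's code): enforces the hygiene a reviewer wants
when suppressions are shared reactor-wide. Each <suppress> must carry a
justification, a date-bound 'until', and a package scope; otherwise a bare
<cve> hides that CVE for every dependency in every module.
"""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample input. Package coordinates and CVE ids are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2021-12-31Z">
    <notes><![CDATA[Vulnerable code path not reachable: the affected feature is disabled in all bundles. Re-check on upgrade.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/lib\\-a@.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[]]></notes>
    <cve>CVE-0000-00002</cve>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes><![CDATA[Expired entry; must be re-evaluated.]]></notes>
    <gav regex="true">^org\\.example:lib-b:.*$</gav>
    <vulnerabilityName>CVE-0000-00003</vulnerabilityName>
  </suppress>
</suppressions>
"""

# Elements that narrow a suppression to specific artifacts.
SCOPE_TAGS = {"packageUrl", "gav", "filePath", "sha1"}
# Elements that select which finding(s) get suppressed.
TARGET_TAGS = {"cve", "vulnerabilityName", "cpe", "cvssBelow"}


def _local(tag):
    """Strip the XML namespace so the linter works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def lint(xml_text, today=None):
    """Return a list of (entry_number, problem) tuples; empty means clean.

    'today' may be a datetime.date or an ISO date string; defaults to now.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)

    findings = []
    root = ET.fromstring(xml_text)
    entries = [e for e in root if _local(e.tag) == "suppress"]
    for n, sup in enumerate(entries, start=1):
        children = {_local(c.tag): c for c in sup}

        notes = children.get("notes")
        if notes is None or not (notes.text or "").strip():
            findings.append((n, "missing justification in <notes>"))

        until = sup.get("until")
        if until is None:
            findings.append((n, "no 'until' expiry; entry will never be re-reviewed"))
        else:
            # Schema uses xs:date, typically written as 2021-12-31Z.
            expiry = date.fromisoformat(until.rstrip("Z"))
            if expiry < today:
                findings.append((n, f"expired on {expiry.isoformat()}"))

        if not SCOPE_TAGS & children.keys():
            findings.append((n, "no package scope (packageUrl/gav/filePath/sha1): applies to every dependency"))

        if not TARGET_TAGS & children.keys():
            findings.append((n, "no vulnerability selector (cve/vulnerabilityName/cpe/cvssBelow): hides everything that matches"))
    return findings


def lint_file(path, today=None):
    """Convenience wrapper for a file on disk, e.g. the reactor-wide suppressions."""
    with open(path, encoding="utf-8") as fh:
        return lint(fh.read(), today)


if __name__ == "__main__":
    for entry, problem in lint(SAMPLE, "2021-06-14"):
        print(f"suppress #{entry}: {problem}")
```

Run the script on the real file (`lint_file("dependency-check-suppressions.xml")`) as a step in the build that produces the report. On the Maven side, the usual way to make one file cover a whole reactor (this is an assumption about how the comments above achieved it, not something the ticket states) is to configure `org.owasp:dependency-check-maven` once in the parent POM with `suppressionFiles` pointing at `${maven.multiModuleProjectDirectory}/dependency-check-suppressions.xml`, so every module resolves the same file instead of a path relative to its own directory.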

Generated at Mon Feb 12 05:31:56 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.