FC-274 - Upgrade maven plugins and dependencies
diff --git a/README.md b/README.md
index 94ee004..b2a19c8 100644
--- a/README.md
+++ b/README.md
@@ -202,10 +202,14 @@
```
This sample requires Java 8 and Maven 3 to be setup within the execution env.
-
+
+#### 2. Load the default security policy for Fortress REST.
+
+ ```
mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
+ ```
-#### 2. Optional, load a sample security policy for ARBAC.
+#### 3. Optional, load a sample security policy for ARBAC.
```maven
mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
```
@@ -214,7 +218,7 @@
* *-Dload.file* automatically loads the [directory-fortress-rest security policy](src/main/resources/FortressRestServerPolicy.xml) data into ldap.
* This load needs to happen just once for the default test cases to work and may be dropped from future `mvn` commands.
-#### 3. Deploy to Tomcat:
+#### 4. Deploy to Tomcat:
a. If using autodeploy feature, verify the Tomcat auto-deploy options are set correctly in the [pom.xml](pom.xml) file:
```xml
diff --git a/pom.xml b/pom.xml
index 38f51c0..5260deb 100755
--- a/pom.xml
+++ b/pom.xml
@@ -104,7 +104,7 @@
<java.version>1.8</java.version>
<!-- Dependencies version -->
<fortress.realm.version>2.0.4</fortress.realm.version>
- <cxf.version>3.2.6</cxf.version>
+ <cxf.version>3.3.4</cxf.version>
<httpclient.version>3.1</httpclient.version>
<java.version>1.8</java.version>
<javadoc.version>2.9.1</javadoc.version>
@@ -112,9 +112,9 @@
<log4j.version>1.2.17</log4j.version>
<servlet-api.version>2.5.0</servlet-api.version>
<slf4j.log4j12.version>1.7.21</slf4j.log4j12.version>
- <spring.version>5.0.9.RELEASE</spring.version>
- <spring.security.version>5.0.7.RELEASE</spring.security.version>
- <jackson-jaxrs.version>2.9.7</jackson-jaxrs.version>
+ <jackson-jaxrs.version>2.10.1</jackson-jaxrs.version>
+ <version.jaxb.core>2.3.0.1</version.jaxb.core>
+ <version.jaxb.impl>2.3.2</version.jaxb.impl>
<!-- Other properties -->
<base.dir>.</base.dir>
@@ -155,17 +155,16 @@
<version>${jackson-jaxrs.version}</version>
</dependency>
- <!-- Spring Dependencies -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
- <version>${spring.version}</version>
+ <version>5.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
- <version>${spring.security.version}</version>
+ <version>5.2.1.RELEASE</version>
</dependency>
<!-- Logging Dependencies -->
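Review bot: The Spring versions are now inlined as literals (`5.2.2.RELEASE` at L61, `5.2.1.RELEASE` at L67) while every neighbouring dependency still references a property (`${jackson-jaxrs.version}`, `${version.jaxb.impl}`), so the pom now mixes two version-management styles and the two Spring lines can drift apart on the next upgrade. The properties removed at L45-L46 could simply have been bumped instead: `<spring.version>5.2.2.RELEASE</spring.version>` and `<spring.security.version>5.2.1.RELEASE</spring.security.version>`, keeping `<version>${spring.version}</version>` here. The `<!-- Spring Dependencies -->` section comment was also dropped while `<!-- Logging Dependencies -->` remains; I would keep it for symmetry.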
@@ -197,16 +196,16 @@
</dependency>
<dependency>
- <groupId>com.sun.xml.bind</groupId>
- <artifactId>jaxb-core</artifactId>
- <version>2.3.0</version>
- </dependency>
+ <groupId>com.sun.xml.bind</groupId>
+ <artifactId>jaxb-impl</artifactId>
+ <version>${version.jaxb.impl}</version>
+ </dependency>
<dependency>
- <groupId>com.sun.xml.bind</groupId>
- <artifactId>jaxb-impl</artifactId>
- <version>2.3.0</version>
- </dependency>
+ <groupId>org.glassfish.jaxb</groupId>
+ <artifactId>jaxb-core</artifactId>
+ <version>${version.jaxb.core}</version>
+ </dependency>
</dependencies>
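Review bot: The JAXB runtime is now assembled from two coordinate families at different versions, `com.sun.xml.bind:jaxb-impl:2.3.2` (L77-L79) and `org.glassfish.jaxb:jaxb-core:2.3.0.1` (L86-L88). From the 2.3.1 release line the RI ships its core classes inside the runtime jar, so if that holds for 2.3.2 the separate jaxb-core is redundant and may place duplicate classes on the classpath; `mvn dependency:tree` on this module would confirm. If both are genuinely needed, align them on one groupId and version and record the reason in a comment next to the properties at L49-L50, e.g. `<!-- jaxb-core kept separately because ... -->`.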
@@ -289,7 +288,6 @@
<server>local-tomcat</server>
<url>http://localhost:8080/manager/text</url>
<path>/${project.artifactId}-${project.version}</path>
-<!-- <path>/enmasse-${version}</path>-->
<!-- Warning the tomcat manager creds here are for deploying into a demo environment only. -->
<username>tcmanager</username>
<password>m@nager123</password>
@@ -311,11 +309,21 @@
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>5.2.4</version>
+ <configuration>
+ <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+ <suppressionFile>${project.basedir}/src/owasp/suppression.xml</suppressionFile>
+ </configuration>
+ </plugin>
+
<!-- War the app -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
- <version>2.4</version>
+ <version>3.2.3</version>
<configuration>
<warName>${project.artifactId}-${project.version}</warName>
<archive>
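Review bot: The new dependency-check plugin block (L102-L110) declares configuration but no `<executions>`, so the `check` goal only runs when the `owasp` profile defined at the end of this file is activated; a reader of this section would otherwise assume `failBuildOnAnyVulnerability` applies to every build. Every sibling plugin here carries a section comment (`<!-- War the app -->`), this one does not. Suggest adding above L102: `<!-- OWASP dependency-check: configuration only; the check goal is bound in the 'owasp' profile (mvn -Powasp) -->`. Since the suppression file referenced at L108 can silence findings, that comment is also the place to point maintainers at `src/owasp/suppression.xml` when a build starts failing.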
@@ -357,7 +365,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
- <version>3.8.0</version>
+ <version>3.8.1</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
@@ -369,7 +377,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
- <version>3.0.0</version>
+ <version>3.2.0</version>
<executions>
<execution>
<id>attach-sources</id>
@@ -451,4 +459,26 @@
</repository>
</repositories>
-</project>
+ <!-- OWASP Dependency Vulnerability Scanner Profile -->
+ <profiles>
+
+ <profile>
+ <id>owasp</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+</profiles>
+</project>
\ No newline at end of file
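Review bot: The closing `</profiles>` at L164 appears to sit at column 0 while its opening tag at L144 and the whole `<profile>` body are indented; this view may have collapsed leading whitespace, so please confirm, but as shown the tag pair does not line up. The same hunk also leaves `</project>` without a trailing newline (L166), which was already the case before and is a good moment to fix. A one-line comment on the profile stating that the plugin version and `failBuildOnAnyVulnerability` setting are inherited from the main `<build>` block would save the next reader a lookup, e.g. `<!-- Version and configuration come from build/plugins; this profile only binds the check goal -->`.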
diff --git a/src/owasp/suppression.xml b/src/owasp/suppression.xml
new file mode 100644
index 0000000..06d1344
--- /dev/null
+++ b/src/owasp/suppression.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <!-- Suppress OWASP warnings about spring security, security method override, not applicable here. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-security-core-5.2.1.RELEASE.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
+ <cve>CVE-2018-1258</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: spring-security-web-5.2.1.RELEASE.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl>
+ <cpe>cpe:/a:pivotal_software:spring_security</cpe>
+ </suppress>
+</suppressions>
\ No newline at end of file
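Review bot: Both suppressions match every version of the artifact (`@.*$` at L199 and L206), and the second one suppresses by `<cpe>` (L207) rather than by a specific CVE, which silences every current and future spring_security finding on spring-security-web instead of the one that was assessed; together with `failBuildOnAnyVulnerability` in the pom this turns the check into a no-op for that artifact. Pin the regex to the version that was reviewed, `^pkg:maven/org\.springframework\.security/spring\-security\-web@5\.2\.1\.RELEASE$`, and replace the `<cpe>` with the `<cve>` entries that were actually judged not applicable. If a broad suppression is unavoidable, give it an expiry so it is revisited, `<suppress until="<REVIEW-DATE-PLACEHOLDER>Z">`, and state the reason inside `<notes>` as the first block's comment at L194 does; the second block has no rationale at all.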