NIFI-9213 Upgraded Dependency Check Plugin to 6.3.1
- Suppressed false positive for ftpserver
- Suppressed false positive for com.metamx:http-client
- Suppressed false positive for Jetty servlet-api
- Suppressed false positive for Testcontainers MySQL
- Suppressed false positive for vorbis-java-tika
This closes #5384
Signed-off-by: Joe Gresock <jgresock@gmail.com>
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 0a71a41..df9a719 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -15,13 +15,38 @@
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
- <notes>Suppress false positives for Apache NiFi packages</notes>
+ <notes>NiFi packages contain other project names, which can cause incorrect identification</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.nifi/.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
<suppress>
- <notes>Suppress false positives for Jetty Test Helper</notes>
+ <notes>Jetty Test Helper is incorrectly identified as part of Jetty Server</notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-test-helper.*$</packageUrl>
<cpe regex="true">^cpe:.*$</cpe>
</suppress>
+ <suppress>
+ <notes>Apache FTP Server library is incorrectly identified with Apache HTTP Server</notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/ftpserver\-core@.*$</packageUrl>
+ <cpe>cpe:/a:apache:http_server</cpe>
+ </suppress>
+ <suppress>
+ <notes>Meta MX HTTP Client is incorrectly identified as Netty</notes>
+ <packageUrl regex="true">^pkg:maven/com\.metamx/http\-client@.*$</packageUrl>
+ <cpe>cpe:/a:netty:netty</cpe>
+ </suppress>
+ <suppress>
+ <notes>Servlet API libraries with the Jetty package are incorrectly associated with Jetty Server</notes>
+ <packageUrl regex="true">^pkg:maven/org\.mortbay\.jetty/servlet\-api@.*$</packageUrl>
+ <cpe regex="true">^cpe:/a:.*:jetty:.*$</cpe>
+ </suppress>
+ <suppress>
+ <notes>Testcontainers MySQL is incorrectly identified with MySQL server</notes>
+ <packageUrl regex="true">^pkg:maven/org\.testcontainers/mysql@.*$</packageUrl>
+ <cpe>cpe:/a:mysql:mysql</cpe>
+ </suppress>
+ <suppress>
+ <notes>Vorbis Java Tika is incorrectly linked to flac_project</notes>
+ <packageUrl regex="true">^pkg:maven/org\.gagravarr/vorbis\-java\-tika@.*$</packageUrl>
+ <cpe>cpe:/a:flac_project:flac</cpe>
+ </suppress>
</suppressions>
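Review bot: The two rules at the top of the file still suppress every CPE (`^cpe:.*$`) for all `org.apache.nifi` artifacts and for jetty-test-helper, and the reworded notes do not record that breadth. Unlike the five added rules, which each name a single mismatched CPE, the NiFi rule would presumably also hide a correct match against NiFi's own CPE for those artifacts. If that is intended, the note should say so, e.g. `<notes>NiFi packages contain other project names, which can cause incorrect identification; all CPE matches for org.apache.nifi artifacts are suppressed, including NiFi's own</notes>`. In the added servlet-api rule, `^cpe:/a:.*:jetty:.*$` lets the vendor wildcard span colons; `[^:]+` in place of the first `.*` would keep it to the vendor field.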
diff --git a/pom.xml b/pom.xml
index 56fab65..0d1a6bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1109,7 +1109,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>6.1.5</version>
+ <version>6.3.1</version>
<executions>
<execution>
<inherited>false</inherited>
@@ -1118,6 +1118,8 @@
</goals>
<configuration>
<suppressionFiles>nifi-dependency-check-maven/suppressions.xml</suppressionFiles>
+ <!-- Skip System Scope to avoid dependency resolution errors with jdk.tools on Java 8 -->
+ <skipSystemScope>true</skipSystemScope>
</configuration>
</execution>
</executions>
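Review bot: The comment on `skipSystemScope` gives the reason for the setting but not its effect: with it enabled the plugin leaves every system-scoped dependency out of the analysis, not only jdk.tools. This is worth recording so that a system-scoped jar added later is not assumed to be scanned, e.g. `<!-- Skip System Scope to avoid dependency resolution errors with jdk.tools on Java 8; system-scoped dependencies are therefore not analyzed -->`. The enclosing `<plugin>` element continues outside the hunk.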