
Add OWASP Dependency-Check Maven Plugin
* only active if profile dependency check is active
* added suppression.xml for false positives
* added tmp fix for jwt lib

Armin Schrenk 4 years ago
parent
commit
b0fce66d77
2 changed files with 52 additions and 0 deletions
  1. 33 0
      main/pom.xml
  2. 19 0
      main/suppression.xml

+ 33 - 0
main/pom.xml

@@ -230,6 +230,13 @@
 				<version>${javafx.version}</version>
 				<scope>test</scope>
 			</dependency>
+
+			<!-- TODO: temporary fix for XXE attack, can be removed once java-jwt is updated -->
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-databind</artifactId>
+				<version>2.10.5.1</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 
@@ -332,6 +339,32 @@
 				</dependency>
 			</dependencies>
 		</profile>
+		<profile>
+			<id>dependency-check</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.owasp</groupId>
+						<artifactId>dependency-check-maven</artifactId>
+						<version>6.0.3</version>
+						<configuration>
+							<cveValidForHours>24</cveValidForHours>
+							<failBuildOnCVSS>0</failBuildOnCVSS>
+							<skipTestScope>true</skipTestScope>
+							<detail>true</detail>
+							<suppressionFile>suppression.xml</suppressionFile>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>check</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
 	</profiles>
 
 	<build>
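Review bot: The TODO comment on the new jackson-databind entry in the first hunk gives no way to verify when it can be dropped: it does not name the CVE being fixed (the suppression file in this commit attributes the 2.10.5.1 pin to CVE-2020-25649) or the dependency path, and "once java-jwt is updated" leaves open which java-jwt release carries a fixed jackson-databind. Because the entry sits under `<dependencyManagement>`, it pins every transitive jackson-databind in the build, not only the one pulled in by java-jwt, so a later dependency that needs a newer jackson will be silently downgraded to 2.10.5.1. Suggested comment: `<!-- TODO: pin jackson-databind to 2.10.5.1 for CVE-2020-25649 (XXE), pulled in transitively by java-jwt; applies to ALL transitive jackson-databind versions. Remove once java-jwt depends on a fixed jackson-databind (version: TODO confirm). -->`. The enclosing `<dependencyManagement>` and `<profiles>` elements both start outside their hunks.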

+ 19 - 0
main/suppression.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file lists false positives found by org.owasp:dependency-check-maven build plugin -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+	<suppress>
+		<notes><![CDATA[ Upstream fix backported from 2.11.0 to 2.10.5.1, see https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837. ]]></notes>
+		<gav>com.fasterxml.jackson.core:jackson-databind:2.10.5.1</gav>
+		<cve>CVE-2020-25649</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for fuse-nio-adapter. For more info, see suppression.xml of https://github.com/cryptomator/fuse-nio-adapter ]]></notes>
+		<gav regex="true">^org\.cryptomator:fuse-nio-adapter:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[ Suppress known vulnerabilities in FUSE libraries for jnr-fuse (dependency of fuse-nio-adapter). ]]></notes>
+		<gav regex="true">^com\.github\.serceman:jnr-fuse:.*$</gav>
+		<cvssBelow>9</cvssBelow>
+	</suppress>
+</suppressions>
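Review bot: The two FUSE suppressions (the `fuse-nio-adapter` and `jnr-fuse` entries) combine a version regex of `.*` with `<cvssBelow>9</cvssBelow>`, which accepts every finding up to CVSS 8.9 — the whole "high" band — for every past and future version of those artifacts, with no expiry, and the notes name no CVE IDs, so nobody can later tell whether a new finding is one of the "known vulnerabilities" or a new one. Since the profile in this commit sets `failBuildOnCVSS` to 0, these two entries are what decides whether the build passes, which makes them worth bounding. Suggested change per entry: add `until="<YYYY-MM-DD placeholder>"` on `<suppress>` so the exception is re-reviewed, and either list the accepted CVE IDs in the `<notes>` or use per-`<cve>` entries as the jackson-databind suppression above already does. The CDATA wrappers around the plain-text notes are unnecessary and can be dropped for readability.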