[Snyk] Security upgrade org.cryptomator:webdav-nio-adapter from 1.2.2 to 1.2.3 (#1698)

* fix: pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686

* adjusted suppression config

* bump webdav version

Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Author: Snyk bot, 3 years ago
Parent commit: b4a97803ff

2 changed files with 9 additions and 34 deletions:
- pom.xml (+1 -1)
- suppression.xml (+8 -33)

+ 1 - 1
pom.xml

@@ -31,7 +31,7 @@
 		<cryptomator.integrations.linux.version>1.0.0-beta1</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>1.3.1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>1.3.1</cryptomator.dokany.version>
-		<cryptomator.webdav.version>1.2.2</cryptomator.webdav.version>
+		<cryptomator.webdav.version>1.2.4</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
 		<javafx.version>16</javafx.version>
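Review bot: the version written here, `<cryptomator.webdav.version>1.2.4</cryptomator.webdav.version>`, does not match the commit title, which announces an upgrade "from 1.2.2 to 1.2.3"; the later "bump webdav version" bullet suggests the target moved after Snyk generated the message, so the title (and the Snyk vulnerability reference, which only justifies 1.2.3) should be updated to state the version actually shipped, otherwise the history misrepresents what this commit pins.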

+ 8 - 33
suppression.xml

@@ -14,40 +14,15 @@
 
 	<!-- Jetty false positives below -->
 	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5045</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2009-5046</cve>
-	</suppress>
+		<notes><![CDATA[
+		Suppress all for this javax.servlet api package:
+		There are lots of false positives, simply because its version number is way beyond the remaining
+		org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
 
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-9735</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7656</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7657</cve>
-	</suppress>
-	<suppress>
-		<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
-		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2017-7658</cve>
-	</suppress>
-
-	<suppress>
-		<notes><![CDATA[ Fixed since jetty-server 10.0.0.beta2 ]]></notes>
+		As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
+		vulnerabilities will still trigger if we actually use an outdated Jetty version.
+		]]></notes>
 		<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
-		<cve>CVE-2020-27216</cve>
+		<cpe regex="true">.*</cpe>
 	</suppress>
 </suppressions>
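Review bot: this suppression is pinned to `<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>` but matches every CPE via `<cpe regex="true">.*</cpe>`, so two things follow that the notes should spell out: while it matches, any genuine finding filed against the servlet-api artifact itself is hidden as well (the notes lean entirely on jetty-server/jetty-servlet staying unsuppressed), and the moment jetty-servlet-api is bumped past 4.0.6 the suppression silently stops applying and all the old false positives return. If the version pin is meant to force a re-review on each bump, say so in the notes; if not, consider whether pinning the artifact version is the right key. Minor: "Note, that our actual Jetty version is different" should read "Note that ...".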