Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade org.cyclonedx:cyclonedx-core-java from 7.3.2 to 9.0.4 #21

Open
wants to merge 44 commits into
base: main
Choose a base branch
from
Open

[Snyk] Security upgrade org.cyclonedx:cyclonedx-core-java from 7.3.2 to 9.0.4 #21

wants to merge 44 commits into from

Conversation

KoukiHama
Copy link

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity XML External Entity (XXE) Injection
SNYK-JAVA-ORGCYCLONEDX-7369650		   833   org.cyclonedx:cyclonedx-core-java:
7.3.2 -> 9.0.4
Major version upgrade Proof of Concept

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 XML External Entity (XXE) Injection

heliocastro added 30 commits May 30, 2024 15:51
@heliocastro
refactor(project): Remove liferay frontend
4743d31 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(java): Move to Java 17
86bbd27 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Adjust dependencies for Java 17 and Liferay removal
0e69da3 
- Thrift updated to version 2020s compatible with Java 17+
- Set the default Tomcat base to be used now
- Removed Liferay and Java version specifics

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove flatten maven plugin
425da38 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove log4j-osgi-support
6839d36 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove liferay properties
819c2c5 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove unused Jenkins build files
0ed5a12 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(datahandler): Update for modern thrift and Java 17
8d02ed2 
- Change Thrift code to use httpclient5
- Remove OSGI bn

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(deps): Remove duplicate json dependency version
5e046ea 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(thirdparty): Remove old couchdb-lucene
7e5c60e 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(scripts): Set default to newer Thrift
876945b 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Move enforcer plugin to proper location
aff9aff 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(linter): Remove spotless as not used
c073cd6 
Spotless was a good idea, but never been properly used or implemented.
The solution should be revisited as the new codebase is active.

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove jacoco maven plugin
bb385fa 
Data of code coverage is not used all and should be better represented
on the next codebase.

Related to discussion on eclipse-sw360#2452

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove unused buildnumber maven plugin
c626191 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove unused versions maven plugin
1e1bc29 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(frontend): Remove frontend references
681ab69 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(libraries): Remove OSGI bundle from CommonIO
f0ee317 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(libraries): Remove OSGI bundle from exporters
3d54efb 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(libraries): Remove OSGI bundle from importers
9979a85 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove OSGI bundle plugin
3083c2d 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Start transition to Jakarta API
3e69647 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Add maven-git-versioning extension
9e13651 
Ref: https://github.com/qoomon/maven-git-versioning-extension

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(docker): Initial docker refactor with Tomcat only
4b891be 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
chore(vscode): Improve Java buildsystem handling
4f79c63 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(rest): Make old authorization-server compile
8d32e8f 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(workflows): Build new codebase
6010914 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
feat(docker): Add couchdb-test properties
c80ddfc 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Remove pontual build references on Liferay
d8cabf8 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(readme): Remove some liferay references
fa9c857 
Signed-off-by: Helio Chissini de Castro <[email protected]>
dependabot bot and others added 14 commits May 30, 2024 20:23
@dependabot @heliocastro
build(deps): bump org.apache.commons:commons-compress
b523c6e 
Bumps org.apache.commons:commons-compress from 1.21 to 1.26.0.

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-compress
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@heliocastro
feat(workflow): Upload test results in case of failure
330c1be 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(tests): Make partial importer tests pass
88b0c05 
- Refactored exceptions

- Commented testImportOnEmptyDb, void testImportTwiceWithOnlyAPart,
testImportTwiceIsANoOp as need to be refactored

- Add Siemens no-liferay branch fixes

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(project): Disable client library temporary
4e2377f 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(couchdb): Remove old lucene patch
d168113 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
refactor(docker): Enable new codebase
21e31e5 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(tests): Fix codebase to match springboot series 2.x
5c272bb 
- Upgrade to latest series 2.x springboot release
- Revert the rest functionality to javax required by the current
  codebase

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(project): Normalize version and deploy properties
9012a62 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(project): Adjust version to match maven requirements
c1c5307 
Version is set now by git versioning plugin, but maven requires a static
defined entry to validate builds. Fixed on 18.99.0 as mark for post 18
development.

Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(project): Adjust to use properties in main pom.xml
30851ec 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(tests): Update to Java 17 compatible libraries
01ecf1f 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
fix(tests): Temporary disable client tests
7f3241a 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@heliocastro
chore(project): Ignore/exclude git-versioned
30b714f 
Signed-off-by: Helio Chissini de Castro <[email protected]>
@snyk-bot
fix: pom.xml to reduce vulnerabilities
fd2c192 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGCYCLONEDX-7369650
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KoukiHama @heliocastro @snyk-bot