Changed files: README.md, build.gradle, etc/owasp-dependency-check-suppression.xml
README.md
@@ -266,6 +266,7 @@ Some of these rules are checked with *ArchUnit* unit tests. ### Spotless Code Formatting Code formatting for Java is checked via *spotless*. @@ -275,7 +276,7 @@ gw spotlessCheck ``` This task is also included in `gw build`. This task is also included in `gw build` and `gw check`. To apply formatting rules, use: @@ -283,6 +284,23 @@ gw spotlessApply ``` ### OWASP Security Vulnerability Check An OWASP security vulnerability is configured and can be utilized by running: ```shell gw dependencyCheckAnalyze ``` This task is also included in `gw build` and `gw check`. It is configured in [build.gradle](build.gradle). Often vulnerability reports don't apply to our use cases. Therefore, reports can be [suppressed](./etc/owasp-dependency-check-suppression.xml). In case of suppression, a note must be added to explain why it does not apply to us. See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html. ## How To build.gradle
@@ -72,3 +72,13 @@ toggleOffOn() } } project.tasks.check.dependsOn(spotlessCheck) dependencyCheck { cveValidForHours=4 format = 'ALL' suppressionFile = 'etc/owasp-dependency-check-suppression.xml' failOnError = true failBuildOnCVSS = 7 } project.tasks.check.dependsOn(dependencyCheckAnalyze) etc/owasp-dependency-check-suppression.xml
New file @@ -0,0 +1,10 @@ <?xml version="1.0" encoding="UTF-8"?> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> <suppress> <notes><![CDATA[ We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization. ]]></notes> <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl> <cve>CVE-2016-1000027</cve> </suppress> </suppressions>
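Review bot: In the README hunk at `@@ -283,6 +284,23 @@`, the sentence "An OWASP security vulnerability is configured and can be utilized by running" is missing the word "check": it should read "An OWASP security vulnerability check is configured ...", otherwise it says a vulnerability was configured rather than a check for one. Same hunk, the suppression paragraph could also state where the required explanation goes, i.e. inside the `<notes>` element of each `<suppress>` entry, so contributors know the convention without opening the XML file.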
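Review bot: In the build.gradle hunk, `failBuildOnCVSS = 7` combined with `failOnError = true` and `project.tasks.check.dependsOn(dependencyCheckAnalyze)` means every `gw check` needs fresh NVD data (re-fetched after `cveValidForHours=4`), so an offline or rate-limited CI run will fail the build on the download error rather than on a finding; consider documenting that expectation in the README section, or deciding explicitly whether a data-refresh failure should be fatal. Also, a threshold of 7 lets CVSS 4.0-6.9 (medium) findings pass silently unless someone reads the report, so the chosen value deserves a one-line comment. Minor style: `cveValidForHours=4` lacks the spaces around `=` used by the other four properties.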
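Review bot: In the new suppression file, the `<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>` pattern suppresses CVE-2016-1000027 for every spring-web version, present and future, with no expiry. The suppression schema's `until` attribute on `<suppress>` (for example `<suppress until="YYYY-MM-DD">`) would force the entry to be re-reviewed periodically, which matters here because the justification ("We don't use the Spring HTTP invoker") is a statement about application code that can change while the suppression stays. The note itself satisfies the README's requirement, but it would be stronger if it named what would invalidate it, e.g. introducing `HttpInvokerServiceExporter` or any remoting over Java serialization.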