Merge branch 'development' of https://github.com/hzi-braunschweig/SORMAS-Project into development

MateStrysewske · MateStrysewske · commit 21817522f4b8 · 2020-12-15T11:00:44.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,39 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+env:
+  java: 11
+
+on:
+  push:
+    branches: [ development, master ]
+  pull_request:
+    branches: [ development ]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up JDK ${{ env.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ env.java }}
+
+      - name: Cache Maven packages
+        # FIXME(@JonasCir) #3733 remove '**/*.pom' once serverlib pom is renamed
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-java-${{ env.java }}-m2-${{ hashFiles('**/pom.xml', '**/*.pom') }}
+          restore-keys: ${{ runner.os }}-java-${{ env.java }}-m2
+
+      - name: Build with Maven
+        working-directory: ./sormas-base
+        run: mvn verify -B -ntp
diff --git a/.travis.yml b/.travis.yml
diff --git a/sormas-base/dependencies/check-suppressions.xml b/sormas-base/dependencies/check-suppressions.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+  <!-- *** False positives *** -->
+  <suppress>
+    <notes><![CDATA[
+    We are using newer Gradle version 5.4.1
+    ]]></notes>
+	<filePath regex="true">.*\bgradle-wrapper.*\.jar</filePath>
+    <cve>CVE-2019-11065</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    CVE addresses "data-tools" (not Java) which dows not seem to be uses by "jackson-dataformat-hal"
+    ]]></notes>
+	<filePath regex="true">.*\bjackson-dataformat-hal.*\.jar</filePath>
+    <cve>CVE-2018-18749</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    CVE is fixed with Keycloak 10, we use at least version 11
+    ]]></notes>
+	<filePath regex="true">.*\bkeycloak-.*\.jar</filePath>
+    <cve>CVE-2020-1728</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    We are using a newer version than Vaadin 6.4.9
+    ]]></notes>
+	<filePath regex="true">.*\bvaadin-sass-compiler\.jar</filePath>
+    <cve>CVE-2011-0509</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    False positive documented in Dependency Check 6.0.3, see https://github.com/jeremylong/DependencyCheck/issues/2511
+    ]]></notes>
+	<filePath regex="true">.*\bvaadin-sass-compiler\.jar</filePath>
+    <cve>CVE-2019-10799</cve>
+  </suppress>
+  <!-- *** False positives END *** -->
+
+  <!-- *** Not exploitable *** -->
+  <suppress>
+    <notes><![CDATA[
+    Not exploitable because we use Gradle as build tool to get public available dependencies without any credentials. Upgrade from 5.4.1 to 5.6.x might also be an option.
+    ]]></notes>
+	<filePath regex="true">.*\bgradle-wrapper.*\.jar</filePath>
+    <cve>CVE-2019-15052</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    Not relevant at the moment because we do not use SocketServer to receive logs.
+    ]]></notes>
+	<filePath regex="true">.*\blogback-.*\.jar</filePath>
+    <cve>CVE-2017-5929</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    maven-ant-tasks is not part of the release and is not relied on by the code
+    ]]></notes>
+	<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+    <cve>CVE-2017-1000487</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    maven-ant-tasks is not part of the release and is not relied on by the code
+    ]]></notes>
+	<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+    <vulnerabilityName>Directory traversal in org.codehaus.plexus.util.Expand</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    maven-ant-tasks is not part of the release and is not relied on by the code
+    ]]></notes>
+	<filePath regex="true">.*\bmaven-ant-tasks.*\.jar/META-INF/.*\bplexus-utils.*</filePath>
+    <vulnerabilityName>Possible XML Injection</vulnerabilityName>
+  </suppress>
+  <!-- *** Not exploitable END *** -->
+
+</suppressions>
