Fix vulnerabilities

Suppress Axis vulnerability. It doesn't affect us. Exclude clojurescript from clojure.network.ip.
solita · Sep 14, 2023 · eb6653d · eb6653d
1 parent 31672ac
commit eb6653d
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 102 deletions.
diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn
@@ -1,107 +1,108 @@
-{:paths ["src/main/clj"
- "src/main/sql"
- "src/main/resources"]
+{:paths  ["src/main/clj"
+  "src/main/sql"
+  "src/main/resources"]
  :mvn/repos {"shibboleth" {:url "https://build.shibboleth.net/maven/releases/"}}
- :deps {org.clojure/clojure {:mvn/version "1.10.1"}
- ch.qos.logback/logback-classic {:mvn/version "1.4.11"}
- org.slf4j/log4j-over-slf4j {:mvn/version "1.7.36"}
- flathead/flathead {:mvn/version "0.0.6"}
- integrant/integrant {:mvn/version "0.8.1"}
- hikari-cp/hikari-cp {:mvn/version "2.14.0"}
- org.postgresql/postgresql {:mvn/version "42.6.0"}
- org.clojure/java.jdbc {:mvn/version "0.7.12"}
- org.clojure/data.csv {:mvn/version "1.0.1"}
- http-kit/http-kit {:mvn/version "2.7.0"}
- ring/ring-core {:mvn/version "1.10.0"}
- javax.servlet/servlet-api {:mvn/version "2.5"}
- org.clojure/tools.logging {:mvn/version "1.2.4"}
- prismatic/schema {:mvn/version "1.4.1"}
- metosin/reitit-ring {:mvn/version "0.6.0"}
- metosin/reitit-swagger {:mvn/version "0.6.0"}
- metosin/reitit-swagger-ui {:mvn/version "0.6.0"}
- metosin/reitit-middleware {:mvn/version "0.6.0"}
- metosin/reitit-dev {:mvn/version "0.6.0"}
- metosin/reitit-schema {:mvn/version "0.6.0"}
- metosin/muuntaja {:mvn/version "0.6.8"}
- metosin/jsonista {:mvn/version "0.3.7"}
- metosin/schema-tools {:mvn/version "0.13.1"}
- ;; TODO Spec-tools can be removed when the issue below has been fixed:
- ;; https://github.com/metosin/reitit/issues/355
- metosin/spec-tools {:mvn/version "0.10.6"}
- webjure/jeesql {:mvn/version "0.4.7"}
- clj-http/clj-http {:mvn/version "3.12.3"}
- buddy/buddy-core {:mvn/version "1.11.423"}
- buddy/buddy-sign {:mvn/version "3.5.351"}
- buddy/buddy-hashers {:mvn/version "2.0.167"}
- org.apache.poi/poi {:mvn/version "5.2.3"}
- org.apache.poi/poi-ooxml {:mvn/version "5.2.3"}
- org.apache.pdfbox/pdfbox {:mvn/version "2.0.29"}
- puumerkki/puumerkki {:mvn/version "0.9.2"
- :exclusions [ring/ring
- ring/ring-core
- ring/ring-defaults
- hiccup/hiccup
- clj-http/clj-http
- ring/ring-jetty-adapter
- org.clojure/data.json]}
- org.clojure/core.match {:mvn/version "1.0.1"}
- com.cognitect.aws/api {:mvn/version "0.8.686"}
- com.cognitect.aws/endpoints {:mvn/version "1.1.12.504"}
- com.cognitect.aws/s3 {:mvn/version "848.2.1413.0"}
- de.ubercode.clostache/clostache {:mvn/version "1.4.0"}
- commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"}
+ :deps  {org.clojure/clojure  {:mvn/version "1.10.1"}
+  ch.qos.logback/logback-classic  {:mvn/version "1.4.11"}
+  org.slf4j/log4j-over-slf4j  {:mvn/version "1.7.36"}
+  flathead/flathead  {:mvn/version "0.0.6"}
+  integrant/integrant  {:mvn/version "0.8.1"}
+  hikari-cp/hikari-cp  {:mvn/version "2.14.0"}
+  org.postgresql/postgresql  {:mvn/version "42.6.0"}
+  org.clojure/java.jdbc  {:mvn/version "0.7.12"}
+  org.clojure/data.csv  {:mvn/version "1.0.1"}
+  http-kit/http-kit  {:mvn/version "2.7.0"}
+  ring/ring-core  {:mvn/version "1.10.0"}
+  javax.servlet/servlet-api  {:mvn/version "2.5"}
+  org.clojure/tools.logging  {:mvn/version "1.2.4"}
+  prismatic/schema  {:mvn/version "1.4.1"}
+  metosin/reitit-ring  {:mvn/version "0.6.0"}
+  metosin/reitit-swagger  {:mvn/version "0.6.0"}
+  metosin/reitit-swagger-ui  {:mvn/version "0.6.0"}
+  metosin/reitit-middleware  {:mvn/version "0.6.0"}
+  metosin/reitit-dev  {:mvn/version "0.6.0"}
+  metosin/reitit-schema  {:mvn/version "0.6.0"}
+  metosin/muuntaja  {:mvn/version "0.6.8"}
+  metosin/jsonista  {:mvn/version "0.3.7"}
+  metosin/schema-tools  {:mvn/version "0.13.1"}
+  ;; TODO Spec-tools can be removed when the issue below has been fixed:
+  ;; https://github.com/metosin/reitit/issues/355
+  metosin/spec-tools  {:mvn/version "0.10.6"}
+  webjure/jeesql  {:mvn/version "0.4.7"}
+  clj-http/clj-http  {:mvn/version "3.12.3"}
+  buddy/buddy-core  {:mvn/version "1.11.423"}
+  buddy/buddy-sign  {:mvn/version "3.5.351"}
+  buddy/buddy-hashers  {:mvn/version "2.0.167"}
+  org.apache.poi/poi  {:mvn/version "5.2.3"}
+  org.apache.poi/poi-ooxml  {:mvn/version "5.2.3"}
+  org.apache.pdfbox/pdfbox  {:mvn/version "2.0.29"}
+  puumerkki/puumerkki  {:mvn/version "0.9.2"
+  :exclusions [ring/ring
+  ring/ring-core
+  ring/ring-defaults
+  hiccup/hiccup
+  clj-http/clj-http
+  ring/ring-jetty-adapter
+  org.clojure/data.json]}
+  org.clojure/core.match  {:mvn/version "1.0.1"}
+  com.cognitect.aws/api  {:mvn/version "0.8.686"}
+  com.cognitect.aws/endpoints  {:mvn/version "1.1.12.504"}
+  com.cognitect.aws/s3  {:mvn/version "848.2.1413.0"}
+  de.ubercode.clostache/clostache  {:mvn/version "1.4.0"}
+  commonmark-hiccup/commonmark-hiccup  {:mvn/version "0.3.0"}
 
- com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
- com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}
+  com.openhtmltopdf/openhtmltopdf-pdfbox  {:mvn/version "1.0.10"}
+  com.openhtmltopdf/openhtmltopdf-slf4j  {:mvn/version "1.0.10"}
 
- ;; Contains vulnerable version of batik-* libraries, exclude those
- ;; and add direct dependency to newer versions
- com.openhtmltopdf/openhtmltopdf-svg-support
- {:mvn/version "1.0.10"
- :exclusions [org.apache.xmlgraphics/batik-transcoder
- org.apache.xmlgraphics/batik-codec
- org.apache.xmlgraphics/batik-ext]}
- org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.17"}
- org.apache.xmlgraphics/batik-codec {:mvn/version "1.17"}
- org.apache.xmlgraphics/batik-ext {:mvn/version "1.17"}
+  ;; Contains vulnerable version of batik-* libraries, exclude those
+  ;; and add direct dependency to newer versions
+  com.openhtmltopdf/openhtmltopdf-svg-support
+  {:mvn/version "1.0.10"
+  :exclusions [org.apache.xmlgraphics/batik-transcoder
+  org.apache.xmlgraphics/batik-codec
+  org.apache.xmlgraphics/batik-ext]}
+  org.apache.xmlgraphics/batik-transcoder  {:mvn/version "1.17"}
+  org.apache.xmlgraphics/batik-codec  {:mvn/version "1.17"}
+  org.apache.xmlgraphics/batik-ext  {:mvn/version "1.17"}
 
- ;; Non-alpha version does not support xml namespaces
- org.clojure/data.xml {:mvn/version "0.2.0-alpha8"}
- camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"}
- com.jcraft/jsch {:mvn/version "0.1.55"}
- com.sun.mail/javax.mail {:mvn/version "1.6.2"}
+  ;; Non-alpha version does not support xml namespaces
+  org.clojure/data.xml  {:mvn/version "0.2.0-alpha8"}
+  camel-snake-kebab/camel-snake-kebab  {:mvn/version "0.4.3"}
+  com.jcraft/jsch  {:mvn/version "0.1.55"}
+  com.sun.mail/javax.mail  {:mvn/version "1.6.2"}
 
- org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.1"}
- org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.1"}
- com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.2"}
- org.apache.axis/axis {:mvn/version "1.4"}
- commons-io/commons-io {:mvn/version "2.13.0"}
- ;; commons-discovery is needed by some other library dynamically at runtime
- ;; related to suomi.fi-viestit implementation
- commons-discovery/commons-discovery {:mvn/version "0.5"}
- com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
- kovacnica/clojure.network.ip {:mvn/version "0.1.3"}}
- :aliases {:dev {:extra-paths ["src/test/clj"
- "src/test/resources"
- "src/dev/clj"]
- :extra-deps {integrant/repl {:mvn/version "0.3.3"}
- eftest/eftest {:mvn/version "0.6.0"}
- prismatic/schema-generators {:mvn/version "0.1.5"}
- ring/ring-mock {:mvn/version "0.4.0"}
- org.xmlunit/xmlunit-core {:mvn/version "2.9.1"}}
- :jvm-opts ["-Djava.awt.headless=true"]}
- :test {:main-opts ["-e" "(run-tests-and-exit!)" "-A:dev"]}
- :test-ci {:main-opts ["-e" "(run-tests-with-junit-reporter-and-exit!)" "-A:dev"]}
- :coverage {:extra-deps {cloverage/cloverage {:mvn/version "1.2.4"}}
- :main-opts ["-m" "cloverage.coverage -p src/main -s src/test -e solita.etp.api.* -e user"]}
- :jar {:extra-deps {seancorfield/depstar {:mvn/version "1.1.136"}}
- :main-opts ["-m" "hf.depstar.jar" "target/etp-backend.jar"]}
- :uberjar {:extra-deps {uberdeps/uberdeps {:mvn/version "0.1.8"}}
- :main-opts ["-m" "uberdeps.uberjar"]}
- :deploy {:extra-deps {slipset/deps-deploy {:mvn/version "0.2.1"}}
- :main-opts ["-m" "deps-deploy.deps-deploy" "deploy"
- "target/etp-backend.jar"]}
- :outdated {:extra-deps {com.github.liquidz/antq {:mvn/version "2.5.1109"}}
- :main-opts ["-m" "antq.core"]}
- :lint {:extra-deps {clj-kondo/clj-kondo {:mvn/version "2023.09.07"}}
- :main-opts ["-m" "clj-kondo.main" "--lint" "src"]}}}
+ org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.1"}
+ org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.1"}
+ com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.2"}
+ org.apache.axis/axis {:mvn/version "1.4"}
+ commons-io/commons-io {:mvn/version "2.13.0"}
+ ;; commons-discovery is needed by some other library dynamically at runtime
+ ;; related to suomi.fi-viestit implementation
+ commons-discovery/commons-discovery {:mvn/version "0.5"}
+ com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
+ kovacnica/clojure.network.ip {:mvn/version "0.1.3"
+ :exclusions [org.clojure/clojurescript]}}
+ :aliases {:dev {:extra-paths ["src/test/clj"
+ "src/test/resources"
+ "src/dev/clj"]
+ :extra-deps {integrant/repl {:mvn/version "0.3.3"}
+ eftest/eftest {:mvn/version "0.6.0"}
+ prismatic/schema-generators {:mvn/version "0.1.5"}
+ ring/ring-mock {:mvn/version "0.4.0"}
+ org.xmlunit/xmlunit-core {:mvn/version "2.9.1"}}
+ :jvm-opts ["-Djava.awt.headless=true"]}
+ :test {:main-opts ["-e" "(run-tests-and-exit!)" "-A:dev"]}
+ :test-ci {:main-opts ["-e" "(run-tests-with-junit-reporter-and-exit!)" "-A:dev"]}
+ :coverage {:extra-deps {cloverage/cloverage {:mvn/version "1.2.4"}}
+ :main-opts ["-m" "cloverage.coverage -p src/main -s src/test -e solita.etp.api.* -e user"]}
+ :jar {:extra-deps {seancorfield/depstar {:mvn/version "1.1.136"}}
+ :main-opts ["-m" "hf.depstar.jar" "target/etp-backend.jar"]}
+ :uberjar {:extra-deps {uberdeps/uberdeps {:mvn/version "0.1.8"}}
+ :main-opts ["-m" "uberdeps.uberjar"]}
+ :deploy {:extra-deps {slipset/deps-deploy {:mvn/version "0.2.1"}}
+ :main-opts ["-m" "deps-deploy.deps-deploy" "deploy"
+ "target/etp-backend.jar"]}
+ :outdated {:extra-deps {com.github.liquidz/antq {:mvn/version "2.5.1109"}}
+ :main-opts ["-m" "antq.core"]}
+ :lint {:extra-deps {clj-kondo/clj-kondo {:mvn/version "2023.09.07"}}
+ :main-opts ["-m" "clj-kondo.main" "--lint" "src"]}}}
diff --git a/etp-backend/nvd_suppressions.xml b/etp-backend/nvd_suppressions.xml
@@ -41,6 +41,14 @@
  <packageUrl regex="true">^pkg:maven/org\.apache\.axis/axis@.*$</packageUrl>
  <vulnerabilityName>CVE-2007-2353</vulnerabilityName>
  </suppress>
+ <!-- ServiceFactory.getService is vulnerable. We don't use it. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: axis-1.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.axis/axis@.*$</packageUrl>
+ <vulnerabilityName>CVE-2023-40743</vulnerabilityName>
+ </suppress>
 
  <!-- CVE itself is false -->
  <suppress>