

Added suppressions for CVEs out of our control.
Updated dependencies beanmapper, beanmapper-spring, spring-boot.

- Modified tests to use the `configuration()` accessor that is automatically generated for the BeanMapper record.
- Updated maven.yml
marcus-talbot42 committed Sep 15, 2022
1 parent 5295ed1 commit d79ff1d
Showing 5 changed files with 43 additions and 48 deletions.
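--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -10,26 +10,7 @@ on:
 branches: [ master ]
 
 jobs:
-build:
-
-runs-on: ubuntu-latest
-
-steps:
-- name: Repository checkout
-uses: actions/checkout@v2
-- name: Cache local Maven repository
-uses: actions/cache@v2
-with:
-path: ~/.m2/repository
-key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-restore-keys: ${{ runner.os }}-maven-
-- name: Set up JDK 1.8
-uses: actions/setup-java@v1
-with:
-java-version: 1.8
-- name: OWASP dependency checks
-run: mvn dependency-check:check
-- name: Build with Maven
-run: mvn clean verify -Dgpg.skip
-- name: Code coverage with Codecov
-uses: codecov/codecov-action@v1
+call-workflow:
+uses: 42BV/42-github-workflows/.github/workflows/maven-test.yml@main
+with:
+java-version: 17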
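Review bot: The new `uses:` line references the reusable workflow by the mutable `@main` ref, so any push to 42BV/42-github-workflows immediately changes what executes in this repository's CI, together with any secrets the caller grants it; reference it by a full commit SHA (or at least an immutable release tag), e.g. `uses: 42BV/42-github-workflows/.github/workflows/maven-test.yml@<full-commit-sha>`, and let Dependabot or Renovate bump the pin. The removed job ran `mvn dependency-check:check` as an explicit step, and whether `maven-test.yml` still runs the OWASP check is not visible here; confirm it does, otherwise the `dependency-check-maven` configuration and `owasp-suppressions.xml` kept in this repository are no longer enforced by CI.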
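--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Upgrades
+- Upgraded beanmapper(4.0.0), beanmapper-spring(4.0.0) and spring-boot(2.7.3) dependencies.
 
 ## [3.2.0] - 2020-12-16
 ### Upgrades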
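--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -1,8 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<suppress base="true">
+<notes><![CDATA[ False positive - spring security crypto version not in CVE description ]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-crypto@.*$</packageUrl>
+<cve>CVE-2020-5408</cve>
+</suppress>
+<suppress>
+<notes> spring-core-5.3.20.jar and spring-tx-5.3.20.jar, waiting for fix from spring</notes>
+<cve>CVE-2016-1000027</cve>
+</suppress>
 <suppress>
-<notes>This is all about lower versions of the springframework.</notes>
-<filePath regex="true">.*\bspring-security.*-5\.4\.2\.jar</filePath>
-<cve>CVE-2018-1258</cve>
+<notes>Fails due to snakeyaml-1.30, waiting for fix from spring</notes>
+<cve>CVE-2022-38752</cve>
+<cve>CVE-2022-38750</cve>
+<cve>CVE-2022-38751</cve>
+<cve>CVE-2022-38749</cve>
+<cve>CVE-2022-25857</cve>
 </suppress>
 </suppressions>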
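Review bot: The two new `<suppress>` blocks for CVE-2016-1000027 and the five snakeyaml CVEs carry no `<packageUrl>`, `<gav>` or `<filePath>` selector, so dependency-check suppresses those CVEs for every artifact it scans, not just the spring-core/spring-tx and snakeyaml jars the notes describe; the note is informational, the selector is what is enforced. Scope them the way the CVE-2020-5408 entry above already does, e.g. `<packageUrl regex="true">^pkg:maven/org\.springframework/spring-(core|tx)@.*$</packageUrl>` and `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>`, and since both notes say "waiting for fix" give each an expiry such as `<suppress until="2023-03-01Z">` so the finding resurfaces instead of the suppression silently outliving its reason. The snakeyaml issues are fixed in releases newer than 1.30; if the Spring Boot dependency management this POM uses exposes the `snakeyaml.version` property, overriding it to a patched release would be preferable to suppressing the CVEs at all.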
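--- a/pom.xml
+++ b/pom.xml
@@ -56,15 +56,15 @@
 <properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-<maven.compiler.source>1.8</maven.compiler.source>
-<maven.compiler.target>1.8</maven.compiler.target>
+<maven.compiler.source>17</maven.compiler.source>
+<maven.compiler.target>17</maven.compiler.target>
 
-<spring.boot.version>2.4.1</spring.boot.version>
-<beanmapper.version>3.1.0</beanmapper.version>
-<beanmapper.spring.version>3.1.0</beanmapper.spring.version>
+<spring.boot.version>2.7.3</spring.boot.version>
+<beanmapper.version>4.0.0</beanmapper.version>
+<beanmapper.spring.version>4.0.0</beanmapper.spring.version>
 
 <maven.release.plugin.version>2.5.3</maven.release.plugin.version>
-<maven.scm.provider.gitexe.version>1.9.2</maven.scm.provider.gitexe.version>
+<maven.scm.provider.gitexe.version>1.13.0</maven.scm.provider.gitexe.version>
 </properties>
 
 <dependencies>
@@ -139,7 +139,7 @@
 <plugin>
 <groupId>org.sonatype.plugins</groupId>
 <artifactId>nexus-staging-maven-plugin</artifactId>
-<version>1.6.7</version>
+<version>1.6.8</version>
 <extensions>true</extensions>
 <configuration>
 <serverId>sonatype-nexus-staging</serverId>
@@ -150,7 +150,7 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-javadoc-plugin</artifactId>
-<version>2.9.1</version>
+<version>3.4.1</version>
 <executions>
 <execution>
 <id>attach-javadocs</id>
@@ -177,7 +177,7 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-source-plugin</artifactId>
-<version>2.2.1</version>
+<version>3.2.1</version>
 <executions>
 <execution>
 <id>attach-sources</id>
@@ -190,7 +190,7 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-gpg-plugin</artifactId>
-<version>1.5</version>
+<version>3.0.1</version>
 <executions>
 <execution>
 <id>sign-artifacts</id>
@@ -204,7 +204,7 @@
 <plugin>
 <groupId>org.jacoco</groupId>
 <artifactId>jacoco-maven-plugin</artifactId>
-<version>0.8.6</version>
+<version>0.8.8</version>
 <executions>
 <execution>
 <goals>
@@ -223,7 +223,7 @@
 <plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
-<version>6.0.3</version>
+<version>7.1.2</version>
 <configuration>
 <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
 <skipProvidedScope>true</skipProvidedScope>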
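Review bot: Raising `maven.compiler.source`/`maven.compiler.target` from 1.8 to 17 in the first hunk makes the published artifact unloadable on Java 8 and 11 runtimes, which for a library is a breaking change; under the Semantic Versioning the CHANGELOG declares this calls for a major version, and the Unreleased entry, which lists only dependency upgrades, should state the new Java 17 minimum. Since the build now targets 17 anyway, a single `<maven.compiler.release>17</maven.compiler.release>` is preferable to separate source/target properties, because `--release` also rejects accidental use of JDK APIs newer than the target. The remaining hunks are plugin version bumps and need no change.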
Original file line number Diff line number Diff line change
Expand Up @@ -82,14 +82,14 @@ public void autoconfig_shouldCreateBeanMapper_withDefaultUnproxy_whenEnvIsSet()
public void autoconfig_shouldRegisterCollectionHandler_ifScanned() {
loadApplicationContext(BEANMAPPER_USE_HIBERNATE_UNPROXY_PROP);
BeanMapper mapper = context.getBean(BeanMapper.class);
List<CollectionHandler> customCollectionHandlers = mapper.getConfiguration().getCollectionHandlers()
List<CollectionHandler> customCollectionHandlers = mapper.configuration().getCollectionHandlers()
.stream()
.filter(handler ->
handler.getType().equals(TestEntity.class) ||
handler.getType().equals(TestEntity2.class))
.collect(toList());
assertEquals(2, customCollectionHandlers.size());
TestCollectionHandlerWithAppCtx collectionHandler = (TestCollectionHandlerWithAppCtx)mapper.getConfiguration().getCollectionHandlerFor(TestEntity2.class);
TestCollectionHandlerWithAppCtx collectionHandler = (TestCollectionHandlerWithAppCtx)mapper.configuration().getCollectionHandlerFor(TestEntity2.class);
assertNotNull(collectionHandler.getApplicationContext());
}

Expand All @@ -98,7 +98,7 @@ public void autoconfig_shouldSetSecurityChecks() {
loadApplicationContext(ConfigWithSecurity.class);
BeanMapper mapper = context.getBean(BeanMapper.class);

assertTrue(mapper.getConfiguration().getRoleSecuredCheck() instanceof SpringRoleSecuredCheck);
assertTrue(mapper.configuration().getRoleSecuredCheck() instanceof SpringRoleSecuredCheck);
}


Expand All @@ -108,28 +108,28 @@ public void autoconfig_shouldNotSetSecurityChecks_ifSpringSecurityIsMissingFromC
loadApplicationContext(ConfigWithSecurity.class, new NoSpringSecurityClassLoader());
BeanMapper mapper = context.getBean(BeanMapper.class);

assertFalse(mapper.getConfiguration().getRoleSecuredCheck() instanceof SpringRoleSecuredCheck);
assertFalse(mapper.configuration().getRoleSecuredCheck() instanceof SpringRoleSecuredCheck);
}

@Test
public void autoconfig_shouldLoadIdToEntityBeanConverterAndHibernateUnproxy_withSpringDataOnClassPath() {
loadApplicationContext(ConfigWithSpringData.class);
BeanMapper mapper = context.getBean(BeanMapper.class);
List<BeanConverter> beanConverters = mapper.getConfiguration().getBeanConverters();
List<BeanConverter> beanConverters = mapper.configuration().getBeanConverters();
assertTrue(beanConverters.stream().anyMatch(c -> c instanceof IdToEntityBeanConverter));

BeanUnproxy unproxyDelegate = (BeanUnproxy) getField(mapper.getConfiguration().getBeanUnproxy(), "delegate");
BeanUnproxy unproxyDelegate = (BeanUnproxy) getField(mapper.configuration().getBeanUnproxy(), "delegate");
assertTrue(unproxyDelegate instanceof HibernateAwareBeanUnproxy);
}

@Test
public void autoconfig_shouldNotLoadIdToEntityBeanConverterAndHibernateUnproxy_withoutSpringDataOnClassPath() {
loadApplicationContext(ConfigWithSpringData.class, new NoSpringDataClassLoader());
BeanMapper mapper = context.getBean(BeanMapper.class);
List<BeanConverter> beanConverters = mapper.getConfiguration().getBeanConverters();
List<BeanConverter> beanConverters = mapper.configuration().getBeanConverters();
assertFalse(beanConverters.stream().anyMatch(c -> c instanceof IdToEntityBeanConverter));

BeanUnproxy unproxyDelegate = (BeanUnproxy) getField(mapper.getConfiguration().getBeanUnproxy(), "delegate");
BeanUnproxy unproxyDelegate = (BeanUnproxy) getField(mapper.configuration().getBeanUnproxy(), "delegate");
assertFalse(unproxyDelegate instanceof HibernateAwareBeanUnproxy);
assertTrue(unproxyDelegate instanceof DefaultBeanUnproxy);
}
Expand Down Expand Up @@ -194,7 +194,7 @@ private void assertBeanMapper(int expectedNumberOfPackagePrefixes, int expectedN

private void assertBeanMapper(int expectedNumberOfPackagePrefixes, int expectedNumberOfConverters, boolean hibernateUnproxy) {
BeanMapper mapper = context.getBean(BeanMapper.class);
io.beanmapper.config.Configuration config = mapper.getConfiguration();
io.beanmapper.config.Configuration config = mapper.configuration();
assertEquals(expectedNumberOfPackagePrefixes, config.getPackagePrefixes().size());
if (expectedNumberOfPackagePrefixes == 1) {
assertEquals("io.beanmapper.autoconfigure", config.getPackagePrefixes().get(0));
Expand Down

