From feb8460872030b0faeab59597d3dfc7e7b5c25d8 Mon Sep 17 00:00:00 2001
From: Joze RIHTARSIC <joze.RIHTARSIC@ext.ec.europa.eu>
Date: Thu, 3 Nov 2022 10:23:09 +0100
Subject: [PATCH] OWASP fix

---
 owasp-false-positive-warnings.xml                      | 10 +++++-----
 pom.xml                                                | 10 +++++-----
 .../edelivery/smp/services/ui/UITruststoreService.java |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/owasp-false-positive-warnings.xml b/owasp-false-positive-warnings.xml
index 9974d484f..5ce76ba0d 100644
--- a/owasp-false-positive-warnings.xml
+++ b/owasp-false-positive-warnings.xml
@@ -2,16 +2,16 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-      file name: spring-security-crypto-5.7.2.jar
-      ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@5.7.2$</packageUrl>
+   file name: spring-security-crypto-5.7.5.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file names for spring framework: spring-*-5.3.21.jar
+   file name: spring-web-5.3.23.jar
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(core|web|oap)@5.3.21.*$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
         <cve>CVE-2016-1000027</cve>
     </suppress>
 </suppressions>
\ No newline at end of file
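Review bot: Both `packageUrl` patterns in this hunk now end in `@.*$` (lines 25 and 34), so CVE-2020-5408 and CVE-2016-1000027 are suppressed for every past and future version of spring-security-crypto and spring-web, while the accompanying notes still name a single jar and give no reason the findings do not apply. Suppressing a genuine false positive by CVE rather than by pinned version is a defensible choice, but then the justification has to live in the file, otherwise the next upgrade inherits a silent, permanent exclusion with no way to re-check it. I would replace `file name: spring-web-5.3.23.jar` (and the spring-security-crypto note) with a line stating why the CVE is not applicable to this deployment plus a ticket or link, and add the schema's `until="YYYY-MM-DD"` attribute on each `<suppress>` so the exclusion is re-examined on a date instead of living forever. The first note's CDATA indentation also drifted from six spaces to three; harmless, but worth aligning with the second entry.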
diff --git a/pom.xml b/pom.xml
index bfd53d569..365ec4394 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,7 +35,7 @@
         <maven.compiler.target>1.8</maven.compiler.target>
         <maven.compiler.source>1.8</maven.compiler.source>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <edelivery.ssl-auth.version>1.11</edelivery.ssl-auth.version>
+        <edelivery.ssl-auth.version>1.12-SNAPSHOT</edelivery.ssl-auth.version>
 
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <ant-commons-net.version>1.6.5</ant-commons-net.version>
@@ -59,8 +59,8 @@
         <hibernate.validator.version>7.0.1.Final</hibernate.validator.version>
         <hibernate.version>5.6.9.Final</hibernate.version>
         <httpclient.version>4.5.13</httpclient.version>
-        <jackson-databind.version>2.13.3</jackson-databind.version>
-        <jackson.version>2.13.3</jackson.version>
+        <jackson-databind.version>2.13.4.2</jackson-databind.version>
+        <jackson.version>2.13.4</jackson.version>
         <javaee-api.version>7.0</javaee-api.version>
         <javax.annotation.version>1.3.2</javax.annotation.version>
         <javax.mail.version>1.6.2</javax.mail.version>
@@ -78,8 +78,8 @@
         <soapui.plugin.version>5.1.2</soapui.plugin.version>
         <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
         <spring.boot.version>2.7.4</spring.boot.version>
-        <spring.security.version>5.7.2</spring.security.version>
-        <spring.version>5.3.21</spring.version>
+        <spring.security.version>5.7.5</spring.security.version>
+        <spring.version>5.3.23</spring.version>
         <xmlunit.version>2.9.0</xmlunit.version>
 
         <!-- plugins -->
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
index 11d51b349..f074781ce 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
@@ -255,7 +255,7 @@ public class UITruststoreService {
         Pattern subjectRegExp = configurationService.getCertificateSubjectRegularExpression();
         List<String> allowedCertificatePolicies = configurationService.getAllowedCertificatePolicies();
         CertificateValidator certificateValidator = new CertificateValidator(
-                null, truststore,
+                Collections.emptyList(), truststore,
                 subjectRegExp != null ? subjectRegExp.pattern() : null,
                 allowedCertificatePolicies != null ? allowedCertificatePolicies : Collections.emptyList());
         LOG.debug("Validate certificate with truststore, subject regexp [{}] and allowed certificate policies [{}]", subjectRegExp, allowedCertificatePolicies);
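Review bot: Passing `Collections.emptyList()` instead of `null` as the first `CertificateValidator` argument on line 83 may change validation semantics if the validator treats an absent list as "no restriction" and an empty list as "nothing allowed"; the hunk does not show what that parameter controls and the commit title "OWASP fix" does not name the finding being addressed, so the intent is not recoverable from the change. Please add a one-line comment above the call, e.g. `// empty list rather than null: <what the first argument controls and why an empty value is the intended default>`, or reference the finding in the commit message. The two remaining arguments already normalise null inline with a ternary, so the new line is consistent in style with them. The enclosing method starts and ends outside the hunk.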
-- 
GitLab