essepuntato / LODE

Live OWL Documentation Environment, to convert OWL ontologies into HTML human-readable pages.
ISC License
106 stars 55 forks source link

OWASP dependency check #40

Open gnespolino opened 2 years ago

gnespolino commented 2 years ago

Expected - pom.xml should contain OWASP dependency check plugin

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.0.1</version>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

OWASP check output:

One or more dependencies were identified with known vulnerabilities in LODE:

commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.3, cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2014-0114, CVE-2019-10086
commons-io-2.4.jar (pkg:maven/commons-io/commons-io@2.4, cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
guava-18.0.jar (pkg:maven/com.google.guava/guava@18.0, cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
guice-4.0-beta.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@11.0.1, cpe:2.3:a:google:guava:11.0.1:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
httpclient-4.2.3.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.3, cpe:2.3:a:apache:httpclient:4.2.3:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262, CVE-2020-13956
httpclient-cache-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient-cache@4.2.5, cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956
jackson-databind-2.3.3.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.3, cpe:2.3:a:fasterxml:jackson-databind:2.3.3:*:*:*:*:*:*:*) : CVE-2017-7525, CVE-2018-7489, CVE-2020-35490, CVE-2020-35491, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004
jena-core-2.10.1.jar (pkg:maven/org.apache.jena/jena-core@2.10.1, cpe:2.3:a:apache:jena:2.10.1:*:*:*:*:*:*:*) : CVE-2021-39239, CVE-2022-28890
jena-iri-0.9.6.jar (pkg:maven/org.apache.jena/jena-iri@0.9.6, cpe:2.3:a:apache:jena:0.9.6:*:*:*:*:*:*:*) : CVE-2021-39239, CVE-2022-28890
jquery.js (pkg:javascript/jquery@1.6.2) : CVE-2011-4969, CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9493, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
org.apache.commons.io-2.4.jar (pkg:maven/org.apache.directory.studio/org.apache.commons.io@2.4, cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*, cpe:2.3:a:apache:directory_studio:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
owlapi-distribution-4.0.2.jar (pkg:maven/net.sourceforge.owlapi/owlapi-distribution@4.0.2, cpe:2.3:a:apache:commons-httpclient:4.0.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_io:4.0.2:*:*:*:*:*:*:*, cpe:2.3:a:binary_project:binary:4.0.2:*:*:*:*:*:*:*) : CVE-2012-6153
owlapi-distribution-4.0.2.jar: httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5, cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262, CVE-2020-13956
owlapi-distribution-4.0.2.jar: xz-1.5.jar (cpe:2.3:a:tukaani:xz:1.5:*:*:*:*:*:*:*) : CVE-2015-4035
xercesImpl-2.11.0.jar (pkg:maven/xerces/xercesImpl@2.11.0, cpe:2.3:a:apache:xerces2_java:2.11.0:*:*:*:*:*:*:*) : CVE-2012-0881, CVE-2013-4002, CVE-2017-10355, CVE-2022-23437
giorgialodi commented 2 years ago

@luigi-asprino @alessandro-russo secondo voi possiamo fare qualcosa per questo?