eu-federation-gateway-service / efgs-federation-gateway

The goal of this project is to develop the official European solution for the interoperability between national backend servers of decentralised contact tracing applications to combat COVID-19.
Apache License 2.0

Build fails on tomcat-embed-core #229

Closed ryanbnl closed 3 years ago

ryanbnl commented 4 years ago

Tested on:

The maven build is failing due to the CVE check:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  30.394 s
[INFO] Finished at: 2020-10-27T13:41:44+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.2:check (validate) on project efgs-federation-gateway:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] tomcat-embed-core-9.0.38.jar: CVE-2020-13943
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR]
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

For some strange reason it is not failing on OSX.

ryanbnl commented 4 years ago

The workaround is to remove the owasp plugin from pom.xml; then the build works on Ubuntu but fails on Windows (see my other ticket!).

dfischer-tech commented 3 years ago

Could be closed as we added CVE-2020-13943 to the OWASP suppression list in: https://github.com/eu-federation-gateway-service/efgs-federation-gateway/commit/abfba57c8efb1fbbbf553f4dc10d1a4ae5d4b2c3
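For readers who hit the same dependency-check failure, here is an illustrative example (added for this page, not the project's actual commit) of a suppression scoped to the one artifact and CVE named in the log, together with the plugin wiring; the file name `owasp-suppressions.xml`, the `until` expiry date and the `failBuildOnCVSS` threshold are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml (assumed file name), referenced from pom.xml below -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Scope the suppression to exactly one package and one CVE, and give it an
       expiry so the build starts failing again once the upgrade is overdue. -->
  <suppress until="2021-01-31Z">
    <notes><![CDATA[
      tomcat-embed-core-9.0.38.jar flagged for CVE-2020-13943 by dependency-check 6.0.2.
      Temporary suppression until the Spring Boot / Tomcat dependency is bumped;
      do not widen this to a blanket package or CVE suppression.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-core@.*$</packageUrl>
    <cve>CVE-2020-13943</cve>
  </suppress>
</suppressions>

<!-- pom.xml fragment: keep the plugin (rather than removing it as a workaround)
     and point it at the suppression file. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.0.2</version>
  <configuration>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- assumed threshold: fail on any finding of CVSS 7.0 or higher -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <id>validate</id>
      <phase>validate</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Re-running `mvn verify` then passes while the suppression is in force, and the `until` date makes the scan fail again if the Tomcat upgrade is forgotten.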