Fixed CVE issue on spring-core

81d7d0c6 · cdanger · f27ebd3b · 81d7d0c6 · 81d7d0c6 · 81d7d0c6
Commit 81d7d0c6 authored Jul 12, 2018 by cdanger
--- a/owasp-dependency-check-suppression.xml
+++ b/owasp-dependency-check-suppression.xml
@@ -10,4 +10,13 @@
      <cve>CVE-2007-6059</cve>
      <cve>CVE-2015-9097</cve>
   </suppress>
-</suppressions>
\ No newline at end of file
+   
+   <suppress>
+      <notes><![CDATA[
+      file name: spring-core-4.3.17.RELEASE.jar,
+      false positive for CVE-2018-1258
+      ]]></notes>
+     <gav>org.springframework:spring-core:4.3.17.RELEASE</gav> 
+     <cve>CVE-2018-1258</cve>
+   </suppress>
+</suppressions>
--- a/pdp-engine/pom.xml
+++ b/pdp-engine/pom.xml
@@ -31,9 +31,6 @@
 				etc. -->
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-core</artifactId>
-			<!-- Mitigation for CVE-2018-1257, CVE-2018-1258, CVE-2018-1275, CVE-2018-1271, CVE-2018-1270, CVE-2018-1272.
- 			TODO: fix it in authzforce-ce-parent's managed version -->
-			<version>4.3.17.RELEASE</version>
 		</dependency>
 		<dependency>
 			<!-- For loading XML schemas with OASIS catalog (CatalogManager) -->

--- a/pdp-testutils/owasp-dependency-check-suppression.xml
+++ b/pdp-testutils/owasp-dependency-check-suppression.xml
@@ -10,4 +10,13 @@
      <cve>CVE-2007-6059</cve>
      <cve>CVE-2015-9097</cve>
   </suppress>
-</suppressions>
\ No newline at end of file
+
+ <suppress>
+	       <notes><![CDATA[
+		             file name: spring-core-4.3.17.RELEASE.jar,
+			           false positive for CVE-2018-1258
+				         ]]></notes>
+				      <gav>org.springframework:spring-core:4.3.17.RELEASE</gav>
+				           <cve>CVE-2018-1258</cve>
+					      </suppress>
+</suppressions>
--- a/pom.xml
+++ b/pom.xml
@@ -36,6 +36,13 @@
            <version>15.2.0</version>
         </dependency>
         <!-- /AuthzForce dependencies -->
+	 <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+	    <!-- Mitigation for CVE-2018-1257, CVE-2018-1258, CVE-2018-1275, CVE-2018-1271, CVE-2018-1270, CVE-2018-1272.
+		                         TODO: fix it in authzforce-ce-parent's managed version -->
+	    <version>4.3.17.RELEASE</version>
+         </dependency>
         <!-- Test dependencies -->
         <dependency>
            <groupId>junit</groupId>