From 7bcde5d43956acf119b16bd5ac9544eb58c479f6 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 27 Nov 2017 21:14:34 -0500 Subject: [PATCH 1/7] move non-test dependency version numbers to properties --- dependency-check-core/pom.xml | 3 +- dependency-check-maven/pom.xml | 17 +++-- pom.xml | 127 ++++++++++++++++++++++++--------- 3 files changed, 104 insertions(+), 43 deletions(-) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index be1c2cd6e..3df269715 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -248,7 +248,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. com.google.code.gson gson - + org.apache.maven.scm maven-scm-provider-cvsexe diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 0a238dcbb..05b423b25 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -184,7 +184,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.shared maven-artifact-transfer - 0.9.0 @@ -200,14 +199,14 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.plugins maven-invoker-plugin - 3.0.1 - - - org.codehaus.groovy - groovy-all - 2.4.11 - - + 4 diff --git a/pom.xml b/pom.xml index 86da3e0be..c6575e51e 100644 --- a/pom.xml +++ b/pom.xml @@ -132,6 +132,50 @@ Copyright (c) 2012 - Jeremy Long 3.0 2.17 3.6 + 1.7 + 1.8 + 2.10 + 2.10.4 + 2.5 + 2.9 + 2.19.1 + 0.7.9 + 3.0.4 + 2.4 + 2.3 + + + 1.6 + 3.0.1u2 + 2.4 + 1.4.196 + 1.4 + 2.5 + + + 3.4 + 1.5.6 + 4.12 + 1.3 + 1.27 + + 1.10.2 + 1.14 + 3.0.0 + 3.3.0 + 3.5 + 3.0 + 3.2.2 + 1.7 + 1.4 + + + 2.2 + + 1.0.4 + 0.9.0 + + @@ -255,6 +299,18 @@ Copyright (c) 2012 - Jeremy Long maven-javadoc-plugin 2.10.4 + + org.apache.maven.plugins + maven-invoker-plugin + 3.0.1 + + + org.codehaus.groovy + groovy-all + 2.4.11 + + + @@ -460,7 +516,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.doxia doxia-module-markdown - 1.7 + ${doxia-module-markdown.version} 
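Review bot: The `maven-invoker-plugin` `3.0.1` and `groovy-all` `2.4.11` entries added to the root pom's pluginManagement (hunk at old line 255) stay hard-coded, although this commit's stated purpose is to move version numbers into properties, and the `maven-javadoc-plugin` `2.10.4` context line just above them now duplicates the new `maven-javadoc-plugin.version` property that the reporting section references. Declaring `<maven-invoker-plugin.version>3.0.1</maven-invoker-plugin.version>` and `<groovy-all.version>2.4.11</groovy-all.version>` in the new properties block and referencing them here would keep every managed version in one place and stop the two copies from drifting apart. The new property names also mix groupId-based keys (`${com.h2database.version}`, `${com.sun.mail.mailapi.version}`, `${org.glassfish.javax.json.version}`) with artifactId-based ones (`${commons-io.version}`, `${junit.version}`); settling on one scheme would make the block easier to audit against the dependency list.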
@@ -471,7 +527,7 @@ Copyright (c) 2012 - Jeremy Long false org.apache.maven.plugins maven-antrun-plugin - 1.8 + ${maven-antrun-plugin.version} copy-xsd @@ -498,12 +554,12 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-dependency-plugin - 2.10 + ${maven-dependency-plugin.version} org.apache.maven.plugins maven-javadoc-plugin - 2.10.4 + ${maven-javadoc-plugin.version} false Copyright© 2012-17 Jeremy Long. All Rights Reserved. @@ -520,12 +576,12 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-jxr-plugin - 2.5 + ${maven-jxr-plugin.version} org.apache.maven.plugins maven-project-info-reports-plugin - 2.9 + ${maven-project-info-reports-plugin.version} @@ -552,7 +608,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-surefire-report-plugin - 2.19.1 + ${maven-surefire-report-plugin.version} @@ -564,7 +620,7 @@ Copyright (c) 2012 - Jeremy Long org.jacoco jacoco-maven-plugin - 0.7.9 + ${jacoco-maven-plugin.version} target/coverage-reports/jacoco-ut.exec @@ -582,12 +638,12 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo findbugs-maven-plugin - 3.0.4 + ${findbugs-maven-plugin.version} org.codehaus.mojo taglist-maven-plugin - 2.4 + ${taglist-maven-plugin.version} @@ -611,7 +667,7 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo versions-maven-plugin - 2.3 + ${versions-maven-plugin.version} @@ -629,43 +685,43 @@ Copyright (c) 2012 - Jeremy Long joda-time joda-time - 1.6 + ${joda-time.version} com.google.code.findbugs annotations - 3.0.1u2 + ${com.google.code.findbugs.annotations.version} com.google.code.gson gson - 2.4 + ${com.google.code.gson.version} com.h2database h2 - 1.4.196 + ${com.h2database.version} commons-cli commons-cli - 1.4 + ${commons-cli.version} commons-io commons-io - 2.5 + ${commons-io.version} org.apache.commons commons-lang3 - 3.4 + ${commons-lang3.version} com.sun.mail mailapi - 1.5.6 + ${com.sun.mail.mailapi.version} ch.qos.logback 
@@ -680,13 +736,13 @@ Copyright (c) 2012 - Jeremy Long junit junit - 4.12 + ${junit.version} test org.apache.commons commons-compress - 1.14 + ${commons-compress.version} org.apache.ant @@ -731,7 +787,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.shared file-management - 3.0.0 + ${org.apache.maven.shared.file-management.version} org.apache.maven @@ -741,61 +797,61 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugin-testing maven-plugin-testing-harness - 3.3.0 + ${maven-plugin-testing-harness.version} org.apache.maven.plugin-tools maven-plugin-annotations - 3.5 + ${maven-plugin-annotations.version} org.apache.maven.reporting maven-reporting-api - 3.0 + ${maven-reporting-api.version} commons-collections commons-collections - 3.2.2 + ${commons-collections.version} org.apache.velocity velocity - 1.7 + ${org.apache.velocity.version} org.sonatype.plexus plexus-sec-dispatcher - 1.4 + ${plexus-sec-dispatcher.version} org.apache.maven.shared maven-dependency-tree - 2.2 + ${maven-dependency-tree.version} org.glassfish javax.json - 1.0.4 + ${org.glassfish.javax.json.version} org.hamcrest hamcrest-core - 1.3 + ${hamcrest-core.version} test org.jmockit jmockit - 1.27 + ${org.jmockit.version} test org.jsoup jsoup - 1.10.2 + ${jsoup.version} org.slf4j @@ -807,6 +863,11 @@ Copyright (c) 2012 - Jeremy Long slf4j-simple ${slf4j.version} + + org.apache.maven.shared + maven-artifact-transfer + ${maven-artifact-transfer.version} + From ae128c38ecbcc7f6b5ff5c63a44c7f8bd2366cc9 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 27 Nov 2017 22:29:25 -0500 Subject: [PATCH 2/7] configured version updates --- pom.xml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pom.xml b/pom.xml index c6575e51e..6170a5c7e 100644 --- a/pom.xml +++ b/pom.xml 
@@ -314,6 +314,27 @@ Copyright (c) 2012 - Jeremy Long + + org.codehaus.mojo + versions-maven-plugin + 2.4 + + + + false + + org.apache.maven.shared:maven-dependency-tree + joda-time:joda-time + org.apache.commons:commons-lang3 + + + post-clean + + update-properties + + + + org.apache.maven.plugins maven-compiler-plugin From 19c223161d63b796c3212398dbf5a46e82711c6f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 27 Nov 2017 22:35:07 -0500 Subject: [PATCH 3/7] fix plugin configuration --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index 6170a5c7e..2c9bc4a81 100644 --- a/pom.xml +++ b/pom.xml @@ -317,9 +317,13 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo versions-maven-plugin - 2.4 + 2.5 + post-clean + + update-properties + false @@ -328,10 +332,6 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons:commons-lang3 - post-clean - - update-properties - From a31dddf8ef5fbca1ebbd95fba29d470887531aa8 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 27 Nov 2017 22:45:56 -0500 Subject: [PATCH 4/7] updated config --- pom.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2c9bc4a81..1a0420bf4 100644 --- a/pom.xml +++ b/pom.xml @@ -320,7 +320,7 @@ Copyright (c) 2012 - Jeremy Long 2.5 - post-clean + pre-clean update-properties @@ -330,6 +330,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.shared:maven-dependency-tree joda-time:joda-time org.apache.commons:commons-lang3 + org.apache.lucene From 0a2bfcaed2d2624b840d8be6c34e9684f1661856 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 27 Nov 2017 23:14:17 -0500 Subject: [PATCH 5/7] upgrades --- .../analyzer/CentralAnalyzerTest.java | 4 +- pom.xml | 38 +++++++++---------- 2 files changed, 21 insertions(+), 21 deletions(-) 
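Review bot: Binding the versions-maven-plugin `update-properties` goal to a lifecycle phase (`post-clean` here, moved to `pre-clean` in patch 4/7) means every `mvn clean` rewrites the version properties in pom.xml from whatever the remote repository reports as newest, with no review step between the fetch and the value landing in the build file. That is how patch 5/7 ends up with `1.8.0-beta0` for slf4j and a `20040616` date-stamped commons-collections: as far as I know the goal does not skip pre-release qualifiers or unusual version schemes unless a version rules file is configured, and the `excludes` list here covers only three coordinates. I would invoke the goal on demand (a dedicated profile, or an explicit `mvn versions:update-properties`) rather than on a phase, and set `allowSnapshots` and `generateBackupPoms` explicitly so the rewritten properties always arrive as a reviewable diff. The single boolean `false` in this configuration has lost its element name in this rendering, so I cannot tell which of those it is.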
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java index f6a2f4fb9..2146d5cc8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java @@ -61,7 +61,7 @@ public class CentralAnalyzerTest { new Expectations() { { centralSearch.searchSha1(SHA1_SUM); - returns(expectedMavenArtifacts); + returns(expectedMavenArtifacts, expectedMavenArtifacts); } }; @@ -176,7 +176,7 @@ public class CentralAnalyzerTest { new Expectations() { { dependency.getSha1sum(); - returns(SHA1_SUM); + returns(SHA1_SUM, SHA1_SUM); } }; } diff --git a/pom.xml b/pom.xml index 1a0420bf4..d7b804fd9 100644 --- a/pom.xml +++ b/pom.xml @@ -125,55 +125,55 @@ Copyright (c) 2012 - Jeremy Long UTF-8 github 4.7.2 - 1.9.8 - 1.7.24 - 1.2.0 + 1.10.1 + 1.8.0-beta0 + 1.2.3 - 3.0 + 3.5.2 2.17 3.6 1.7 1.8 - 2.10 - 2.10.4 + 3.0.2 + 3.0.0-M1 2.5 2.9 - 2.19.1 + 2.20.1 0.7.9 - 3.0.4 + 3.0.5 2.4 - 2.3 + 2.5 1.6 3.0.1u2 - 2.4 + 2.8.2 1.4.196 1.4 - 2.5 + 2.6 3.4 - 1.5.6 + 1.6.0 4.12 1.3 - 1.27 + 1.37 - 1.10.2 - 1.14 + 1.11.2 + 1.15 3.0.0 3.3.0 3.5 3.0 - 3.2.2 + 20040616 1.7 1.4 2.2 - 1.0.4 - 0.9.0 + 1.1.2 + 0.9.1 @@ -237,7 +237,7 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo animal-sniffer-maven-plugin - 1.15 + 1.16 org.apache.maven.plugins From eddffaae3dbd7db41ff37f830bdf6ca574cdfb9b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 2 Dec 2017 06:54:40 -0500 Subject: [PATCH 6/7] updated versions and include new enforcer rule to validate class file formats of dependencies --- pom.xml | 48 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/pom.xml b/pom.xml index d7b804fd9..32cfce1c5 100644 --- a/pom.xml +++ b/pom.xml 
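Review bot: Two of the property bumps in the pom.xml hunk at old line 125 are regressions rather than upgrades: `3.2.2` → `20040616` for commons-collections replaces the release that disabled unsafe deserialization of the functor classes by default with a 2004 date-stamped build that predates that hardening, and `1.7.24` → `1.8.0-beta0` puts a pre-release slf4j into the production dependency set. Both look like output of the automated `update-properties` run configured in the earlier patches, which simply took the highest-sorting version available. Patch 6/7 reverts them, but the reversion should be paired with excluding these coordinates from automatic updates or with a version rules file, otherwise the same values are written back on the next clean. The `returns(..., ...)` changes in CentralAnalyzerTest in this same patch suggest the jmockit bump to `1.37` altered expectation matching; a short comment on why each result is now listed twice would help the next reader.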
@@ -125,8 +125,9 @@ Copyright (c) 2012 - Jeremy Long UTF-8 github 4.7.2 - 1.10.1 - 1.8.0-beta0 + 1.9.9 + + 1.7.25 1.2.3 3.5.2 @@ -165,14 +166,14 @@ Copyright (c) 2012 - Jeremy Long 3.3.0 3.5 3.0 - 20040616 + 3.2.2 1.7 1.4 2.2 - 1.1.2 + 1.0.4 0.9.1 @@ -232,7 +233,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-enforcer-plugin - 1.4.1 + 3.0.0-M1 org.codehaus.mojo @@ -327,10 +328,15 @@ Copyright (c) 2012 - Jeremy Long false - org.apache.maven.shared:maven-dependency-tree - joda-time:joda-time + org.apache.maven.shared:maven-dependency-treeÏ org.apache.commons:commons-lang3 org.apache.lucene + commons-collections:commons-collections + joda-time:joda-time + org.slf4j + org.apache.ant + + org.glassfish:javax.json @@ -363,6 +369,14 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-enforcer-plugin + + + org.owasp.maven.enforcer + class-file-format-rule + 1.0.0 + + + true enforce-java @@ -377,13 +391,19 @@ Copyright (c) 2012 - Jeremy Long - - - - true - org.apache.maven.plugins - maven-enforcer-plugin - + + enforce-classfileformat + + + + 51 + + + + + enforce + + enforce-maven-3 From 872a524c444effd33e7fbb66ecacd7949243793c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 3 Dec 2017 11:40:42 -0500 Subject: [PATCH 7/7] updated to use wildcare --- pom.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pom.xml b/pom.xml index 32cfce1c5..6bfac6c10 100644 --- a/pom.xml +++ b/pom.xml 
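Review bot: The new exclude entry `org.apache.maven.shared:maven-dependency-treeÏ` in the versions-maven-plugin configuration (hunk at old line 327) carries a trailing `Ï` that is not part of the coordinate; if that character is really in the file rather than an artifact of this rendering, the pattern will not match and maven-dependency-tree stays eligible for automatic updates despite the intent. Patch 7/7 carries the same character forward as `org.apache.maven.shared:maven-dependency-tree:*Ï`, so it needs fixing in both places. In the same commit the enforcer plugin moves to the milestone release `3.0.0-M1` while the rest of the patch steers the build away from pre-release versions; a one-line comment beside it stating why the milestone is needed for the new `class-file-format-rule` would make that exception deliberate. The `51` given to the new `enforce-classfileformat` execution is a class-file major version, and a comment such as `<!-- 51 = Java 7 class files; keep in sync with the compiler target -->` would spare readers the lookup.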
@@ -328,15 +328,15 @@ Copyright (c) 2012 - Jeremy Long false - org.apache.maven.shared:maven-dependency-treeÏ - org.apache.commons:commons-lang3 - org.apache.lucene - commons-collections:commons-collections - joda-time:joda-time - org.slf4j - org.apache.ant + org.apache.maven.shared:maven-dependency-tree:*Ï + org.apache.commons:commons-lang3:* + org.apache.lucene:*:* + commons-collections:commons-collections:* + joda-time:joda-time:* + org.slf4j:*:* + org.apache.ant:*:* - org.glassfish:javax.json + org.glassfish:javax.json:*