[Snyk] Security upgrade org.cryptomator:webdav-nio-adapter from 1.2.2 to 1.2.3 (#1698)

* fix: pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-1313686

* adjusted suppression config

* bump webdav version

Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Snyk bot 2021-06-24 10:58:47 +03:00 committed by GitHub
parent 8ac253504f
commit b4a97803ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 34 deletions

@ -31,7 +31,7 @@
<cryptomator.integrations.linux.version>1.0.0-beta1</cryptomator.integrations.linux.version>
<cryptomator.fuse.version>1.3.1</cryptomator.fuse.version>
<cryptomator.dokany.version>1.3.1</cryptomator.dokany.version>
<cryptomator.webdav.version>1.2.2</cryptomator.webdav.version>
<cryptomator.webdav.version>1.2.4</cryptomator.webdav.version>
<!-- 3rd party dependencies -->
<javafx.version>16</javafx.version>
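Review bot: the new value of `cryptomator.webdav.version` is 1.2.4, while the commit title still describes an upgrade from 1.2.2 to 1.2.3. The only hint at the difference is the "bump webdav version" step in the message. Suggest updating the title, or adding a line to the message, so that anyone tracing SNYK-JAVA-ORGECLIPSEJETTY-1313686 back to this commit sees the version that is actually pinned in the property.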

@ -14,40 +14,15 @@
<!-- Jetty false positives below -->
<suppress>
<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2009-5045</cve>
</suppress>
<suppress>
<notes><![CDATA[ Affects jetty < 6.1.22 ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2009-5046</cve>
</suppress>
<notes><![CDATA[
Suppress all for this javax.servlet api package:
There are lots of false positives, simply because its version number is way beyond the remaining
org.eclipse.jetty jar files. Note, that our actual Jetty version is different.
<suppress>
<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
As long as we don't suppress anything in org.eclipse.jetty:jetty-server or :jetty-servlet,
vulnerabilities will still trigger if we actually use an outdated Jetty version.
]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<suppress>
<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2017-7656</cve>
</suppress>
<suppress>
<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2017-7657</cve>
</suppress>
<suppress>
<notes><![CDATA[ Affects jetty-server 9.x ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2017-7658</cve>
</suppress>
<suppress>
<notes><![CDATA[ Fixed since jetty-server 10.0.0.beta2 ]]></notes>
<gav>org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6</gav>
<cve>CVE-2020-27216</cve>
<cpe regex="true">.*</cpe>
</suppress>
</suppressions>
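Review bot: the closing `<cpe regex="true">.*</cpe>` suppresses every CPE match for `org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6`, not only the known false positives, so a finding that really does apply to this artifact would be hidden as well. The per-CVE entries being removed recorded why each one did not apply; the single replacement depends entirely on the note's assumption that `org.eclipse.jetty:jetty-server` and `:jetty-servlet` remain unsuppressed. Suggest narrowing the regex to the Jetty CPE that is being mis-matched instead of `.*`. Pinning the `<gav>` to 4.0.6 is good, since the suppression stops applying as soon as the artifact version changes and forces a fresh review.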