Pom update (WebGoat#1290)

* asciidoctorj update * pom and suppression updates
mchataigner · Jul 11, 2022 · f8b7ca5 · f8b7ca5
1 parent e4eb5d7
commit f8b7ca5
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 51 deletions.
diff --git a/config/dependency-check/project-suppression.xml b/config/dependency-check/project-suppression.xml
@@ -1,42 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress base="true">
+    <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        This suppresses all CVE entries that have a score below CVSS 7.
         ]]></notes>
-        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
-        <cve>CVE-2020-5398</cve>
+        <cvssBelow>7</cvssBelow>
     </suppress>
-    <suppress base="true">
+    <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        file name: spring-tx-5.3.21.jar
         ]]></notes>
-        <cpe>cpe:/a:redhat:undertow</cpe>
-        <cve>CVE-2019-14888</cve>
-    </suppress>
-    <suppress base="true">
+        <sha1>13f4f564024d2f85502c151942307c3ca851a4f7</sha1>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        file name: spring-core-5.3.21.jar
         ]]></notes>
-        <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-        <cve>CVE-2018-1258</cve>
-    </suppress>
-    <suppress base="true">
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-aop-5.3.21.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-aop@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-boot-starter-security-2.7.1.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
+        <cve>CVE-2022-22978</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: jruby-stdlib-9.2.20.1.jar: jopenssl.jar (shaded: rubygems:jruby-openssl:0.11.0)
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
         <cpe>cpe:/a:jruby:jruby</cpe>
-        <cve>CVE-2018-1000613</cve>
-        <cve>CVE-2018-1000180</cve>
-        <cve>CVE-2017-18640</cve>
-        <cve>CVE-2011-4838</cve>
-    </suppress>
-    <suppress base="true"><!-- vulnerable components lesson -->
+        <cpe>cpe:/a:openssl:openssl</cpe>
+     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: xstream-1.4.5.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@.*$</packageUrl>
         <cpe>cpe:/a:xstream_project:xstream</cpe>
-        <cve>CVE-2017-7957</cve>
-        <cve>CVE-2016-3674</cve>
-        <cve>CVE-2020-26217</cve>
-        <cve>CVE-2020-26258</cve>
-    </suppress>
-    <suppress base="true"><!-- webgoat-server -->
-        <cpe>cpe:/a:postgresql:postgresql</cpe>
-        <cve>CVE-2018-10936</cve>
-    </suppress>
+        <vulnerabilityName>CVE-2013-7285</vulnerabilityName>
+        <vulnerabilityName>CVE-2016-3674</vulnerabilityName>
+        <vulnerabilityName>CVE-2017-7957</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26217</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26258</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26259</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21341</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21342</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21343</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21344</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21345</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21346</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21347</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21348</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21349</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21350</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21351</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-43859</vulnerabilityName>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-jcl-5.3.21.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -119,7 +119,7 @@
         <webwolf.port>9090</webwolf.port>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
-        <asciidoctorj.version>2.5.2</asciidoctorj.version>
+        <asciidoctorj.version>2.5.3</asciidoctorj.version>
         <bootstrap.version>3.3.7</bootstrap.version>
         <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
         <checkstyle.version>3.1.2</checkstyle.version>
@@ -337,8 +337,8 @@
                         <version>6.5.1</version>
                         <configuration>
                             <failBuildOnCVSS>7</failBuildOnCVSS>
-                            <skipProvidedScope>true</skipProvidedScope>
-                            <skipRuntimeScope>true</skipRuntimeScope>
+                            <skipProvidedScope>false</skipProvidedScope>
+                            <skipRuntimeScope>false</skipRuntimeScope>
                             <suppressionFiles>
                                 <!--suppress UnresolvedMavenProperty -->
                                 <suppressionFile>
@@ -536,14 +536,7 @@
                             <groupId>org.asciidoctor</groupId>
                             <artifactId>asciidoctorj</artifactId>
                         </dependency>
-                        <dependency>
-                            <groupId>org.jruby</groupId>
-                            <artifactId>jruby-complete</artifactId>
-                        </dependency>
                     </requiresUnpack>
-                    <jvmArguments>
-                        <!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000-->
-                    </jvmArguments>
                 </configuration>
             </plugin>
             <plugin>

diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -41,15 +41,15 @@
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
     private final LessonDataSource dataSource;
-
+    private static final String YOUR_QUERY_WAS = "<br> Your query was: ";
     public SqlInjectionLesson6a(LessonDataSource dataSource) {
         this.dataSource = dataSource;
     }
 
     @PostMapping("/SqlInjectionAdvanced/attack6a")
     @ResponseBody
-    public AttackResult completed(@RequestParam String userid_6a) {
-        return injectableQuery(userid_6a);
+    public AttackResult completed(@RequestParam(value="userid_6a")  String userId) {
+        return injectableQuery(userId);
         // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
     }
 
@@ -66,7 +66,7 @@ public AttackResult injectableQuery(String accountName) {
                     ResultSet.CONCUR_READ_ONLY)) {
                 ResultSet results = statement.executeQuery(query);
 
-                if ((results != null) && (results.first())) {
+                if ((results != null) && results.first()) {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
                     StringBuilder output = new StringBuilder();
 
@@ -83,17 +83,16 @@ public AttackResult injectableQuery(String accountName) {
                         output.append(appendingWhenSucceded);
                         return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
                     } else {
-                        return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
+                        return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
                     }
                 } else {
-                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
+                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(YOUR_QUERY_WAS + query).build();
                 }
             } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
+                return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
             }
         } catch (Exception e) {
-            e.printStackTrace();
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
+            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query).build();
         }
     }
 }
diff --git a/...t/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java b/...t/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
@@ -23,9 +23,7 @@
 package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.containsString;