
Upgrade some dependencies and change some tool scripts to produce sarif
files. With this upgrade, Java 11 is required to run Benchmark 1.2.
davewichers committed Apr 15, 2024
1 parent 1e3417e commit 00bcf97
Showing 6 changed files with 26 additions and 24 deletions.
2 changes: 2 additions & 0 deletions .mvn/jvm.config
@@ -0,0 +1,2 @@
--add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED

30 changes: 14 additions & 16 deletions pom.xml
Expand Up @@ -637,7 +637,7 @@
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.14.0</version>
<version>2.16.1</version>
</dependency>

<dependency>
Expand All @@ -651,7 +651,7 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-reload4j</artifactId>
<version>2.0.12</version>
<version>2.0.13</version>
</dependency>

<dependency>
Expand Down Expand Up @@ -804,8 +804,7 @@
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<!-- <version>2.7.1</version> 2.6.0+ requires Java 11. -->
<version>2.5.2</version>
<version>2.7.2</version>
</dependency>

<dependency>
Expand Down Expand Up @@ -955,8 +954,8 @@
<configuration>
<rules>
<enforceBytecodeVersion>
<maxJdkVersion>${java.target}</maxJdkVersion>
<message>Dependencies shouldn't require Java 9+.</message>
<maxJdkVersion>11</maxJdkVersion>
<message>Dependencies shouldn't require Java 12+.</message>
</enforceBytecodeVersion>
</rules>
<fail>warn</fail>
Expand All @@ -971,7 +970,7 @@
<rules>
<requireJavaVersion>
<version>${java.target}</version>
<message>Benchmark is currently written to support Java 8+.</message>
<message>Benchmark is currently written to support Java 8.</message>
</requireJavaVersion>
</rules>
</configuration>
Expand Down Expand Up @@ -1100,8 +1099,7 @@
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<!-- This is the last version that supports Java 8. 2.31.0+ requires Java 11. -->
<version>2.30.0</version>
<version>2.43.0</version>
<configuration>
<!-- optional: limit format enforcement to just the files changed by this feature branch -->
<ratchetFrom>origin/master</ratchetFrom>
Expand Down Expand Up @@ -1166,7 +1164,7 @@

<!-- apply a specific flavor of google-java-format -->
<googleJavaFormat>
<version>1.7</version>
<version>1.8</version>
<style>AOSP</style>
</googleJavaFormat>
</java>
Expand Down Expand Up @@ -1223,9 +1221,9 @@

<properties>
<failOnMissingWebXml>false</failOnMissingWebXml>
<java.target>8</java.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.target>8</java.target>
<maven.war.webxml>${basedir}/src/config/web.xml</maven.war.webxml>
<!-- runenv defaults to local here. But scripts can set this to 'remote' to launch remotely accessible Benchmark. e.g., mvn clean package cargo:run -Pdeploy1.2 -Drunenv=remote -->
<runenv>local</runenv>
Expand All @@ -1241,18 +1239,18 @@
</tomcat.jvmargs.debug>
<log.directory>${project.build.directory}/log</log.directory>

<version.apache.api-ldap>2.1.5</version.apache.api-ldap>
<version.apache.api-ldap>2.1.6</version.apache.api-ldap>
<version.apacheds>2.0.0.AM27</version.apacheds>
<version.fluido>2.0.0-M8</version.fluido>
<!-- hibernate is up to rev 6+. But 4.0.0. causes this error: symbol: org.hibernate.classic.Session not found -->
<version.hibernate>3.6.10.Final</version.hibernate>
<version.spotbugs.maven>4.8.3.1</version.spotbugs.maven>
<version.spotbugs>4.8.3</version.spotbugs>
<version.spotbugs.maven>4.8.4.0</version.spotbugs.maven>
<version.spotbugs>4.8.4</version.spotbugs>
<!-- Spring 6.x requires Java 17 -->
<version.springframework>5.3.33</version.springframework>
<version.springframework>5.3.34</version.springframework>
<!-- Tomcat 10 moves from Java EE to Jakarta EE, moving packages javax.* to jakarta.* - code changes likely required to address this change. -->
<tomcat.major.version>9</tomcat.major.version>
<version.tomcat>9.0.85</version.tomcat>
<version.tomcat>9.0.87</version.tomcat>
<tomcat.url>https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip</tomcat.url>
</properties>

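Review bot: The `requireJavaVersion` rule still takes its bound from `${java.target}`, which the properties hunk leaves at 8, so the build does not enforce the Java 11 runtime requirement the commit message states, and the accompanying message on what appears to be the new side now reads "Benchmark is currently written to support Java 8." while `maxJdkVersion` is hard-coded to 11 — the two enforcer rules now disagree with each other and with the commit description. If the compile target really stays at 8 but a JDK 11+ is required to run the build, express that explicitly: `<version>[11,)</version>` with `<message>Benchmark requires JDK 11+ to build; bytecode target remains ${java.target}.</message>`, and derive `maxJdkVersion` from the same value rather than a literal. The hsqldb bump to 2.7.2 (its own comment said 2.6.0+ requires Java 11) is consistent with that reading, so a one-line comment next to `java.target` saying why it is not 11 would save the next reader the same confusion.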
4 changes: 2 additions & 2 deletions scripts/runSemgrep.sh
Expand Up @@ -10,7 +10,7 @@ docker pull docker.io/semgrep/semgrep

benchmark_version=$(scripts/getBenchmarkVersion.sh)
semgrep_version=$(docker run --rm semgrep/semgrep semgrep --version)
result_file="/src/results/Benchmark_$benchmark_version-Semgrep-v$semgrep_version.json"
result_file="/src/results/Benchmark_$benchmark_version-Semgrep-v$semgrep_version.sarif"

docker run --rm -v "${PWD}:/src" semgrep/semgrep semgrep --config p/security-audit -q --json -o "$result_file" . > /dev/null
docker run --rm -v "${PWD}:/src" semgrep/semgrep semgrep --config p/security-audit -q --sarif -o "$result_file" . > /dev/null
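Review bot: The new semgrep invocation discards stdout and does not check the command's exit status, so a failed scan (image unavailable, missing `results/` directory, semgrep error) leaves no SARIF file and the script continues silently; the script header is outside this hunk, so unless it already sets `set -e`, append `|| exit 1` to the `docker run` line or add `set -euo pipefail` at the top. `$semgrep_version` is interpolated into the output path straight from container output; if that ever contains more than a bare version string the path breaks, so consider validating it against a simple pattern before use. The `-q` flag already suppresses non-result output, so the `> /dev/null` redirect is probably redundant and hides any diagnostics that do get printed.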

2 changes: 2 additions & 0 deletions scripts/runShiftLeftScan.sh
Expand Up @@ -6,6 +6,8 @@ source scripts/requireCommand.sh

requireCommand docker

docker pull docker.io/shiftleft/scan:latest

benchmark_version=$(scripts/getBenchmarkVersion.sh)
shiflteft_version="2.0.4" # it's not (yet) possible to get the release version so we just assume it
result_file="results/Benchmark_$benchmark_version-ShiftLeftScan-v$shiflteft_version.json"
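Review bot: The added `docker pull docker.io/shiftleft/scan:latest` pins nothing, while the result file name below hard-codes `2.0.4` — so the version recorded in the SARIF/JSON filename can silently diverge from the tool that actually produced it, and two runs on different days are not reproducible. Pin the image to the tag (or better, the digest) that corresponds to the hard-coded version, e.g. `docker pull docker.io/shiftleft/scan:<tag-for-2.0.4>` with the digest recorded in a comment, and derive the filename version from that single source. The same unpinned pull appears in runSemgrep.sh (`docker pull docker.io/semgrep/semgrep` in that hunk's header line), where the version is at least read back from the image. The pre-existing variable name `shiflteft_version` is misspelled; not this commit's change, but worth fixing while touching the file.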
2 changes: 1 addition & 1 deletion scripts/runSnykSAST.sh
@@ -1,4 +1,4 @@
# Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
benchmark_version=$(scripts/getBenchmarkVersion.sh)
snyk code test --json-file-output=results/Benchmark_$benchmark_version-snykCodeCli.json
snyk code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli.sarif
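Review bot: `$benchmark_version` is expanded unquoted inside the `--sarif-file-output=` argument, so any whitespace in the value from `getBenchmarkVersion.sh` would split the path; write it as `--sarif-file-output="results/Benchmark_${benchmark_version}-snykCodeCli.sarif"`. The hunk starts at line 1 with a comment, so the script has no shebang and no `set -e`; add `#!/bin/bash` and `set -euo pipefail` so a failed `snyk` run does not exit 0 with no result file. Unlike the other scripts this one does not pin or record the snyk CLI version in the output name, so results from different CLI versions are indistinguishable on disk.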

10 changes: 5 additions & 5 deletions src/main/java/org/owasp/benchmark/helpers/DataBaseServer.java
Expand Up @@ -27,15 +27,15 @@
import org.owasp.benchmark.service.pojo.XMLMessage;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DataBaseServer {

@RequestMapping(value = "/resetdb", method = RequestMethod.GET)
@GetMapping(value = "/resetdb")
public ResponseEntity<List<XMLMessage>> getOtherOrder(
@RequestBody Person model, HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Expand All @@ -44,7 +44,7 @@ public ResponseEntity<List<XMLMessage>> getOtherOrder(
return new ResponseEntity<List<XMLMessage>>(resp, HttpStatus.OK);
}

@RequestMapping(value = "/testdb", method = RequestMethod.POST)
@PostMapping(value = "/testdb")
public ResponseEntity<List<XMLMessage>> createOrder2(
@RequestBody Person model, HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Expand All @@ -53,7 +53,7 @@ public ResponseEntity<List<XMLMessage>> createOrder2(
return new ResponseEntity<List<XMLMessage>>(resp, HttpStatus.OK);
}

@RequestMapping(value = "/getall", method = RequestMethod.GET)
@GetMapping(value = "/getall")
public ResponseEntity<List<XMLMessage>> getAll(
HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
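Review bot: `getOtherOrder`, the `/resetdb` handler, is now `@GetMapping` while still declaring `@RequestBody Person model`; `@RequestBody` is required by default, so a plain GET without a body is rejected with 400 before the reset runs, and a database reset is a state-changing action that by HTTP semantics does not belong on a safe, cacheable, crawler-triggerable method. If the body is not actually used (the handler bodies continue outside this hunk, so I cannot tell), drop the parameter or mark it `@RequestBody(required = false)`, and consider `@PostMapping("/resetdb")` so the reset cannot be fired by a link prefetch. The same GET-plus-`@RequestBody` shape appears on `getAll`'s neighbours; `getAll` itself takes no body. Style: `new ResponseEntity<List<XMLMessage>>(resp, HttpStatus.OK)` in each handler can be `ResponseEntity.ok(resp)`.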
