fix allowed licenses, do version upgrades upgrade and improve test coverage (#112)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/112 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2024-10-10 09:31:43 +02:00
parent 60341bf644
commit cb8a5190ce
16 changed files with 1125 additions and 45 deletions
--- a/etc/allowed-licenses.json
+++ b/etc/allowed-licenses.json
@ -1,8 +1,10 @@
 {
    "allowedLicenses": [
-        { "moduleLicense": "Apache 2.0" },
        { "moduleLicense": "Apache 2" },
+        { "moduleLicense": "Apache 2.0" },
+        { "moduleLicense": "Apache-2.0" },
        { "moduleLicense": "Apache License 2.0" },
+        { "moduleLicense": "Apache License v2.0" },
        { "moduleLicense": "Apache License, Version 2.0" },
        { "moduleLicense": "The Apache Software License, Version 2.0" },

@ -11,6 +13,8 @@
        { "moduleLicense": "BSD-3-Clause" },
        { "moduleLicense": "The BSD License" },

+        { "moduleLicense": "The New BSD License" },
+
        { "moduleLicense": "CDDL 1.1" },
        { "moduleLicense": "CDDL/GPLv2+CE" },
        { "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0" },
@ -29,11 +33,22 @@
        { "moduleLicense": "GNU General Public License, version 2 with the GNU Classpath Exception" },
        { "moduleLicense": "GPL2 w/ CPE" },

+        { "moduleLicense": "LGPL, version 2.1"},
+        { "moduleLicense": "LGPL-2.1-or-later"},
+
        { "moduleLicense": "MIT License" },
        { "moduleLicense": "MIT" },
        { "moduleLicense": "The MIT License (MIT)" },
        { "moduleLicense": "The MIT License" },

-        { "moduleName": "org.springdoc:springdoc-openapi" }
+        { "moduleLicense": "WTFPL" },
+
+        {
+            "moduleLicense": null,
+            "#moduleLicense": "Apache License 2.0, see https://github.com/springdoc/springdoc-openapi/blob/main/LICENSE",
+            "moduleVersion": "2.4.0",
+            "moduleName": "org.springdoc:springdoc-openapi"
+        }
+
    ]
 }
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@ -1,12 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-           Cyclic references are not possible if file comes in JSON text format.
-       ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cpe>cpe:/a:fasterxml:jackson-databind</cpe>
-    </suppress>
    <suppress>
        <notes><![CDATA[
           Internal tooling, not exposed to the Internet.
@ -14,4 +7,10 @@
        <packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
        <cpe>cpe:/a:line:line</cpe>
    </suppress>
+    <suppress>
+        <notes><![CDATA[
+           Malicious HTTP redirect in JAXB on a REST-endpoint is not that dangerous.
+        ]]></notes>
+        <cve>CVE-2024-9329</cve>
+    </suppress>
 </suppressions>