L2JMobius

High Five OWASP Dependency check plugin

koa · 4 · 2758

Offline koa

  • Vassal
  • *
    • Posts: 5
Hi,
I'm pretty new on the forum and that's my first contribution. I'm not sure if everyone will find it useful. Anyway, after this implementation, before every build the plugin checks all dependencies for vulnerabilities. It's configurable; for example, with my default settings, a score higher than 7.0 will fail the build. This can be removed or set to a higher/lower score. The report is exported in HTML format (more formats are supported).
Plugin webpage: https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html

SETUP:
Apply patch (can be applied to all chronicles):
Code:
From 23d759366fc5493757a67f23f73e53d98e3ee1b3 Mon Sep 17 00:00:00 2001
From: devkoa <[email protected]>
Date: Sun, 13 Mar 2022 17:01:38 +0100
Subject: [PATCH] owasp

---
 L2J_Mobius_CT_2.6_HighFive/.gitignore      |  1 +
 L2J_Mobius_CT_2.6_HighFive/build.xml       | 43 +++++++++++++++++++++-
 L2J_Mobius_CT_2.6_HighFive/suppression.xml | 10 +++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 L2J_Mobius_CT_2.6_HighFive/.gitignore
 create mode 100644 L2J_Mobius_CT_2.6_HighFive/suppression.xml

diff --git a/L2J_Mobius_CT_2.6_HighFive/.gitignore b/L2J_Mobius_CT_2.6_HighFive/.gitignore
new file mode 100644
index 0000000000..d6ca47d233
--- /dev/null
+++ b/L2J_Mobius_CT_2.6_HighFive/.gitignore
@@ -0,0 +1 @@
+report-owasp/
diff --git a/L2J_Mobius_CT_2.6_HighFive/build.xml b/L2J_Mobius_CT_2.6_HighFive/build.xml
index b42c28317f..8023363b43 100644
--- a/L2J_Mobius_CT_2.6_HighFive/build.xml
+++ b/L2J_Mobius_CT_2.6_HighFive/build.xml
@@ -26,6 +26,22 @@
  <property name="datapack" location="dist" />
  <property name="libs" location="${datapack}/libs" />
  <property name="src" location="java" />
+ <property name="OWASP_BASE" location="${basedir}/report-owasp" />
+ <tstamp>
+ <format property="CURRENT_TIMESTAMP" pattern="yyyy-MM-dd"  locale="en,UK" />
+ </tstamp>
+ <property name="REPORT_DIR" location="${OWASP_BASE}/${CURRENT_TIMESTAMP}" />
+
+ <property name="dependency-check.home" value="V:/dependency-check-ant"/>
+ <path id="dependency-check.path">
+    <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
+ <fileset dir="${dependency-check.home}/lib">
+ <include name="*.jar"/>
+ </fileset>
+ </path>
+ <taskdef resource="dependency-check-taskdefs.properties">
+    <classpath refid="dependency-check.path" />
+ </taskdef>
 
  <path id="classpath">
  <fileset dir="${libs}">
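Review bot: `dependency-check.home` is pinned to a machine-specific Windows path (`V:/dependency-check-ant`) in the tracked build.xml, so every other developer has to edit a committed file to build. Ant properties are immutable and values passed on the command line are set first, so `ant -Ddependency-check.home=/opt/dependency-check-ant` already overrides this line; it would be cleaner to read it from an untracked file with `<property file="build.properties" />` placed before this `<property>`, or at least to document the `-D` override in the setup notes. Minor: `locale="en,UK"` on the `<format>` has no effect on a purely numeric `yyyy-MM-dd` pattern and can be dropped.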
@@ -43,8 +59,33 @@
  </chainedmapper>
  </mapper>
  </pathconvert>
+
+ <target name="dependency-check-update" description="Dependency-Check Update">
+ <dependency-check-update />
+ </target>
+
+ <target name="dependency-check" depends="dependency-check-update" description="Dependency-Check Analysis">
+ <delete dir="${REPORT_DIR}" quiet="true" />
+ <mkdir dir="${REPORT_DIR}" />
+ <dependency-check projectname="L2J_Mobius_CT_2.6_HighFive"
+   reportoutputdirectory="${REPORT_DIR}"
+   reportformat="HTML"
+   centralAnalyzerUseCache="false"
+   nodeAuditAnalyzerUseCache="false"
+   failBuildOnCVSS="7">
+ <suppressionfile path="${basedir}/suppression.xml" />
+ <retirejsFilter regex="copyright.*jeremy long" />
+ <fileset dir="dist/libs">
+ <include name="**/*.jar"/>
+ </fileset>
+ </dependency-check>
+ </target>
+
+ <target name="dependency-check-purge" description="Dependency-Check purge">
+ <dependency-check-purge />
+ </target>
 
- <target name="checkRequirements" description="Check Requirements.">
+ <target name="checkRequirements" depends="dependency-check" description="Check Requirements.">
  <fail message="Ant 1.8.2 is required. But your version is ${ant.version} and if you are using Eclipse probably is outdated.">
  <condition>
  <not>
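Review bot: wiring `dependency-check` into `checkRequirements` (which itself now pulls in `dependency-check-update`) means every build, including a developer's offline one, must first reach the NVD feed and then scan `dist/libs`; with `centralAnalyzerUseCache="false"` each run also re-queries Maven Central for every jar, so a missing network turns into a failed build rather than a slow one. Consider leaving `dependency-check` as an explicit target for CI and release builds, or guarding the dependency with a property (e.g. `unless="skip.owasp"` on the target) so it can be bypassed deliberately. Two smaller points: `<fileset dir="dist/libs">` hardcodes the path that `${libs}` already defines at the top of the file, and `<retirejsFilter regex="copyright.*jeremy long" />` only affects the RetireJS (JavaScript) analyzer, which has nothing to match in a fileset of `**/*.jar`, so it can be removed.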
diff --git a/L2J_Mobius_CT_2.6_HighFive/suppression.xml b/L2J_Mobius_CT_2.6_HighFive/suppression.xml
new file mode 100644
index 0000000000..29adb709f4
--- /dev/null
+++ b/L2J_Mobius_CT_2.6_HighFive/suppression.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <suppress>
+ <notes><![CDATA[Vulnerabilities on mariadb-java-client.]]></notes>
+ <cve>CVE-2020-28912</cve>
+ <cve>CVE-2021-46669</cve>
+ <cve>CVE-2021-46666</cve>
+ <cve>CVE-2021-46667</cve>
+ </suppress>
+</suppressions>
\ No newline at end of file
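Review bot: the single `<suppress>` lists four `<cve>` entries with no `<packageUrl>`, `<gav>` or `<sha1>` selector, so these CVEs are suppressed for every dependency in the scan, not only for mariadb-java-client as the `<notes>` claim. Scope it to the driver, e.g. `<packageUrl regex="true">^pkg:maven/org\.mariadb\.jdbc/mariadb-java-client@.*$</packageUrl>`, record in `<notes>` why each CVE is judged not applicable, and put an `until="YYYY-MM-DDZ"` attribute on `<suppress>` so the decision is revisited instead of becoming permanent. Also add a trailing newline; the `\ No newline at end of file` marker will show up as noise in every later diff of this file.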
--
2.35.1.windows.2

Download the plugin dependencies (go to the plugin webpage or use the following link): https://github.com/jeremylong/DependencyCheck/releases/download/v7.0.0/dependency-check-ant-7.0.0-release.zip

Unpack it (better to use another place, not inside the game repository, because it will build a local database with all CVE documents). Currently I configure it to check for CVE updates before each execution. NIST provides CVE updates every 4 hours.
Open the build.xml and update the value of the following property (line 35): <property name="dependency-check.home" value="V:/dependency-check-ant"/>
Set the path where you exported the plugin dependencies.
There is a suppression.xml where you can set the ignored CVEs; currently I have added the mariadb-java-client vulnerabilities.
The report is generated inside the project directory "report-owasp/${yyyy-MM-dd}" (a .gitignore file is added to the repo with an ignore rule for this dir).

**Update: the diff was not complete, I exported it as a patch again.

Kind Regards
KoA


Online Mobius

  • Distinguished King
  • *****
    • Posts: 16012
https://mariadb.com/resources/blog/is-the-mariadb-jdbc-driver-affected-by-the-log4j-vulnerability/

Quote
Is the MariaDB Java connector affected by the security vulnerability recently discovered in Log4j? By default, the Java connector does not use Log4j. However, if you have configured it to use SLF4j, keep reading.


Offline koa

  • Vassal
  • *
    • Posts: 5
Results from mariadb-java-client-2.7.5.jar:
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '3,0':
mariadb-java-client-2.7.5.jar: CVE-2020-28912, CVE-2021-46669, CVE-2021-46666, CVE-2021-46667

The provided link describes another issue, I guess already patched: CVE-2021-45046, CVE-2021-44228. This does not affect us anymore.

https://nvd.nist.gov/vuln/detail/CVE-2020-28912 -> https://jira.mariadb.org/browse/MDEV-24040 -> fixed in versions 10.1.48, 10.2.35, 10.3.26, 10.4.16, 10.5.7 and higher. If we update our server to a version higher than this we are good to go, and it can be securely added to the suppression list.

https://nvd.nist.gov/vuln/detail/CVE-2021-46669 -> https://jira.mariadb.org/browse/MDEV-25638 -> Open! Here I guess we can only wait for a patch.

https://nvd.nist.gov/vuln/detail/CVE-2021-46666 -> https://jira.mariadb.org/browse/MDEV-25635 -> fixed in versions 10.6.2, 10.2.39, 10.3.30, 10.4.20, 10.5.11 and higher. If we update our server to a version higher than this we are good to go, and it can be securely added to the suppression list.

https://nvd.nist.gov/vuln/detail/CVE-2021-46667 -> fixed in versions 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5 and higher. If we update our server to a version higher than this we are good to go, and it can be securely added to the suppression list.


3 of the 4 CVEs can be securely added to the suppressions list, but we should have our MariaDB server on the latest stable version.
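The analysis in this post ties three of the four findings to MariaDB server-side fixes and leaves the fourth open. A suppression file can encode exactly that decision instead of silencing all four CVEs for every jar in the scan, as the patch's suppression.xml does. The following is an added example and not the file from the patch or from the Dependency-Check project; the `until` date and the server-version statement in the notes are illustrative assumptions, while the `packageUrl` selector and the `until` attribute are features of the suppression schema 1.3 that the patch already declares.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a scoped suppression file reflecting the decisions in this thread.
     Not the file from the patch. The until date and the server-version note are assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- The three CVEs the analysis above links to MariaDB *server* fixes.
         Scope the suppression to the client jar only (packageUrl), and give it an
         expiry (until) so the decision is re-checked instead of becoming permanent. -->
    <suppress until="2022-09-30Z">
        <notes><![CDATA[
            CVE-2020-28912 (MDEV-24040), CVE-2021-46666 (MDEV-25635), CVE-2021-46667:
            fixed on the MariaDB server side. Assumption for this example: our server
            runs a release at or above the fixed versions listed in the thread.
            Re-validate on the until date and whenever the server or driver is upgraded.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mariadb\.jdbc/mariadb-java-client@.*$</packageUrl>
        <cve>CVE-2020-28912</cve>
        <cve>CVE-2021-46666</cve>
        <cve>CVE-2021-46667</cve>
    </suppress>

    <!-- CVE-2021-46669 (MDEV-25638) is still open according to the analysis above, so it
         is deliberately NOT suppressed here: the dependency-check target keeps failing on it
         until a fix ships or a risk acceptance with its own until date is recorded. -->

</suppressions>
```

With the patch's `failBuildOnCVSS="7"` this file still fails the build while CVE-2021-46669 is reported against the driver; that is the intended signal. If the team decides to accept that risk for now, the honest way to express it is a second `<suppress>` with the same `packageUrl`, a short `until` and a `<notes>` entry saying who accepted it and why, rather than widening the first block.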



Offline koa

  • Vassal
  • *
    • Posts: 5
I created a repo and I will keep all my customised files there, and any others in future based on the free version. https://github.com/devkoa/l2j_mobius_customizations