From a1404adf3142ba00a5dde4e60358f10616f13263 Mon Sep 17 00:00:00 2001
From: Neal McBurnett <nealmcb@freeandfair.us>
Date: Wed, 27 Sep 2017 09:03:20 -0600
Subject: [PATCH 1/2] Add owasp dependency-check-maven plugin for server
 security report

Run it via `mvn dependency-check:check`
---
 server/eclipse-project/pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/eclipse-project/pom.xml b/server/eclipse-project/pom.xml
index 1c5fe5828..874c5c864 100644
--- a/server/eclipse-project/pom.xml
+++ b/server/eclipse-project/pom.xml
@@ -124,6 +124,14 @@
 					<target>1.8</target>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.owasp</groupId>
+				<artifactId>dependency-check-maven</artifactId>
+				<version>1.3.3</version>
+				<configuration>
+					<name>Dependency Check</name>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 	<dependencies>

From 2538ac05d7f3147b6cad6efeec76b4865eba5f45 Mon Sep 17 00:00:00 2001
From: Neal McBurnett <nealmcb@freeandfair.us>
Date: Thu, 28 Sep 2017 12:11:51 -0600
Subject: [PATCH 2/2] Add owasp-dependency-check-suppression.xml and try to get
 it working

Not sure how to configure it yet.
---
 .../owasp-dependency-check-suppression.xml    | 51 +++++++++++++++++++
 server/eclipse-project/pom.xml                |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 server/eclipse-project/owasp-dependency-check-suppression.xml

diff --git a/server/eclipse-project/owasp-dependency-check-suppression.xml b/server/eclipse-project/owasp-dependency-check-suppression.xml
new file mode 100644
index 000000000..adb99ac5b
--- /dev/null
+++ b/server/eclipse-project/owasp-dependency-check-suppression.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+   <suppress>
+      <!-- This is mistaken data: the cve doesn't affect version 1.3.3 -->
+      <notes><![CDATA[
+      file name: commons-fileupload-1.3.3.jar
+      ]]></notes>
+      <sha1>04ff14d809195b711fd6bcc87e6777f886730ca1</sha1>
+      <cve>CVE-2016-1000031</cve>
+   </suppress>
+   <suppress>
+      <!-- Mistaken CPE -->
+      <notes><![CDATA[
+      file name: ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
+      ]]></notes>
+      <sha1>8e69498dd5f7ed71790aa990f4bc1c72e5515234</sha1>
+      <cpe>cpe:/a:eclipse:jetty:8.1.15.v20140411</cpe>
+   </suppress>
+   <suppress>
+      <!-- Mistaken CPE -->
+      <notes><![CDATA[
+      file name: ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
+      ]]></notes>
+      <sha1>8e69498dd5f7ed71790aa990f4bc1c72e5515234</sha1>
+      <cpe>cpe:/a:jetty:jetty:8.1.15.v20140411</cpe>
+   </suppress>
+   <suppress>
+      <!-- ColoradoRLA doesn't use Jetty’s password management or WebSockets -->
+      <notes><![CDATA[
+      file name: jetty-io-9.4.4.v20170414.jar
+      ]]></notes>
+      <sha1>4a1da5a31fbfcdf01e0e4b00a6c5aea96d45801f</sha1>
+      <cve>CVE-2017-9735</cve>
+   </suppress>
+   <suppress>
+      <!-- ColoradoRLA doesn't use Jetty’s password management or WebSockets -->
+      <notes><![CDATA[
+      file name: websocket-api-9.4.4.v20170414.jar
+      ]]></notes>
+      <sha1>83ac5e5ccb73da1c1839805e4d7f284422b7535f</sha1>
+      <cve>CVE-2017-9735</cve>
+   </suppress>
+   <suppress>
+      <!-- ColoradoRLA doesn't parse XML from untrusted sources -->
+      <notes><![CDATA[
+      file name: ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml
+      ]]></notes>
+      <sha1>bf2a064aec0f86ef110ded6b11147350cfef0bb7</sha1>
+      <cpe>cpe:/a:fasterxml:jackson:2.3.0</cpe>
+   </suppress>
+</suppressions>
diff --git a/server/eclipse-project/pom.xml b/server/eclipse-project/pom.xml
index 874c5c864..d03090d36 100644
--- a/server/eclipse-project/pom.xml
+++ b/server/eclipse-project/pom.xml
@@ -130,6 +130,7 @@
 				<version>1.3.3</version>
 				<configuration>
 					<name>Dependency Check</name>
+					<suppressionFiles>owasp-dependency-check-suppression.xml</suppressionFiles>
 				</configuration>
 			</plugin>
 		</plugins>