From 6fabd4dea86a26a3ae0059b87387db6ef2a57a46 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 16:55:33 +1100
Subject: [PATCH 1/8] bump minor slipway-jetty9 deps
---
 slipway-jetty9/project.clj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/slipway-jetty9/project.clj b/slipway-jetty9/project.clj
index 23a62e88..28b0cb9e 100644
--- a/slipway-jetty9/project.clj
+++ b/slipway-jetty9/project.clj
@@ -29,7 +29,7 @@
 [org.eclipse.jetty.websocket/websocket-server "9.4.53.v20231009"]
 [org.eclipse.jetty.websocket/websocket-servlet "9.4.53.v20231009"]
 [org.eclipse.jetty/jetty-jaas "9.4.53.v20231009"]
- [org.slf4j/slf4j-api "2.0.10"]]
+ [org.slf4j/slf4j-api "2.0.11"]]
 :source-paths ["src" "common/src" "common-javax/src"]
 :test-paths ["test" "common/test"]
From 311f7e328b587c0f2822a983f72b60bc0bc07b30 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 16:56:52 +1100
Subject: [PATCH 2/8] bump slipway-jetty10 deps
---
 slipway-jetty10/project.clj | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/slipway-jetty10/project.clj b/slipway-jetty10/project.clj
index b3d35f78..0f4e077a 100644
--- a/slipway-jetty10/project.clj
+++ b/slipway-jetty10/project.clj
@@ -25,12 +25,12 @@
 [org.clojure/tools.logging "1.2.4"]
 [ring/ring-servlet "1.9.6"]
 [com.taoensso/sente "1.17.0"]
- [org.eclipse.jetty.websocket/websocket-jetty-api "10.0.19"]
- [org.eclipse.jetty.websocket/websocket-jetty-server "10.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty.websocket/websocket-servlet "10.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty/jetty-server "10.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty/jetty-jaas "10.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.slf4j/slf4j-api "2.0.10"]]
+ [org.eclipse.jetty.websocket/websocket-jetty-api "10.0.20"]
+ [org.eclipse.jetty.websocket/websocket-jetty-server "10.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty.websocket/websocket-servlet "10.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-server "10.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-jaas "10.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.slf4j/slf4j-api "2.0.11"]]
 :source-paths ["common/src" "common-jetty1x/src" "common-javax/src"]
 :test-paths ["test" "common/test"])
From 10d49a1c383b110dd5d24d898aafe991c4c9ee1f Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 16:58:03 +1100
Subject: [PATCH 3/8] bump slipway-jetty11 deps
---
 slipway-jetty11/project.clj | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/slipway-jetty11/project.clj b/slipway-jetty11/project.clj
index 552cec23..b7480d00 100644
--- a/slipway-jetty11/project.clj
+++ b/slipway-jetty11/project.clj
@@ -25,12 +25,12 @@
 [org.clojure/tools.logging "1.2.4"]
 [ring/ring-servlet "1.9.6"]
 [com.taoensso/sente "1.17.0"]
- [org.eclipse.jetty.websocket/websocket-jetty-api "11.0.19"]
- [org.eclipse.jetty.websocket/websocket-jetty-server "11.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty.websocket/websocket-servlet "11.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty/jetty-server "11.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.eclipse.jetty/jetty-jaas "11.0.19" :exclusions [org.slf4j/slf4j-api]]
- [org.slf4j/slf4j-api "2.0.10"]]
+ [org.eclipse.jetty.websocket/websocket-jetty-api "11.0.20"]
+ [org.eclipse.jetty.websocket/websocket-jetty-server "11.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty.websocket/websocket-servlet "11.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-server "11.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-jaas "11.0.20" :exclusions [org.slf4j/slf4j-api]]
+ [org.slf4j/slf4j-api "2.0.11"]]
 :source-paths ["common/src" "common-jetty1x/src" "common-jakarta/src"]
 :test-paths ["test" "common/test"])
From 9a32954d50b87650e6d1c1b3ccf4c4cc9e76456c Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 17:00:03 +1100
Subject: [PATCH 4/8] prep for 1.1.12 release
---
 CHANGELOG.md | 4 ++++
 README.md | 4 ++--
 slipway-jetty10/project.clj | 2 +-
 slipway-jetty11/project.clj | 2 +-
 slipway-jetty9/project.clj | 2 +-
 5 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2691924c..d2519f0e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Change Log
 All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/)
+## [1.1.12] - 2024-02-05
+
+Bump to latest Jetty version (11.0.20 or equivalent)
+
 ## [1.1.11] - 2024-01-08
 Bump to latest Jetty version (11.0.19 or equivalent)
diff --git a/README.md b/README.md
index 99aeb8ce..3de5a63d 100644
--- a/README.md
+++ b/README.md
@@ -7,8 +7,8 @@
 | Jetty Version | Current Jetty Dependency | Clojars Project |
 | ------------- | ------------------------ | --------------- |
 | Jetty 9 | 9.4.53.v20231009 | [![Clojars Project](https://img.shields.io/clojars/v/io.factorhouse/slipway-jetty9.svg)](https://clojars.org/io.factorhouse/slipway-jetty9) |
-| Jetty 10 | 10.0.19 | [![Clojars Project](https://img.shields.io/clojars/v/io.factorhouse/slipway-jetty10.svg)](https://clojars.org/io.factorhouse/slipway-jetty10) |
-| Jetty 11 | 11.0.19 | [![Clojars Project](https://img.shields.io/clojars/v/io.factorhouse/slipway-jetty11.svg)](https://clojars.org/io.factorhouse/slipway-jetty11) |
+| Jetty 10 | 10.0.20 | [![Clojars Project](https://img.shields.io/clojars/v/io.factorhouse/slipway-jetty10.svg)](https://clojars.org/io.factorhouse/slipway-jetty10) |
+| Jetty 11 | 11.0.20 | [![Clojars Project](https://img.shields.io/clojars/v/io.factorhouse/slipway-jetty11.svg)](https://clojars.org/io.factorhouse/slipway-jetty11) |
 | Jetty 12 | - | Available once Jetty 12 stabilises. |
 ----
diff --git a/slipway-jetty10/project.clj b/slipway-jetty10/project.clj
index 0f4e077a..7c657551 100644
--- a/slipway-jetty10/project.clj
+++ b/slipway-jetty10/project.clj
@@ -1,4 +1,4 @@
-(defproject io.factorhouse/slipway-jetty10 "1.1.11"
+(defproject io.factorhouse/slipway-jetty10 "1.1.12"
 :description "A Clojure Companion for Jetty"
diff --git a/slipway-jetty11/project.clj b/slipway-jetty11/project.clj
index b7480d00..4b3c0cdc 100644
--- a/slipway-jetty11/project.clj
+++ b/slipway-jetty11/project.clj
@@ -1,4 +1,4 @@
-(defproject io.factorhouse/slipway-jetty11 "1.1.11"
+(defproject io.factorhouse/slipway-jetty11 "1.1.12"
 :description "A Clojure Companion for Jetty"
diff --git a/slipway-jetty9/project.clj b/slipway-jetty9/project.clj
index 28b0cb9e..2cd6aa50 100644
--- a/slipway-jetty9/project.clj
+++ b/slipway-jetty9/project.clj
@@ -1,4 +1,4 @@
-(defproject io.factorhouse/slipway-jetty9 "1.1.11"
+(defproject io.factorhouse/slipway-jetty9 "1.1.12"
 :description "A Clojure Companion for Jetty"
From 5bd6604ff6b068cfde67244b6f9e53f441c6a117 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 17:25:58 +1100
Subject: [PATCH 5/8] update actions
---
 .github/workflows/ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index da3e863a..4977c0c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,24 +14,24 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Java8
 if: ${{ matrix.project == 'slipway-jetty9' }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 distribution: 'temurin'
 java-version: '8'
 - name: Setup Java11
 if: ${{ matrix.project != 'slipway-jetty9' }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 distribution: 'temurin'
 java-version: '11'
 - name: Install clojure tools
- uses: DeLaGuardo/setup-clojure@10.3
+ uses: DeLaGuardo/setup-clojure@12.3
 with:
 lein: 'latest'
 github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
 - name: Persist NVD
 if: always()
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: NVD result
 path: ./${{ matrix.project }}/dependency-check/report/*
From 73c2cf0d3ae7fef0eb4cd09ef8f2799cfe2fc383 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 17:34:23 +1100
Subject: [PATCH 6/8] update nvd
---
 .github/workflows/ci.yml | 2 +-
 scripts/dependency-checker.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4977c0c6..f2899396 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
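Review bot: `uses: DeLaGuardo/setup-clojure@12.3` references a third-party action by a movable tag in the same step that passes it `github-token: ${{ secrets.GITHUB_TOKEN }}`, so whatever that tag points to at run time executes with the job's token. Pinning it to a full commit SHA with the tag kept as a comment, `uses: DeLaGuardo/setup-clojure@<full-commit-sha> # 12.3`, makes the reviewed code the code that runs. `lein: 'latest'` in that step is likewise unpinned and could be set to an explicit version. The workflow's `permissions:` setting lies outside this hunk; if none is declared, a read-only `contents: read` entry under `permissions:` would limit what the token can do.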
@@ -64,6 +64,6 @@ jobs:
 if: always()
 uses: actions/upload-artifact@v4
 with:
- name: NVD result
+ name: nvd-${{ matrix.project.profile }}-${{ github.sha }}
 path: ./${{ matrix.project }}/dependency-check/report/*
 retention-days: 1
diff --git a/scripts/dependency-checker.sh b/scripts/dependency-checker.sh
index aace62c8..93e1d043 100755
--- a/scripts/dependency-checker.sh
+++ b/scripts/dependency-checker.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-VERSION="8.4.0"
+VERSION="9.0.9"
 if [ ! -d "dependency-check" ]
 then
From acdb4919ffa13a0a6338eb4b59b80483acbf06f1 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 17:39:50 +1100
Subject: [PATCH 7/8] suppress clojure false-positive CVE
---
 slipway-jetty10/dependency-check-suppressions.xml | 5 +++++
 slipway-jetty11/dependency-check-suppressions.xml | 5 +++++
 slipway-jetty9/dependency-check-suppressions.xml | 5 +++++
 3 files changed, 15 insertions(+)
diff --git a/slipway-jetty10/dependency-check-suppressions.xml b/slipway-jetty10/dependency-check-suppressions.xml
index a0e2af1c..734ef66d 100644
--- a/slipway-jetty10/dependency-check-suppressions.xml
+++ b/slipway-jetty10/dependency-check-suppressions.xml
@@ -7,4 +7,9 @@
 ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
 CVE-2023-24998
+
+ Clojure false positive
+ ^pkg:maven/org\.clojure/.*$
+ CVE-2017-20189
+
diff --git a/slipway-jetty11/dependency-check-suppressions.xml b/slipway-jetty11/dependency-check-suppressions.xml
index a0d9218c..4bd7eaab 100644
--- a/slipway-jetty11/dependency-check-suppressions.xml
+++ b/slipway-jetty11/dependency-check-suppressions.xml
@@ -7,4 +7,9 @@
 ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
 CVE-2023-24998
+
+ Clojure false positive
+ ^pkg:maven/org\.clojure/.*$
+ CVE-2017-20189
+
diff --git a/slipway-jetty9/dependency-check-suppressions.xml b/slipway-jetty9/dependency-check-suppressions.xml
index b955669d..2eb15ea0 100644
--- a/slipway-jetty9/dependency-check-suppressions.xml
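Review bot: The added suppression pairs CVE-2017-20189 with `^pkg:maven/org\.clojure/.*$`, which matches every org.clojure artifact at every version, while its note says only "Clojure false positive". A blanket match like this would also hide the finding for an artifact or version where it is a true positive, so the note should record which artifact and resolved version was flagged and why it is unaffected, and the pattern should be narrowed to that artifact where possible. dependency-check's `until` attribute on the suppress element (`until="<YYYY-MM-DD>Z"`, date to be chosen) would force the entry to be re-evaluated rather than kept indefinitely. The same hunk is repeated for slipway-jetty11 and slipway-jetty9, and PATCH 8/8 adds the same CVE for `^pkg:maven/ring/ring\-codec@.*$` with the same note; the XML element markup is not visible in this rendering.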
+++ b/slipway-jetty9/dependency-check-suppressions.xml
@@ -7,4 +7,9 @@
 ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$
 CVE-2023-24998
+
+ Clojure false positive
+ ^pkg:maven/org\.clojure/.*$
+ CVE-2017-20189
+
From 6c756444596dfb2ea278764ba535688ac01ed734 Mon Sep 17 00:00:00 2001
From: d-t-w
Date: Mon, 5 Feb 2024 18:07:23 +1100
Subject: [PATCH 8/8] add another clojure redundant CVE suppression, fix project.matrix NVD artifact
---
 .github/workflows/ci.yml | 2 +-
 slipway-jetty10/dependency-check-suppressions.xml | 5 +++++
 slipway-jetty11/dependency-check-suppressions.xml | 5 +++++
 slipway-jetty9/dependency-check-suppressions.xml | 5 +++++
 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f2899396..3b737cab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -64,6 +64,6 @@ jobs:
 if: always()
 uses: actions/upload-artifact@v4
 with:
- name: nvd-${{ matrix.project.profile }}-${{ github.sha }}
+ name: nvd-${{ matrix.project }}-${{ github.sha }}
 path: ./${{ matrix.project }}/dependency-check/report/*
 retention-days: 1
diff --git a/slipway-jetty10/dependency-check-suppressions.xml b/slipway-jetty10/dependency-check-suppressions.xml
index 734ef66d..d6451854 100644
--- a/slipway-jetty10/dependency-check-suppressions.xml
+++ b/slipway-jetty10/dependency-check-suppressions.xml
@@ -12,4 +12,9 @@
 ^pkg:maven/org\.clojure/.*$
 CVE-2017-20189
+
+ Clojure false positive
+ ^pkg:maven/ring/ring\-codec@.*$
+ CVE-2017-20189
+
diff --git a/slipway-jetty11/dependency-check-suppressions.xml b/slipway-jetty11/dependency-check-suppressions.xml
index 4bd7eaab..4759505e 100644
--- a/slipway-jetty11/dependency-check-suppressions.xml
+++ b/slipway-jetty11/dependency-check-suppressions.xml
@@ -12,4 +12,9 @@
 ^pkg:maven/org\.clojure/.*$
 CVE-2017-20189
+
+ Clojure false positive
+ ^pkg:maven/ring/ring\-codec@.*$
+ CVE-2017-20189
+
diff --git a/slipway-jetty9/dependency-check-suppressions.xml b/slipway-jetty9/dependency-check-suppressions.xml
index 2eb15ea0..4d64ab46 100644
--- a/slipway-jetty9/dependency-check-suppressions.xml
+++ b/slipway-jetty9/dependency-check-suppressions.xml
@@ -12,4 +12,9 @@
 ^pkg:maven/org\.clojure/.*$
 CVE-2017-20189
+
+ Clojure false positive
+ ^pkg:maven/ring/ring\-codec@.*$
+ CVE-2017-20189
+