This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

swedenconnect/opensaml-bom

A maven BOM for OpenSAML that fixes vulnerable dependencies

opensaml-bom

Maven Bill of Materials (BOM) for OpenSAML

Some of the transitive dependencies that OpenSAML pulls in are old, and Snyk reports vulnerabilities in several of them. This project contains a Maven BOM that overrides those dependencies with fixed versions.

The version of this BOM is the OpenSAML version it patches (starting from 3.4.3) followed by a release number for the BOM itself for that OpenSAML release, for example 3.4.3.R1.

Include the following in the POM of a project that uses OpenSAML to get patched transitive dependencies:

<dependencyManagement>
  <dependencies>

    <!-- Setup OpenSAML dependencies with no reported vulnerabilities. -->
    <dependency>
      <groupId>se.swedenconnect.opensaml</groupId>
      <artifactId>opensaml-bom</artifactId>
      <version>...</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>

  </dependencies>
</dependencyManagement>

Special handling

In most cases you can simply include the OpenSAML dependency you need and trust that the OpenSAML BOM has sorted out all transitive dependencies, but for some artifacts you need to do a little more yourself.

dom4j

The opensaml-storage-impl jar has a transitive dependency on dom4j:dom4j:jar:1.6.1. This version has been reported as vulnerable (https://snyk.io/vuln/SNYK-JAVA-DOM4J-174153). Unfortunately, the replacement artifact lives under another group id (org.dom4j), so the BOM cannot fix this for you with a version override alone. The BOM excludes the vulnerable dom4j dependency from opensaml-storage-impl, but you need to add the org.dom4j dependency yourself.

So, if you include opensaml-storage-impl as a dependency, you must declare both of the following:

<dependency>
  <groupId>org.opensaml</groupId>
  <artifactId>opensaml-storage-impl</artifactId>
</dependency>

<!-- We don't want to use dom4j:dom4j:jar:1.6.1 from opensaml-storage-impl. -->
<dependency>
  <groupId>org.dom4j</groupId>
  <artifactId>dom4j</artifactId>
</dependency>

Velocity and commons-collection

The Velocity template engine jar (org.apache.velocity:velocity:jar:1.7) is included by opensaml-saml-impl. This dependency in turn pulls in commons-collections:commons-collections:jar:3.2.1, which Snyk reports as having an arbitrary code execution vulnerability (https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). No fix exists for this bug, so the OpenSAML BOM simply excludes the Velocity dependency. If you need Velocity (for example when sending an AuthnRequest the OpenSAML way), you need to include the dependency yourself:

<dependency>
  <groupId>org.apache.velocity</groupId>
  <artifactId>velocity</artifactId>
  <version>1.7</version>
</dependency>
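Both special cases above (the dom4j replacement and the excluded Velocity/commons-collections pair) are easy to get wrong silently, because the build still succeeds with the vulnerable jar on the classpath. The script below is an added example, not part of this project: it parses the output of `mvn dependency:list` and flags the two vulnerable coordinates named in this README, plus the case where opensaml-storage-impl is present but the org.dom4j replacement has not been added. The sample Maven output embedded in the script is constructed (the OpenSAML and org.dom4j versions in it are placeholders, not recommendations), and the vulnerable-coordinate table is limited to what this page lists, not a full advisory database.

```python
import re
from dataclasses import dataclass

# Coordinates this README names as vulnerable (constructed from the page text only).
VULNERABLE = {
    ("dom4j", "dom4j", "1.6.1"): "SNYK-JAVA-DOM4J-174153",
    ("commons-collections", "commons-collections", "3.2.1"): "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
}

# `mvn dependency:list` prints one resolved artifact per line as
# "[INFO]    groupId:artifactId:type[:classifier]:version:scope", optionally
# followed by " -- module ..." on newer Maven versions.
LINE_RE = re.compile(r"^\[INFO\]\s+(\S+)(?:\s+--.*)?$")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str


def parse_dependency_list(text):
    """Parse mvn dependency:list output into Artifact records, skipping non-artifact lines."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # Five fields without a classifier, six with one; version and scope are always last.
        if len(parts) not in (5, 6) or parts[-1] not in SCOPES:
            continue
        found.append(Artifact(parts[0], parts[1], parts[-2], parts[-1]))
    return found


def audit(artifacts):
    """Return human-readable findings; an empty list means the tree follows the README's rules."""
    findings = []
    present = {(a.group, a.artifact) for a in artifacts}
    for a in artifacts:
        key = (a.group, a.artifact, a.version)
        if key in VULNERABLE:
            findings.append(f"vulnerable {a.group}:{a.artifact}:{a.version} ({VULNERABLE[key]})")
    # README rule: opensaml-storage-impl requires the org.dom4j replacement to be declared by hand.
    if ("org.opensaml", "opensaml-storage-impl") in present and ("org.dom4j", "dom4j") not in present:
        findings.append("opensaml-storage-impl present but org.dom4j:dom4j replacement is missing")
    return findings


def findings_for(maven_output):
    """Convenience wrapper: parse then audit."""
    return audit(parse_dependency_list(maven_output))


# Constructed sample: a project that uses OpenSAML without this BOM (versions are placeholders).
SAMPLE_WITHOUT_BOM = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.opensaml:opensaml-saml-impl:jar:4.0.1:compile
[INFO]    org.opensaml:opensaml-storage-impl:jar:4.0.1:compile
[INFO]    dom4j:dom4j:jar:1.6.1:compile
[INFO]    org.apache.velocity:velocity:jar:1.7:compile
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]
[INFO] BUILD SUCCESS
"""

# Constructed sample: the same project after importing the BOM and adding org.dom4j by hand.
SAMPLE_WITH_BOM = """\
[INFO] The following files have been resolved:
[INFO]    org.opensaml:opensaml-saml-impl:jar:4.0.1:compile
[INFO]    org.opensaml:opensaml-storage-impl:jar:4.0.1:compile
[INFO]    org.dom4j:dom4j:jar:2.1.3:compile -- module org.dom4j (auto)
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for label, output in (("without BOM", SAMPLE_WITHOUT_BOM), ("with BOM", SAMPLE_WITH_BOM)):
        print(f"{label}: {findings_for(output) or ['no findings']}")
```

Run `mvn dependency:list` in your project and pipe its output into `findings_for` (or replace the constructed samples with a captured file); a non-empty result means one of the README's manual steps was skipped. The check is deliberately narrow: it reports only the coordinates this page discusses, so a scanner such as Snyk is still needed for everything else in the tree.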

Copyright © 2019-2022, Sweden Connect. Licensed under version 2.0 of the Apache License.
