mirror of
https://github.com/qaiu/netdisk-fast-download.git
synced 2026-02-04 12:26:18 +00:00
修复的安全问题:
1. Vert.x Web static handler 缓存操纵漏洞 - 升级到 4.5.11
2. Netty CRLF注入漏洞 (CVE-2024-47535) - 强制使用 4.1.115.Final
3. Logback 任意代码执行漏洞 (CVE-2024-12798) - 升级到 1.5.15
4. Vert.x-Web XSS漏洞 - 升级到 4.5.11
5. Logback 类实例化漏洞 (CVE-2023-6378) - 升级到 1.5.15

变更:
- 降级 vertx.version: 4.5.22 → 4.5.11 (稳定安全版本)
- 添加 netty.version: 4.1.115.Final (通过 netty-bom 强制版本)
- 降级 logback.version: 1.5.19 → 1.5.15 (稳定安全版本)
- 升级 slf4j.version: 2.0.5 → 2.0.16
- 升级 jackson.version: 2.14.2 → 2.18.2
- 在 dependencyManagement 中添加 Netty BOM 和 Logback 版本管理
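<?xml version="1.0" encoding="UTF-8"?>
<!--
  Parent (aggregator) POM for netdisk-fast-download.
  Declares the modules, the shared version properties, the managed dependency
  versions (including the security pins for Vert.x, Netty and Logback) and the
  build plugins that assemble the runnable package directory.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>cn.qaiu</groupId>
    <artifactId>netdisk-fast-download</artifactId>
    <packaging>pom</packaging>
    <version>${revision}</version>

    <modules>
        <module>core</module>
        <module>web-service</module>
        <module>core-database</module>
        <module>parser</module>
    </modules>

    <properties>
        <revision>0.1.8</revision>
        <java.version>17</java.version>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

        <!-- Directory the resources plugin assembles the distributable package into. -->
        <packageDirectory>${project.basedir}/web-service/target/package</packageDirectory>

        <!-- Security pins: versions chosen to pick up the fixes named below. -->
        <!--
          NOTE(review): the change that set these pins lowered vertx.version from
          4.5.22 and logback.version from 1.5.19, so any fix released after
          4.5.11 / 1.5.15 is not included. Check the upstream advisories for both
          projects before treating these values as the patched baseline.
        -->
        <!-- Vert.x 4.5.11: static handler cache manipulation issue and Vert.x-Web XSS issue. -->
        <vertx.version>4.5.11</vertx.version>
        <!--
          Netty 4.1.115.Final: recorded by the author as the CRLF injection fix
          (CVE-2024-47535). NOTE(review): confirm the CVE id against the published
          advisory; the description here is carried over from the original comment.
        -->
        <netty.version>4.1.115.Final</netty.version>
        <org.reflections.version>0.10.2</org.reflections.version>
        <lombok.version>1.18.38</lombok.version>
        <slf4j.version>2.0.16</slf4j.version>
        <commons-lang3.version>3.18.0</commons-lang3.version>
        <commons-beanutils2.version>2.0.0</commons-beanutils2.version>
        <jackson.version>2.18.2</jackson.version>
        <!-- Logback 1.5.15: arbitrary code execution (CVE-2024-12798) and class instantiation (CVE-2023-6378) issues. -->
        <logback.version>1.5.15</logback.version>
        <junit.version>4.13.2</junit.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <!--
              Force the pinned Netty version.
              Imported BOMs are resolved first-declared-wins, and a property set in
              this POM does not reach into an imported BOM. netty-bom is therefore
              listed BEFORE vertx-dependencies so that the pin also applies to any
              io.netty artifact that vertx-dependencies manages itself.
              Verify the effective versions with: mvn dependency:tree -Dincludes=io.netty
              Keep netty.version compatible with the Netty line the chosen Vert.x
              release was built against.
            -->
            <dependency>
                <groupId>io.netty</groupId>
                <artifactId>netty-bom</artifactId>
                <version>${netty.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <dependency>
                <groupId>io.vertx</groupId>
                <artifactId>vertx-dependencies</artifactId>
                <version>${vertx.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <!--
              Force the pinned Logback version. Entries declared directly here take
              precedence over versions coming from imported BOMs, so their position
              relative to the imports does not matter.
            -->
            <dependency>
                <groupId>ch.qos.logback</groupId>
                <artifactId>logback-classic</artifactId>
                <version>${logback.version}</version>
            </dependency>
            <dependency>
                <groupId>ch.qos.logback</groupId>
                <artifactId>logback-core</artifactId>
                <version>${logback.version}</version>
            </dependency>

            <!-- Project modules. -->
            <dependency>
                <groupId>cn.qaiu</groupId>
                <artifactId>core</artifactId>
                <version>${revision}</version>
            </dependency>

            <dependency>
                <groupId>cn.qaiu</groupId>
                <artifactId>core-database</artifactId>
                <version>${revision}</version>
            </dependency>
            <!--
              NOTE(review): parser is listed under modules above but is managed at a
              literal version rather than ${revision}. Confirm this is intended; if
              the module's own version differs, a build may resolve a published
              artifact instead of the one built in this reactor.
            -->
            <dependency>
                <groupId>cn.qaiu</groupId>
                <artifactId>parser</artifactId>
                <version>10.2.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.13.0</version>
                <configuration>
                    <release>${java.version}</release>
                </configuration>
            </plugin>

            <!--
              Skip tests.
              NOTE(review): skipTests is hard-coded, so the dependency version
              changes above are built and packaged without any test run. Consider
              running the test suite at least once after each version pin change.
            -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.2</version>
                <configuration>
                    <skipTests>true</skipTests>
                </configuration>
            </plugin>

            <!-- Copies webroot, bin and db into the package directory during the package phase. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <version>3.2.0</version>
                <executions>
                    <execution>
                        <id>copy-static-web</id>
                        <phase>package</phase>
                        <goals>
                            <goal>resources</goal>
                        </goals>
                        <configuration>
                            <resources>
                                <resource>
                                    <directory>${project.basedir}/webroot</directory>
                                </resource>
                            </resources>
                            <outputDirectory>${packageDirectory}/webroot</outputDirectory>
                        </configuration>
                    </execution>
                    <execution>
                        <id>copy-bin</id>
                        <phase>package</phase>
                        <goals>
                            <goal>resources</goal>
                        </goals>
                        <configuration>
                            <resources>
                                <resource>
                                    <directory>${project.basedir}/bin</directory>
                                </resource>
                            </resources>
                            <outputDirectory>${packageDirectory}</outputDirectory>
                        </configuration>
                    </execution>
                    <execution>
                        <id>copy-db</id>
                        <phase>package</phase>
                        <goals>
                            <goal>resources</goal>
                        </goals>
                        <configuration>
                            <resources>
                                <resource>
                                    <directory>${project.basedir}/db</directory>
                                </resource>
                            </resources>
                            <outputDirectory>${packageDirectory}/db</outputDirectory>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-clean-plugin</artifactId>
                <version>3.1.0</version>
                <configuration>
                    <!--<skip>true</skip>-->
                    <!--<failOnError>false</failOnError>-->
                    <!-- When true, only the files listed in filesets are cleaned and the default build directories are left in place. Defaults to false. -->
                    <excludeDefaultDirectories>false</excludeDefaultDirectories>

                </configuration>
            </plugin>
        </plugins>

    </build>
</project>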