Add Dependency-Check checks / reporting. Update several versions of vulernerable dependencies (none which were actually exploitable through ESAPI).

Author: kwwall

pom.xml

@@ -126,8 +126,9 @@
         </dependency>
         <dependency>
             <groupId>commons-beanutils</groupId>
-            <artifactId>commons-beanutils-core</artifactId>
-            <version>1.8.3</version>
+            <artifactId>commons-beanutils</artifactId>
+            <!-- We need to use 1.9.2 (or later) here to address CVE-2014-0114. -->
+            <version>1.9.3</version>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
@@ -150,13 +151,13 @@
         <dependency>
             <groupId>commons-fileupload</groupId>
             <artifactId>commons-fileupload</artifactId>
-            <version>1.3.1</version>
+            <version>1.3.2</version>
             <scope>compile</scope>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.4</version>
+            <version>2.5</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -185,12 +186,24 @@
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
             <artifactId>antisamy</artifactId>
-            <version>1.5.3</version>
+            <version>1.5.5</version>
+        </dependency>
+        <!-- The following is only a TRANSITIVE dependency used by antisamy.
+             Antisamy uses 2.7.0, which has unpatched vulnerability
+             CVE-2014-0107 so we try to force it to 2.7.2 to address this
+             as we are already using the latest version of antisamy.
+             However, as of ESAPI 2.1.0.1 at least, ESAPI does NOT use this
+             library directly.
+        -->
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
             <artifactId>batik-css</artifactId>
-            <version>1.8</version>
+            <version>1.9</version>
         </dependency>
 		<dependency>
 		    <groupId>org.mockito</groupId>
@@ -272,6 +285,21 @@
                 <version>4.1.0</version>
             </plugin>
 
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>1.4.4</version>
+                <configuration>
+                    <failBuildOnCVSS>1</failBuildOnCVSS>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 
@@ -344,14 +372,6 @@
                     </reportSet>
                 </reportSets>
             </plugin>
-            <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-                <version>1.3.3</version>
-                <configuration>
-                    <externalReport>false</externalReport>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-report-plugin</artifactId>