From 7ded0968c1e699fdf84c3d106bfc27c9e7ae536f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 20 Dec 2021 17:29:25 +0100
Subject: [PATCH] Ban log4j all together and update OWASP dep check

Remove
---
 pom.xml | 48 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index cbc888ee0..84fca14d0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,6 +133,8 @@
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
         <java.version>17</java.version>
         <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
+        <pmd.version>3.15.0</pmd.version>
+        <checkstyle.version>3.1.2</checkstyle.version>
     </properties>
 
     <modules>
@@ -141,14 +143,15 @@
         <module>webgoat-server</module>
         <module>webwolf</module>
         <module>webgoat-integration-tests</module>
-		<module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
+        <module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
     </modules>
 
+
     <dependencies>
-	    <dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-validation</artifactId>
-		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -187,7 +190,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>3.1.2</version>
+                <version>${checkstyle.version}</version>
                 <configuration>
                     <encoding>UTF-8</encoding>
                     <consoleOutput>true</consoleOutput>
@@ -200,10 +203,11 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.14.0</version>
+                <version>${pmd.version}</version>
                 <configuration>
-                    <targetJdk>15</targetJdk>
-                    <failurePriority>1</failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
+                    <targetJdk>${maven.compiler.target}</targetJdk>
+                    <failurePriority>1
+                    </failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
                     <rulesets>
                         <!--suppress UnresolvedMavenProperty -->
                         <ruleset>${maven.multiModuleProjectDirectory}/config/pmd/pmd-ruleset.xml</ruleset>
@@ -219,6 +223,30 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.0.0</version>
+                <executions>
+                    <execution>
+                        <id>Restrict-bad-log4j-versions</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <bannedDependencies>
+                                    <excludes>
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                    </excludes>
+                                </bannedDependencies>
+                            </rules>
+                            <fail>true</fail>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 
@@ -233,7 +261,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>6.1.3</version>
+                        <version>6.5.1</version>
                         <configuration>
                             <failBuildOnCVSS>7</failBuildOnCVSS>
                             <skipProvidedScope>true</skipProvidedScope>