Feat/springdocs upgrade (#15)

* Migration to Springdoc 2 * Migration to Springdoc 2 * Explicit import of newer version of fileupload to fix CVE-2023-24998 * Added another h2 CVE suppression since still only used for testing * Added false positive for guava * Removed version since it's managed at parent * Moved version since it's managed at parent
corona-warn-app · Mar 15, 2023 · 964f6a3 · 964f6a3
1 parent 0809116
commit 964f6a3
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/feign/pom.xml b/feign/pom.xml
@@ -27,9 +27,15 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-openfeign</artifactId>
         </dependency>
+
         <dependency>
             <groupId>io.github.openfeign</groupId>
             <artifactId>feign-httpclient</artifactId>
         </dependency>
+        <!-- To satisfy CVE-2023-24998 happening in openfeign -->
+        <dependency>
+            <groupId>commons-fileupload</groupId>
+            <artifactId>commons-fileupload</artifactId>
+        </dependency>
     </dependencies>
 </project>
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
@@ -14,11 +14,17 @@
     <suppress>
         <notes>H2 is only used for testing, not production</notes>
         <cve>CVE-2022-45868</cve>
+        <cve>CVE-2018-14335</cve>
     </suppress>
 
     <suppress>
         <notes>False positive. CVE is matching for hutools. OWASP Check matches for json-lib</notes>
         <cve>CVE-2022-45688</cve>
     </suppress>
 
+    <suppress>
+        <notes>False positive. guava version is higher than 30.0 and this CVE should not match</notes>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
+
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -80,8 +80,8 @@
             </dependency>
             <dependency>
                 <groupId>org.springdoc</groupId>
-                <artifactId>springdoc-openapi-ui</artifactId>
-                <version>1.6.14</version>
+                <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
+                <version>2.0.4</version>
             </dependency>
 
 
@@ -117,6 +117,11 @@
                 <version>3.6.1</version>
                 <scope>compile</scope>
             </dependency>
+            <dependency>
+                <groupId>commons-fileupload</groupId>
+                <artifactId>commons-fileupload</artifactId>
+                <version>1.5</version>
+            </dependency>
 
 
             <!-- JJWT -->

diff --git a/spring-boot/pom.xml b/spring-boot/pom.xml
@@ -73,7 +73,7 @@
         <!-- Documentation -->
         <dependency>
             <groupId>org.springdoc</groupId>
-            <artifactId>springdoc-openapi-ui</artifactId>
+            <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
         </dependency>
 
         <!-- Test -->