FPET-695 CVE fixes
sairamkantheti1 committed Sep 4, 2023
1 parent bd23211 commit 36bd8bf
Showing 2 changed files with 38 additions and 72 deletions.
53 changes: 34 additions & 19 deletions build.gradle
Expand Up @@ -2,7 +2,7 @@ import org.springframework.boot.gradle.tasks.run.BootRun

buildscript {
ext {
springBootVersion = '2.7.0'
springBootVersion = '2.7.12'
}
repositories {
mavenLocal()
Expand Down Expand Up @@ -170,41 +170,43 @@ def versions = [
commonsBeanUtils: '1.9.4',
feignHttpClient: '10.2.0',
gradlePitest: '1.4.5',
guava: '30.1-jre',
jacksonDatabind: '2.14.0-rc1',
apacheLogging: '2.17.2',
guava: '32.1.2-jre',
jacksonDatabind: '2.15.2',
apacheLogging: '2.20.0',
jsonAssert: '1.2.3',
junit: '4.13.1',
lombok: '1.18.26',
nimbus: '5.1',
pdfbox: '2.0.8',
pdfbox: '2.0.24',
pitest: '1.7.3',
powerMock: '2.0.0',
puppyCrawl: '8.29',
reformPropertiesVolume: '0.0.4',
reformsJavaLogging: '5.1.1',
restAssured: '4.5.1',
serenity: '2.2.13',
serenityCucumber: '1.9.51',
serviceTokenGenerator: '3.0.0',
sonarPitest: '0.5',
spring_security_rsa: '1.0.9.RELEASE',
springBoot: '2.7.0',
springCloud: '3.1.1',
spring_security_rsa: '1.0.11.RELEASE',
springBoot: '2.7.12',
springCloud: '3.1.4',
springHateoas: '0.25.1.RELEASE',
unirest: '1.4.9',
wiremockVersion: '2.27.2',
springSecurityCrypto: '5.4.5',
tomcat: '9.0.69',
springSecurityCrypto: '5.7.5',
tomcat : '9.0.80',
pact_version: '4.1.11',
httpComponents: '4.5.13',
bouncycastle: '1.61',
ccdCaseDocumentAmClient: '1.7.2'
ccdCaseDocumentAmClient: '1.7.2',
springFramework : '5.3.27'
]

ext["logback.version"] = '1.2.11'
ext['snakeyaml.version'] = '1.32'
ext['jackson.version'] = '2.14.0-rc1'
ext['snakeyaml.version'] = '2.2'
ext['jackson.version'] = '2.15.2'
ext['spring-framework.version'] = '5.3.27'




Expand All @@ -223,6 +225,7 @@ dependencies {
integrationTestImplementation group: 'org.skyscreamer', name:'jsonassert', version: versions.jsonAssert
integrationTestImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
integrationTestImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'

integrationTestImplementation (group: 'uk.gov.hmcts.reform', name:'service-auth-provider-client', version: versions.serviceTokenGenerator){
exclude group: 'io.reactivex', module: 'io.reactivex'
exclude group: 'io.reactivex', module: 'rxnetty'
Expand Down Expand Up @@ -282,7 +285,8 @@ dependencies {
implementation group: 'org.apache.commons', name: 'commons-lang3', version : versions.commonsLang3

implementation group: 'uk.gov.hmcts.reform', name: 'logging', version: versions.reformsJavaLogging
implementation group: 'uk.gov.hmcts.reform', name: 'logging-appinsights', version: versions.reformsJavaLogging
implementation group: 'org.springframework', name: 'spring-context-support', version: versions.springFramework
implementation group: 'uk.gov.hmcts.reform', name: 'logging-appinsights', version: versions.reformsJavaLogging
implementation group: 'uk.gov.hmcts.reform', name: 'logging-spring', version: versions.reformsJavaLogging
implementation group: 'uk.gov.hmcts.reform', name: 'logging-httpcomponents', version: versions.reformsJavaLogging
implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: versions.reformPropertiesVolume
Expand All @@ -299,7 +303,7 @@ dependencies {
implementation group:'info.solidsoft.gradle.pitest', name: 'gradle-pitest-plugin', version: versions.gradlePitest
implementation group:'org.codehaus.sonar-plugins', name:'sonar-pitest-plugin', version: versions.sonarPitest
implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: versions.httpComponents
implementation (group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.0.6')
implementation (group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.2.1')


annotationProcessor("org.projectlombok:lombok:${versions.lombok}")
Expand Down Expand Up @@ -372,8 +376,6 @@ dependencyManagement {
entry 'jackson-databind'
}

dependency group: 'org.yaml',name: 'snakeyaml', version: '1.32'

dependency group: 'com.netflix.servo',name: 'servo-core', version: '0.13.2'

// CVE-2021-30640, CVE-2021-33037
Expand All @@ -386,7 +388,20 @@ dependencyManagement {
// CVE-2021-28170
dependency group: 'org.glassfish', name: 'jakarta.el', version: '4.0.2'

dependency group: 'com.google.guava', name:'guava', version: versions.guava
//CVE-2022-45688
dependencySet(group: 'org.json', version: '20230227') {
entry 'json'
}
//CVE-2023-2976
dependency group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'

//CVE-2022-1471
dependencySet(group: 'org.yaml', version: '2.2') {
entry 'snakeyaml'
}
dependency group: 'org.springframework.security', name: 'spring-security-crypto', version: '5.7.5'


}
}

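Review bot: The new dependencyManagement pins under the CVE-2023-2976 and CVE-2022-1471 comments hard-code '32.1.2-jre' for guava and '5.7.5' for spring-security-crypto, while the same commit already declares those values in the versions map as versions.guava and versions.springSecurityCrypto; the next CVE bump has to be made in two places and the two can silently drift. Reference the map instead: `dependency group: 'com.google.guava', name: 'guava', version: versions.guava` and `dependency group: 'org.springframework.security', name: 'spring-security-crypto', version: versions.springSecurityCrypto`, and have the snakeyaml dependencySet read ext['snakeyaml.version'] rather than repeating '2.2'. Separately, the versions map still carries bouncycastle: '1.61' untouched even though the companion suppression file drops CVE-2020-15522 (a Bouncy Castle advisory) from the temporary list; if that coordinate is still wired to a dependency, dependency-check will presumably flag it on the next run, so confirm or bump it in the same change. The dependencyManagement block continues outside the visible hunk.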
57 changes: 4 additions & 53 deletions config/owasp/suppressions.xml
@@ -1,57 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[log4j-api-2.17.2.jar ,log4j-to-slf4j-2.17.2.jar]]></notes>
<cve>CVE-2022-33915</cve>
</suppress>
<suppress>
<notes><![CDATA[
tomcat-embed-core-9.0.63.jar ]]></notes>
<cve>CVE-2022-34305</cve>
</suppress>
<suppress>
<notes><![CDATA[
<suppress>
<notes><![CDATA[
spring-core-5.3.20.jar ]]></notes>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2023-20863</cve>
</suppress>
<suppress>
<notes><![CDATA[
apache:log4j:2.17.2:*:*:*:*:*:*:*
]]></notes>
<cve>CVE-2022-33915</cve>
<cve>CVE-2022-31569</cve>
</suppress>
<suppress>
<notes>Temporary Suppression</notes>
<cve>CVE-2021-37533</cve>
<cve>CVE-2022-45688</cve>
<cve>CVE-2023-24998</cve>
<cve>CVE-2022-1471</cve>
<cve>CVE-2023-20860</cve>
<cve>CVE-2023-20873</cve>
<cve>CVE-2023-34036</cve>
</suppress>
<suppress>
<notes>Temporary Suppression</notes>
<cve>CVE-2021-4277</cve>
<cve>CVE-2021-4235</cve>
<cve>CVE-2022-3064</cve>
<cve>CVE-2022-22978</cve>
<cve>CVE-2022-22976</cve>
<cve>CVE-2021-22119</cve>
<cve>CVE-2020-15522</cve>
<cve>CVE-2021-22053</cve>
<cve>CVE-2022-1471</cve>
<cve>CVE-2023-20861</cve>
<cve>CVE-2023-28708</cve>
<cve>CVE-2023-20873</cve>
<cve>CVE-2023-20883</cve>
<cve>CVE-2023-35116</cve>
<cve>CVE-2023-2976</cve>
<cve>CVE-2023-2976</cve>
<cve>CVE-2023-35116</cve>
<cve>CVE-2023-34036</cve>
<cve>CVE-2020-8908</cve>
</suppress>
<cve>CVE-2016-1000027</cve>
</suppress>
</suppressions>
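Review bot: The one suppression that survives, for CVE-2016-1000027 on spring-core, carries no expiry and the notes around it no longer name the affected jar or say why the finding is accepted; that advisory only matters where HttpInvoker or RMI remoting endpoints deserialize untrusted input, and a reader of this file cannot tell that none are exposed. Give the entry a justification and a review date so it is revisited rather than inherited forever, e.g. `<suppress until="2024-09-01Z">` with `<notes><![CDATA[spring-core: CVE-2016-1000027 applies only to HttpInvoker/RMI remoting, which this service does not expose (confirm) — revisit on the Spring Framework 6 upgrade]]></notes>`. Which of the printed lines make up the new 8-line file is not recoverable from the rendered page, so this assumes the trailing `<cve>CVE-2016-1000027</cve>` entry is the retained one.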
