
Merge pull request #96 from patientsknowbest/bump-deps-fix-owasp-mar-23
Bump dependencies to fix OWASP Dependency-Check findings
MFAshby authored Mar 29, 2023
2 parents 582e703 + 7b9eda9 commit 6c27165
Showing 4 changed files with 35 additions and 32 deletions.
49 changes: 24 additions & 25 deletions pom.xml
Expand Up @@ -47,7 +47,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

<apache.commons.text.version>1.10.0</apache.commons.text.version>
<approvalcrest.version>0.61.1</approvalcrest.version>
<approvalcrest.version>0.61.2</approvalcrest.version>
<hamcrest.version>2.2</hamcrest.version>
<vavr.version>0.10.2</vavr.version>

Expand All @@ -57,7 +57,7 @@
<version.apache-commons-io>2.6</version.apache-commons-io>
<javax.javaee-api.version>8.0</javax.javaee-api.version>
<avro.version>1.11.0</avro.version>
<camel.version>3.19.0</camel.version>
<camel.version>3.20.2</camel.version>

<maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
<maven.source.plugin.version>3.2.1</maven.source.plugin.version>
Expand All @@ -75,17 +75,17 @@

<commons.testing.version>54-8e2e575-247593</commons.testing.version>
<spring-cloud.version>2021.0.5</spring-cloud.version>
<spring.boot.version>2.7.5</spring.boot.version>
<spring.boot.version>2.7.10</spring.boot.version>
<immutables.version>2.9.0</immutables.version>
<checker-qual.version>3.25.0</checker-qual.version>
<checker-qual.version>3.32.0</checker-qual.version>
<kotlin.version>1.6.21</kotlin.version>
<errorprone.version>2.16</errorprone.version>
<errorprone.version>2.18.0</errorprone.version>
<groovy.version>2.5.17</groovy.version>
<retrofit.version>2.9.0</retrofit.version>
<okhttp.version>4.10.0</okhttp.version>
<jakarta.persistence-api.version>2.2.3</jakarta.persistence-api.version>
<jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
<hibernate-core.version>5.6.9.Final</hibernate-core.version> <!-- Please ensure that this remains consistent with the version specified in the spring boot bom -->
<hibernate-core.version>5.6.15.Final</hibernate-core.version> <!-- Please ensure that this remains consistent with the version specified in the spring boot bom -->
<jakarta.inject-api.version>1.0</jakarta.inject-api.version>
<jaxb-impl.version>2.3.6</jaxb-impl.version>
<jakarta.activation-api.version>2.0.1</jakarta.activation-api.version>
Expand All @@ -94,13 +94,11 @@
<assertj-version>3.23.1</assertj-version>

<!-- Required to force google components like pub-sub to more recent versions than camel bom will pull in. Keep in line with PHR -->
<spring-cloud-gcp.version>3.4.0</spring-cloud-gcp.version>
<spring-cloud-gcp.version>3.4.7</spring-cloud-gcp.version>

<!-- Only needed because of a security issue, remove when spring-cloud-dependencies uses at least spring security version 5.7.5 -->
<spring.security.version>5.7.5</spring.security.version>

<!--Required until approvalcrest is compatible with latest gson again -->
<google.gson.version>2.9.0</google.gson.version>
<jackson-bom.version>2.14.2</jackson-bom.version>
<google.gson.version>2.10.1</google.gson.version>
</properties>

<modules>
Expand All @@ -119,21 +117,20 @@

<dependencyManagement>
<dependencies>
<!-- Only needed because of a security issue, remove when spring-cloud-dependencies uses at least spring security version 5.7.5 -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-bom</artifactId>
<version>${spring.security.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>spring-cloud-gcp-dependencies</artifactId>
<version>${spring-cloud-gcp.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-bom</artifactId>
<version>${jackson-bom.version}</version>
<scope>import</scope>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
Expand Down Expand Up @@ -311,6 +308,13 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-core</artifactId>
<type>test-jar</type>
<scope>test</scope>
<version>${camel.version}</version>
</dependency>
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-xml-jaxb</artifactId>
Expand Down Expand Up @@ -398,7 +402,6 @@
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<!-- latest version is 2.9.0 but it is non-backwards-compatible with karsaig's approval crest -->
<version>${google.gson.version}</version>
</dependency>
</dependencies>
Expand Down Expand Up @@ -452,11 +455,7 @@
to pick the highest version. Otherwise we may end up unexpectedly swapping to an older
version if the 'nearest' definition changes, or end up unexpectedly using a different version
to what we've specified via a parent bom -->
<requireUpperBoundDeps>
<excludes>
<exclude>com.google.code.gson:gson</exclude>
</excludes>
</requireUpperBoundDeps>
<requireUpperBoundDeps/>
<banCircularDependencies/>
<banDuplicateClasses/>
<bannedDependencies>
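Review bot: The jackson-bom import added to dependencyManagement directly above spring-boot-dependencies has no comment, whereas the spring-security-bom override it replaces documented why it existed and when it could be dropped. In Maven, the first imported BOM that manages an artifact wins, so the position above spring-boot-dependencies is exactly what makes the 2.14.2 pin effective, and a later reorder would silently revert to the Boot-managed Jackson version. Suggest a comment in the same style as the removed one, e.g. `<!-- Imported before spring-boot-dependencies so that ${jackson-bom.version} wins over the Boot-managed Jackson; remove once the Boot BOM manages at least this version -->`. With the explicit spring-security-bom gone, the effective Spring Security version is now whatever the Boot 2.7.10 / Spring Cloud 2021.0.5 BOMs resolve, which presumably meets the >= 5.7.5 floor the removed comment required; a quick `mvn dependency:tree -Dincludes=org.springframework.security` in the PR would confirm that rather than leaving it implicit. The dependencyManagement block continues beyond this hunk.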
1 change: 0 additions & 1 deletion spring-boot-infrastructure/pom.xml
Expand Up @@ -19,7 +19,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<version>${spring.boot.version}</version>
<scope>test</scope>
</dependency>
<dependency>
4 changes: 0 additions & 4 deletions spring-infrastructure/pom.xml
Expand Up @@ -17,10 +17,6 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.checkerframework</groupId>
<artifactId>checker-qual</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
13 changes: 11 additions & 2 deletions suppression.xml
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

<suppress until="2023-03-01Z">
<suppress until="2024-01-01Z">
<!-- This seems to be a false positive because the report refers the com.google.code.gson library -->
<notes><![CDATA[
file name: google-http-client-gson-*.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-gson@.*$</packageUrl>
<cve>CVE-2022-25647</cve>
</suppress>
<suppress until="2022-12-06Z">
<suppress until="2024-01-01Z">
<!-- This is a false positive. The CVE is for much lower version of springs security than this one. But
according to the CVE website the vulnerability is being "reassessed" so we should check back in 2 months and
see if there's any update -->
Expand All @@ -19,5 +19,14 @@
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
</suppress>
<suppress until="2023-06-01Z">
<!-- Refer to https://github.com/google/guava/issues/4011 -->
<!-- Hopefully Google will either remove or update the deprecated method that is affected by this CVE; until then we suppress it -->
<notes><![CDATA[
file name: guava-31.1-jre.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
<cve>CVE-2020-8908</cve>
</suppress>

</suppressions>
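Review bot: The spring-security suppression's `until` is pushed out to 2024-01-01 while its comment still says to "check back in 2 months", so the comment no longer describes the review cadence the entry actually has; either shorten the window or reword it, e.g. `<!-- False positive: CVE targets much older spring-security releases. Re-check whether NVD has reassessed it before the until date. -->`. The new guava suppression of CVE-2020-8908 is only safe if nothing in this repository calls the deprecated method the linked issue concerns (`Files.createTempDir()`, per that issue), and the comment only expresses hope for an upstream fix; record that the check was done, e.g. `<!-- Verified no callers of Files.createTempDir() in this repo; suppression is safe until guava removes or fixes the method -->`. For the gson entry it is worth noting in the comment that this same PR bumps gson itself to 2.10.1, so the remaining match is purely the CPE false positive on google-http-client-gson, which makes the ten-month extension easier to justify at the next review.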
