From e54547fc32735c7e13699d5231dc9c520a6eb825 Mon Sep 17 00:00:00 2001
From: Philippe Deslauriers
Date: Mon, 4 Mar 2024 20:33:32 +0000
Subject: [PATCH] dependency-track: Fix CVEs
Signed-off-by: Philippe Deslauriers
---
 dependency-track.yaml | 4 +++-
 dependency-track/pombump.yaml | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 dependency-track/pombump.yaml
diff --git a/dependency-track.yaml b/dependency-track.yaml
index eae7ccf19a9..338acc9922c 100644
--- a/dependency-track.yaml
+++ b/dependency-track.yaml
@@ -1,7 +1,7 @@
 package:
 name: dependency-track
 version: 4.10.1
- epoch: 1
+ epoch: 2
 description:
 copyright:
 - license: Apache-2.0
@@ -29,6 +29,8 @@ pipeline:
 tag: ${{package.version}}
 expected-commit: fcb8e784d9b208de5ab755a979a48f2535f3c390
 
+ - uses: maven/pombump
+
 - runs: |
 export LANG=en_US.UTF-8
 # Build the API Server and the bundled UI jars
diff --git a/dependency-track/pombump.yaml b/dependency-track/pombump.yaml
new file mode 100644
index 00000000000..3282b730dd9
--- /dev/null
+++ b/dependency-track/pombump.yaml
@@ -0,0 +1,11 @@
+patches:
+ - groupId: org.apache.commons
+ artifactId: commons-compress
+ version: 1.26.0
+ scope: import
+ type: jar
+ - groupId: org.postgresql
+ artifactId: postgresql
+ version: 42.6.1
+ scope: import
+ type: jar
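Review bot: The added `- uses: maven/pombump` step in the second hunk of dependency-track.yaml has no `with:` block, so which patch file it reads is left to the pipeline's default, and that default is not visible in this patch. If the default path does not match `dependency-track/pombump.yaml`, the Maven build may run without the version overrides and the package would still ship the older jars; how the step behaves on a missing file is not shown here, so this is inferred. Naming the patch file explicitly in the step, with a comment such as `# applies dependency-track/pombump.yaml before the Maven build below`, would make that dependency visible to the next editor. The pipeline list starts and continues outside the hunk.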
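Review bot: Neither entry in the new dependency-track/pombump.yaml says which advisory it addresses, and the commit subject only says "Fix CVEs", so a later maintainer cannot tell when a pin can be dropped or whether an upstream release already covers it. A comment above each entry would do, for example `# <ADVISORY-ID placeholder>: fixed in commons-compress 1.26.0` and `# <ADVISORY-ID placeholder>: fixed in postgresql 42.6.1`. The unquoted `version: 1.26.0` and `version: 42.6.1` load as strings, but quoting them (`version: "1.26.0"`) protects a future two-part version from being read as a float. Nothing in the visible hunks checks that the override took effect, so it is worth confirming after the build that the bundled jars carry these versions.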