Merge pull request #588 from hmcts/cve-fixes-150324-2

5197 Excluded H2 transitive dependency to resolve CVE
hmcts · Apr 3, 2024 · d8b65bf · d8b65bf
2 parents 6da2231 + 2e0610c
commit d8b65bf
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 12 deletions.
diff --git a/build.gradle b/build.gradle
@@ -86,6 +86,7 @@ configurations {
         exclude group: 'ch.qos.logback'
         exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
         exclude group: 'commons-logging', module: 'commons-logging'
+        exclude group: 'com.h2database', module: 'h2'
     }
 }
 // end::jar[]
@@ -173,7 +174,13 @@ dependencies {
     implementation group: 'org.springframework.security', name: 'spring-security-crypto', version: springSecurity
 
     // dependency check
-    implementation group: 'org.owasp', name: 'dependency-check-gradle', version: '9.0.4'
+    implementation 'org.owasp:dependency-check-gradle'
+    constraints {
+        implementation('org.owasp:dependency-check-gradle:9.0.9') {
+        }
+        implementation('org.owasp:dependency-check-core:9.0.9') {
+        }
+    }
 
     // CVE-2021-28170
     implementation "org.glassfish:jakarta.el:4.0.2"

diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -1,20 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?><suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
     <notes>Temporary Suppression
-        CVE-2023-33202 refer [Ticket]
-        CVE-2024-25710 refer [Ticket]
-        CVE-2024-26308 refer [Ticket]
-        CVE-2024-23686 refer [Ticket]
-        CVE-2022-45868 refer [Ticket]
-        CVE-2023-35116 refer [Ticket]
+        CVE-2023-2976 refer [Ticket]
+        CVE-2023-41080 refer [Ticket]
+        CVE-2023-42795 refer [Ticket]
+        CVE-2023-45648 refer [Ticket]
+        CVE-2023-44487 refer [Ticket]
+        CVE-2020-8908 refer [Ticket]
         CVE-2023-34053 refer [Ticket]
         CVE-2023-34055 refer [Ticket]
         CVE-2023-34042 refer [Ticket]
-        CVE-2023-44487 refer [Ticket]
-        CVE-2023-46589 refer [Ticket]
-        CVE-2023-42795 refer [Ticket]
-        CVE-2023-45648 refer [Ticket]
-        CVE-2024-1597 refer [Ticket]</notes>
+        CVE-2024-25710 refer [Ticket]
+        CVE-2024-26308 refer [Ticket]</notes>
+    <cve>CVE-2023-41080</cve>
+    <cve>CVE-2023-42795</cve>
+    <cve>CVE-2023-45648</cve>
+    <cve>CVE-2023-44487</cve>
+    <cve>CVE-2023-34053</cve>
+    <cve>CVE-2023-34055</cve>
+    <cve>CVE-2023-46589</cve>
+    <cve>CVE-2023-35116</cve>
     <cve>CVE-2023-33202</cve>
     <cve>CVE-2024-25710</cve>
     <cve>CVE-2024-26308</cve>