CIV-4869: [cmc-claim-store] - Fix for CVE-2021-28170 (#2839)

* CIV-4869: [cmc-claim-store] - Fix for CVE-2021-28170 * CIV-4869: [cmc-claim-store] - Fix for CVE-2021-28170 * CIV-4869: [cmc-claim-store] - Fix for CVE-2021-28170
hmcts · Mar 14, 2024 · e5273d6 · e5273d6
1 parent c8a2522
commit e5273d6
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 41 deletions.
diff --git a/build.gradle b/build.gradle
@@ -3,7 +3,7 @@ import java.util.stream.Collectors
 plugins {
   id 'checkstyle'
   id 'io.spring.dependency-management' version '1.1.0'
-  id 'org.springframework.boot' version '2.7.11'
+  id 'org.springframework.boot' version '2.7.18'
   id 'org.owasp.dependencycheck' version '8.0.1'
   id 'org.sonarqube' version '2.8'
   id 'com.github.ben-manes.versions' version '0.36.0'
@@ -28,14 +28,15 @@ def springBootVersion = plugins.getPlugin('org.springframework.boot').class.pack
 def springCloudVersion = '2021.0.3'
 
 def versions = [
-  logback           : '1.2.10',
+  logback           : '1.2.13',
   springBoot        : springBootVersion,
   reformJavaLogging : '5.1.7',
   loggingAppinsights : '5.1.7',
   restAssuredVersion: '4.2.0',
-  jackson           : '2.14.2',
+  jackson           : '2.16.1',
   junit             : '5.7.1',
   junitPlatform     : '1.7.1',
+  elasticSearch     : '7.17.18'
 ]
 
 allprojects {
@@ -110,14 +111,14 @@ allprojects {
     }
     dependencies {
       // CVE-2020-13935
-      dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.69') {
+      dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.86') {
         entry 'tomcat-embed-core'
         entry 'tomcat-embed-el'
         entry 'tomcat-embed-websocket'
       }
       // checkstyle needs a certain version and so does spring fox swagger, so can't use latest
       // fun times...
-      dependencySet(group: 'com.google.guava', version: '30.1.1-jre') {
+      dependencySet(group: 'com.google.guava', version: '32.0.1-jre') {
         entry 'guava'
       }
       // solves CVE-2019-12086
@@ -167,7 +168,7 @@ allprojects {
       ) {
         entry 'snakeyaml'
       }
-      dependencySet(group: 'ch.qos.logback', version: '1.2.10') {
+      dependencySet(group: 'ch.qos.logback', version: '1.2.13') {
         entry 'logback-core'
         entry 'logback-classic'
       }
@@ -232,8 +233,8 @@ dependencies {
 
   implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.6.15'
 
-  implementation group: 'org.elasticsearch', name: 'elasticsearch', version: '7.13.4'
-  implementation group: 'org.postgresql', name: 'postgresql', version: '42.3.7'
+  implementation group: 'org.elasticsearch', name: 'elasticsearch', version: versions.elasticSearch
+  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.2'
 
   implementation group: 'uk.gov.service.notify', name: 'notifications-java-client', version: '3.17.2-RELEASE'
 
@@ -266,7 +267,7 @@ dependencies {
   implementation group: 'org.springframework.security', name: 'spring-security-config'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server'
-  implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '9.25'
+  implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '9.37.3'
   implementation group: 'io.jsonwebtoken', name: 'jjwt', version: '0.9.1'
 
   implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,47 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2024-03-01">
-        <cve>CVE-2021-28170</cve>
-        <cve>CVE-2021-27568</cve>
-        <cve>CVE-2022-38752</cve>
-        <cve>CVE-2022-41946</cve>
-        <cve>CVE-2021-22044</cve>
-        <cve>CVE-2022-22978</cve>
-        <cve>CVE-2022-22976</cve>
-        <cve>CVE-2021-22119</cve>
-        <cve>CVE-2022-45688</cve>
+    <suppress until="2024-04-01">
         <cve>CVE-2023-24998</cve>
         <cve>CVE-2022-1471</cve>
-        <cve>CVE-2022-31692</cve>
-        <cve>CVE-2023-28708</cve>
-        <cve>CVE-2023-20861</cve>
-        <cve>CVE-2023-20863</cve>
-        <cve>CVE-2023-20873</cve>
-        <cve>CVE-2023-20862</cve>
-        <cve>CVE-2023-20883</cve>
         <cve>CVE-2020-8908</cve>
         <cve>CVE-2023-2976</cve>
-        <cve>CVE-2023-35116</cve>
-        <cve>CVE-2023-39017</cve>
-        <cve>CVE-2023-34034</cve>
         <cve>CVE-2023-33201</cve>
         <cve>CVE-2020-5408</cve>
         <cve>CVE-2016-1000027</cve>
-        <cve>CVE-2023-41080</cve>
-        <cve>CVE-2023-31419</cve>
-        <cve>CVE-2023-31418</cve>
-        <cve>CVE-2023-5072</cve>
-        <cve>CVE-2023-42795</cve>
-        <cve>CVE-2023-45648</cve>
         <cve>CVE-2023-31582</cve>
-        <cve>CVE-2023-44487</cve>
-        <cve>CVE-2023-6378</cve>
     </suppress>
     <suppress until="2024-04-18">
+        <cve>CVE-2022-45688</cve>
+        <cve>CVE-2023-5072</cve>
+        <cve>CVE-2023-39017</cve>
         <cve>CVE-2023-20860</cve>
         <cve>CVE-2023-33202</cve>
         <cve>CVE-2023-34055</cve>
         <cve>CVE-2023-46589</cve>
         <cve>CVE-2023-6378</cve>
+        <cve>CVE-2023-51775</cve>
+        <cve>CVE-2024-23446</cve>
+        <cve>CVE-2024-22243</cve>
     </suppress>
 </suppressions>
diff --git a/domain-model/build.gradle b/domain-model/build.gradle
@@ -13,7 +13,7 @@ dependencies {
   implementation group: 'cz.jirutka.validator', name: 'validator-collection', version: '2.2.0'
 
   //   The below fixes https://nvd.nist.gov/vuln/detail/CVE-2019-12384 while waiting for spring to pull new version
-  implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.14.2'
+  implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.16.1'
 
   annotationProcessor group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
   compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.26'

diff --git a/gradle.properties b/gradle.properties
@@ -3,4 +3,4 @@
 # seen when running :apiTests on Jenkins
 # This is a workaround for an issue with the Java 11 release currently being used.
 # See https://github.com/AdoptOpenJDK/openjdk-build/issues/893
-org.gradle.jvmargs=-XX:UseAVX=0
+# org.gradle.jvmargs=-XX:UseAVX=0
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/job-scheduler/build.gradle b/job-scheduler/build.gradle
@@ -10,7 +10,7 @@ dependencies {
   implementation group: 'org.springframework.retry', name: 'spring-retry'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-aop'
-  implementation group: 'org.postgresql', name: 'postgresql', version: '42.3.7'
+  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.2'
   implementation group: 'com.google.guava', name: 'guava', version: '30.1.1-jre'
   implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'