DTSCCI-060 Reduce CVEs (#2844)

* Remove CVEs * Adding & Upgrading dependencies * Adding dependencies * Upgrading dependencies * Adding CVEs to suppressions.xml * Add CVE to suppressions.xml
hmcts · Apr 18, 2024 · 2760a78 · 2760a78
1 parent 548f599
commit 2760a78
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 77 deletions.
diff --git a/build.gradle b/build.gradle
@@ -25,15 +25,15 @@ dependencyUpdates.resolutionStrategy = {
 }
 
 def springBootVersion = plugins.getPlugin('org.springframework.boot').class.package.implementationVersion
-def springCloudVersion = '2021.0.3'
+def springCloudVersion = '2021.0.9'
 
 def versions = [
   logback           : '1.2.13',
   springBoot        : springBootVersion,
   reformJavaLogging : '5.1.7',
   loggingAppinsights : '5.1.7',
   restAssuredVersion: '4.2.0',
-  jackson           : '2.16.1',
+  jackson           : '2.17.0',
   junit             : '5.7.1',
   junitPlatform     : '1.7.1',
   elasticSearch     : '7.17.18'
@@ -110,78 +110,31 @@ allprojects {
       mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
     }
     dependencies {
-      // CVE-2020-13935
-      dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.86') {
-        entry 'tomcat-embed-core'
-        entry 'tomcat-embed-el'
-        entry 'tomcat-embed-websocket'
-      }
       // checkstyle needs a certain version and so does spring fox swagger, so can't use latest
       // fun times...
       dependencySet(group: 'com.google.guava', version: '32.0.1-jre') {
         entry 'guava'
       }
-      // solves CVE-2019-12086
-      // remove once spring manager incorporates this changes
-      dependencySet(
-        group: 'com.fasterxml.jackson.core',
-        version: versions.jackson
-      ) {
-        entry 'jackson-core'
-      }
-      dependencySet(
-        group: 'com.fasterxml.jackson.core',
-        version: versions.jackson
-      ) {
-        entry 'jackson-databind'
-      }
-      dependencySet(
-        group: 'com.fasterxml.jackson.datatype',
-        version: versions.jackson
-      ) {
-        entry 'jackson-datatype-jdk8'
-        entry 'jackson-datatype-jsr310'
-      }
-      dependencySet(
-        group: 'com.fasterxml.jackson.module',
-        version: versions.jackson
-      ) {
-        entry 'jackson-module-parameter-names'
-      }
-      dependencySet(
-        group: 'com.fasterxml.jackson.core',
-        version: versions.jackson
-      ) {
-        entry 'jackson-annotations'
-      }
-      // solves CVE-2019-13990
-      dependencySet(
-        group: 'org.quartz-scheduler',
-        version: '2.3.2'
-      ) {
-        entry 'quartz'
-      }
+      //Solves CVE-2023-35116
+      dependency group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: versions.jackson
+      dependency group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: versions.jackson
+      dependency group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: versions.jackson
+
+
       // solves CVE-2022-25857
       dependencySet(
         group: 'org.yaml',
         version: '1.33'
       ) {
         entry 'snakeyaml'
       }
+
+      //Solves CVE-2023-6481,
       dependencySet(group: 'ch.qos.logback', version: '1.2.13') {
         entry 'logback-core'
         entry 'logback-classic'
       }
-      // solves CVE-2019-14900
-      dependency 'org.hibernate:hibernate-validator:6.2.4.Final'
 
-      // solves CVE-2020-25638
-      dependencySet(
-        group: 'org.hibernate',
-        version: '5.4.24.Final'
-      ) {
-        entry 'hibernate-core'
-      }
       dependencySet(
         group: 'org.hibernate',
         version: '6.2.4.Final'
@@ -236,7 +189,7 @@ dependencies {
   implementation group: 'org.elasticsearch', name: 'elasticsearch', version: versions.elasticSearch
   implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.2'
 
-  implementation group: 'uk.gov.service.notify', name: 'notifications-java-client', version: '3.17.2-RELEASE'
+  implementation group: 'uk.gov.service.notify', name: 'notifications-java-client', version: '5.0.1-RELEASE'
 
   implementation group: 'uk.gov.hmcts.reform', name: 'logging', version: versions.reformJavaLogging
   implementation group: 'uk.gov.hmcts.reform', name: 'logging-appinsights', version: versions.loggingAppinsights

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,27 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2024-04-01">
-        <cve>CVE-2023-24998</cve>
-        <cve>CVE-2022-1471</cve>
-        <cve>CVE-2020-8908</cve>
-        <cve>CVE-2023-2976</cve>
-        <cve>CVE-2023-33201</cve>
-        <cve>CVE-2020-5408</cve>
-        <cve>CVE-2016-1000027</cve>
-        <cve>CVE-2023-31582</cve>
-    </suppress>
-    <suppress until="2024-04-18">
+    <suppress until="2024-10-18">
+        <cve>CVE-2023-39017</cve>
+        <cve>CVE-2023-6378</cve>
         <cve>CVE-2022-45688</cve>
         <cve>CVE-2023-5072</cve>
-        <cve>CVE-2023-39017</cve>
-        <cve>CVE-2023-20860</cve>
         <cve>CVE-2023-33202</cve>
-        <cve>CVE-2023-34055</cve>
-        <cve>CVE-2023-46589</cve>
-        <cve>CVE-2023-6378</cve>
-        <cve>CVE-2023-51775</cve>
-        <cve>CVE-2024-23446</cve>
-        <cve>CVE-2024-22243</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[