From 57eca984c778e3b563bbf7278a168be4ed4770e4 Mon Sep 17 00:00:00 2001
From: Duarte Pires Lopes <49475154+Jefex7@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:39:31 +0100
Subject: [PATCH] DTSCCI-060 Reduce CVEs (#2846)

* Remove CVEs
* Adding & Upgrading dependencies
* Adding dependencies
* Upgrading dependencies
* Adding CVEs to suppressions.xml
* Add CVE to suppressions.xml
* Upgrade dependencies
---
 build.gradle | 10 +++--
 ccd-adapter/build.gradle | 2 +-
 ccd-sample-data/build.gradle | 2 +-
 config/owasp/suppressions.xml | 61 ++-----------------------------
 domain-model/build.gradle | 4 +-
 job-scheduler/build.gradle | 4 +-
 launch-darkly-client/build.gradle | 2 +-
 7 files changed, 17 insertions(+), 68 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6b312bece8..b54b7a2fb5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -36,7 +36,7 @@ def versions = [
 jackson : '2.17.0',
 junit : '5.7.1',
 junitPlatform : '1.7.1',
- elasticSearch : '7.17.18'
+ elasticSearch : '7.17.20'
 ]
 allprojects {
@@ -115,16 +115,20 @@ allprojects {
 dependencySet(group: 'com.google.guava', version: '32.0.1-jre') {
 entry 'guava'
 }
+ //Solves CVE-2023-35116
 dependency group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: versions.jackson
 dependency group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: versions.jackson
 dependency group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: versions.jackson
+ //Solves CVE-2022-45688, CVE-2023-5072
+ dependency group: 'org.json', name: 'json', version: '20231013'
+
 // solves CVE-2022-25857
 dependencySet(
 group: 'org.yaml',
- version: '1.33'
+ version: '2.0'
 ) {
 entry 'snakeyaml'
 }
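Review bot: The snakeyaml constraint in the dependencyManagement block jumps from 1.33 to 2.0, a major release that removes the unsafe default `Constructor` behaviour, yet the comment above it still reads `// solves CVE-2022-25857` as if this were the 1.x pin; update it to `// 2.x: solves CVE-2022-25857 and CVE-2022-1471 (unsafe default Constructor removed) — suppression for the latter dropped`. Whether the Spring Boot line this project is on can bootstrap against SnakeYAML 2.x is not visible in this hunk, so that should be confirmed by starting the service and loading its application YAML rather than relying on a green compile. The new `//Solves CVE-2023-35116` note on jackson-databind overstates things: that CVE is disputed by the Jackson maintainers as not a real vulnerability, so `// clears the CVE-2023-35116 (disputed) dependency-check finding` is the more honest wording. The allprojects block this hunk sits in begins before and ends after the hunk.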
@@ -201,7 +205,7 @@ dependencies {
 exclude group: 'java-logging', module: ' java-logging'
 }
 implementation group: 'uk.gov.hmcts.reform', name: 'document-management-client', version: '7.0.0'
- implementation group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.1.0'
+ implementation group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.3.0'
 implementation group: 'uk.gov.hmcts.reform', name: 'core-case-data-store-client', version: '4.7.6'
 implementation group: 'com.github.hmcts', name: 'ccd-case-document-am-client', version: '1.7.1'
 implementation group: 'com.github.hmcts', name: 'doc-assembly-client', version: '1.2.2'
diff --git a/ccd-adapter/build.gradle b/ccd-adapter/build.gradle
index 904db48512..ee4d643080 100644
--- a/ccd-adapter/build.gradle
+++ b/ccd-adapter/build.gradle
@@ -6,7 +6,7 @@ dependencies {
 implementation group: 'org.springframework.boot', name: 'spring-boot-starter'
 implementation group: 'org.springframework.boot', name: 'spring-boot-starter-json'
 implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
- implementation group: 'com.google.guava', name: 'guava', version: '30.1.1-jre'
+ implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
 annotationProcessor group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
 compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
diff --git a/ccd-sample-data/build.gradle b/ccd-sample-data/build.gradle
index d53420fffd..71ef6f46f4 100644
--- a/ccd-sample-data/build.gradle
+++ b/ccd-sample-data/build.gradle
@@ -9,5 +9,5 @@ dependencies {
 implementation project(':domain-model')
 implementation group: 'org.springframework.boot', name: 'spring-boot-starter-json'
- implementation group: 'com.google.guava', name: 'guava', version: '31.1-jre'
+ implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
 }
diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
index 5e4a83ba94..b5eed8c1e2 100644
--- a/config/owasp/suppressions.xml
+++ b/config/owasp/suppressions.xml
@@ -1,66 +1,11 @@
- + CVE-2023-39017 - CVE-2023-6378 CVE-2022-45688 + CVE-2024-23446 + CVE-2024-22257 CVE-2023-5072 CVE-2023-33202 - - - ^pkg:maven/commons\-fileupload/commons\-fileupload@.*$ - CVE-2023-24998 - - - - ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2023-2976 - - - - ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2020-8908 - - - - ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2023-2976 - - - - ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2020-8908 - - - - ^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$ - CVE-2023-31582 - - - - ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2023-2976 - - - - ^pkg:maven/org\.yaml/snakeyaml@.*$ - CVE-2022-1471 -
diff --git a/domain-model/build.gradle b/domain-model/build.gradle
index fc1e464555..9b9945206c 100644
--- a/domain-model/build.gradle
+++ b/domain-model/build.gradle
@@ -13,7 +13,7 @@ dependencies {
 implementation group: 'cz.jirutka.validator', name: 'validator-collection', version: '2.2.0'
 // The below fixes https://nvd.nist.gov/vuln/detail/CVE-2019-12384 while waiting for spring to pull new version
- implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.16.1'
+ implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.17.0'
 annotationProcessor group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
 compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
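Review bot: CVE-2022-45688 and CVE-2023-5072 survive in the suppression list even though this same commit pins `org.json:json:20231013` in build.gradle with a comment saying it solves exactly those two; a suppression for a CVE the build has actually fixed is dead weight that silently hides a regression if that pin is later dropped, so remove both entries and let the scanner confirm the upgrade. CVE-2024-23446 and CVE-2024-22257 are added without any visible justification — the XML markup is not rendered here, so if those entries carry no `<notes>` explaining why the finding is a false positive or unreachable and no expiry, add them, e.g. `<notes>CVE-2024-22257: not reachable here because …; re-evaluate on the next upgrade of the affected artifact</notes>` together with a dated `until=` attribute. The entries that remain also appear to be bare CVE matches, unlike the `packageUrl`-scoped suppressions this hunk removes; if so, scope each one to the artifact that raises it so the suppression cannot mask the same CVE reappearing in a different dependency.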
@@ -24,7 +24,7 @@ dependencies {
 testImplementation group: 'org.assertj', name: 'assertj-core', version: '3.20.2'
 testImplementation group: 'javax.el', name: 'javax.el-api', version: '3.0.0'
 testImplementation group: 'org.glassfish.web', name: 'javax.el', version: '2.2.6'
- testImplementation group: 'com.google.guava', name: 'guava', version: '30.1.1-jre'
+ testImplementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
 testImplementation group: 'org.mockito', name: 'mockito-junit-jupiter', version: '3.6.28'
 testImplementation group: 'org.junit.jupiter', name:'junit-jupiter-params', version:'5.7.0'
 testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: '5.7.0'
diff --git a/job-scheduler/build.gradle b/job-scheduler/build.gradle
index ccc49dfdf7..637ced4e54 100644
--- a/job-scheduler/build.gradle
+++ b/job-scheduler/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'jacoco'
 def versions = [
- logback : '1.2.10',
+ logback : '1.2.13',
 reformJavaLogging: '4.0.0'
 ]
@@ -11,7 +11,7 @@ dependencies {
 implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc'
 implementation group: 'org.springframework.boot', name: 'spring-boot-starter-aop'
 implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.2'
- implementation group: 'com.google.guava', name: 'guava', version: '30.1.1-jre'
+ implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
 implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
 annotationProcessor group: 'org.projectlombok', name: 'lombok', version: '1.18.26'
diff --git a/launch-darkly-client/build.gradle b/launch-darkly-client/build.gradle
index c3a202bc4a..dcc4afcc79 100644
--- a/launch-darkly-client/build.gradle
+++ b/launch-darkly-client/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'jacoco'
 dependencies {
- implementation group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.1.0'
+ implementation group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '6.3.0'
 implementation group: 'org.springframework', name: 'spring-context-support'
 testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api'