Merge pull request #113 from Nuvindu/fix-vulnerability

Fix CVE-2023-44483 Vulnerability in Ballerina SOAP Module

ballerina/Ballerina.toml

@@ -37,5 +37,5 @@ path = "./lib/wss4j-ws-security-common-3.0.1.jar"
 [[platform.java17.dependency]]
 groupId = "org.apache.santuario"
 artifactId = "xmlsec"
-version = "3.0.2"
-path = "./lib/xmlsec-3.0.2.jar"
+version = "3.0.3"
+path = "./lib/xmlsec-3.0.3.jar"

ballerina/Dependencies.toml

@@ -64,7 +64,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.10.3"
+version = "2.10.1"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},

gradle.properties

@@ -36,7 +36,8 @@ stdlibHttpVersion=2.10.1
 stdlibTransactionVersion=1.8.0
 wsSecurityDomVersion=3.0.1
 wsSecurityCommonVersion=3.0.1
-xmlSecVersion=3.0.2
+xmlSecVersion=3.0.3
+guavaVersion=32.1.1-jre
 
 # Ballerinax Observer
 observeVersion=1.2.0

native/build.gradle

@@ -28,10 +28,10 @@ dependencies {
     checkstyle "com.puppycrawl.tools:checkstyle:${checkstylePluginVersion}"
 
     implementation group: 'org.ballerinalang', name: 'ballerina-runtime', version: "${ballerinaLangVersion}"
-    implementation 'com.google.guava:guava:32.1.1-jre'
-    implementation 'org.apache.wss4j:wss4j-ws-security-dom:3.0.1'
-    implementation 'org.apache.santuario:xmlsec:3.0.2'
-    implementation 'org.apache.wss4j:wss4j-ws-security-common:3.0.1'
+    implementation group: 'com.google.guava', name: 'guava', version: "${guavaVersion}"
+    implementation group: 'org.apache.wss4j', name: 'wss4j-ws-security-dom', version: "${wsSecurityDomVersion}"
+    implementation group: 'org.apache.wss4j', name: 'wss4j-ws-security-common', version: "${wsSecurityCommonVersion}"
+    implementation group: 'org.apache.santuario', name: 'xmlsec', version: "${xmlSecVersion}"
     compileOnly group: 'org.graalvm.nativeimage', name: 'svm', version: '22.2.0'
 }