Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps):[#xxx] fix OWASP dependency errors #729

Merged
merged 15 commits into from
Jan 26, 2024
Merged

chore(deps):[#xxx] fix OWASP dependency errors #729

merged 15 commits into from
Jan 26, 2024

Conversation

dsmf
Copy link

@dsmf dsmf commented Jan 22, 2024
edited
Loading

  • Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because according to comment in CVE this is not applicable for us.

  • Update to Spring Boot 3.1.8: This fixes the following CVEs:

@github-actions GitHub Actions
Copy link

CHANGELOG file was not updated! Make sure to include important changes.

dsmf added 3 commits January 22, 2024 17:40
@dsmf
chore(deps):[#xxx] correct scope for logback dependency
a5ea055
@dsmf
chore(deps):[#xxx] remove unused maven property graal-sdk.version
c07d38a 
graal-sdk comes via transitive dependency from jsonschemafriend but newest version of this still uses 21.2.0. The property with the newer version isn't used anywhere anymore.
@dsmf
chore(deps):[#xxx] add owasp suppression for CVE-2024-20932
d88a890 
reason: https://nvd.nist.gov/vuln/detail/CVE-2024-20932
"... This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator)..."
@dsmf dsmf mentioned this pull request Jan 22, 2024
Open
@dsmf dsmf changed the title chore(deps):[#xxx] update logback.version to 1.4.14 because of CVE-20… chore(deps):[#xxx] update dependencies Jan 22, 2024
@dsmf dsmf changed the title chore(deps):[#xxx] update dependencies chore(deps):[#xxx] fix OWASP dependency errors Jan 22, 2024
ds-ext-kmassalski
ds-ext-kmassalski reviewed Jan 23, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
dsmf added 3 commits January 26, 2024 01:52
@dsmf
Merge remote-tracking branch 'origin/main' into chore/update-dependen…
4d87e64 
…cies

# Conflicts:
#	CHANGELOG.md
@dsmf
chore(deps):[#xxx] fix suppression for CVE-2023-51074 because only us…
4dceefb 
…ed in tests
@dsmf
chore(deps):[#xxx] fix spring-core-6.0.14.jar: CVE-2024-22233(7.5) by…
2b375d9 
… updating spring boot to 3.1.8

also fixes CVE-2023-6378 logback serialization vulnerability therefore undo of manual dependency management for logback
@dsmf dsmf marked this pull request as ready for review January 26, 2024 01:34
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@dsmf dsmf merged commit e7a1d01 into main Jan 26, 2024
@dsmf dsmf deleted the chore/update-dependencies branch January 26, 2024 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ds-ext-kmassalski ds-ext-kmassalski ds-ext-kmassalski approved these changes

@ds-jhartmann ds-jhartmann Awaiting requested review from ds-jhartmann

@ds-psosnowski ds-psosnowski Awaiting requested review from ds-psosnowski

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dsmf @ds-ext-kmassalski