dependency upgrades and suppress irrelevant security vulnerability in jackson-databind

2022-10-05 06:31:53 +02:00 · 2022-10-05 06:31:53 +02:00 · 398f15d5de
commit 398f15d5de
parent a93143ff00
3 changed files with 15 additions and 7 deletions
--- a/build.gradle
+++ b/build.gradle
@ -1,11 +1,11 @@
 plugins {
    id 'java'
-    id 'org.springframework.boot' version '2.7.3'
+    id 'org.springframework.boot' version '2.7.4'
    id 'io.openapiprocessor.openapi-processor' version '2022.2'
-    id 'io.spring.dependency-management' version '1.0.13.RELEASE'
+    id 'io.spring.dependency-management' version '1.0.14.RELEASE'
    id 'com.github.jk1.dependency-license-report' version '2.1'
-    id "org.owasp.dependencycheck" version "7.1.2"
-    id "com.diffplug.spotless" version "6.10.0"
+    id "org.owasp.dependencycheck" version "7.2.1"
+    id "com.diffplug.spotless" version "6.11.0"
    id 'jacoco'
    id 'info.solidsoft.pitest' version '1.9.0'
    id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@ -57,7 +57,7 @@ dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springdoc:springdoc-openapi-ui:1.6.11'
    implementation 'org.liquibase:liquibase-core'
-    implementation 'com.vladmihalcea:hibernate-types-55:2.19.0'
+    implementation 'com.vladmihalcea:hibernate-types-55:2.19.2'
    implementation 'org.openapitools:jackson-databind-nullable:0.2.3'
    implementation 'org.modelmapper:modelmapper:3.1.0'

@ -75,10 +75,10 @@ dependencies {
    testImplementation 'org.testcontainers:testcontainers'
    testImplementation 'org.testcontainers:junit-jupiter'
    testImplementation 'org.testcontainers:postgresql'
-    testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0-rc1'
+    testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0'
    testImplementation 'io.rest-assured:spring-mock-mvc'
    testImplementation 'org.hamcrest:hamcrest-core:2.2'
-    testImplementation 'org.pitest:pitest-junit5-plugin:1.0.0'
+    testImplementation 'org.pitest:pitest-junit5-plugin:1.1.0'
 }

 dependencyManagement {
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@ -7,4 +7,11 @@
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
    </suppress>
+    <suppress>
+        <notes><![CDATA[
+           We don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature and thus are not affected.
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <cve>CVE-2022-42003</cve>
+    </suppress>
 </suppressions>
--- a/gradle.properties
+++ b/gradle.properties
@ -2,6 +2,7 @@
 # Spring BOM overrides
 postgresql.version = 42.4.1
 snakeyaml.version = 1.32
+jackson-databind = 2.13.4

 # TODO: can be removed if all dependencies are JDK 16 compliant, check with `gw clean check`
 # and check output for "cannot access class ... because module jdk.compiler does not export ..."