dependency upgrades and suppress irrelevant security vulnerability in jackson-databind

This commit is contained in:
Michael Hoennig 2022-10-05 06:31:53 +02:00
parent a93143ff00
commit 398f15d5de
3 changed files with 15 additions and 7 deletions


@ -1,11 +1,11 @@
plugins {
id 'java'
id 'org.springframework.boot' version '2.7.3'
id 'org.springframework.boot' version '2.7.4'
id 'io.openapiprocessor.openapi-processor' version '2022.2'
id 'io.spring.dependency-management' version '1.0.13.RELEASE'
id 'io.spring.dependency-management' version '1.0.14.RELEASE'
id 'com.github.jk1.dependency-license-report' version '2.1'
id "org.owasp.dependencycheck" version "7.1.2"
id "com.diffplug.spotless" version "6.10.0"
id "org.owasp.dependencycheck" version "7.2.1"
id "com.diffplug.spotless" version "6.11.0"
id 'jacoco'
id 'info.solidsoft.pitest' version '1.9.0'
id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@ -57,7 +57,7 @@ dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springdoc:springdoc-openapi-ui:1.6.11'
implementation 'org.liquibase:liquibase-core'
implementation 'com.vladmihalcea:hibernate-types-55:2.19.0'
implementation 'com.vladmihalcea:hibernate-types-55:2.19.2'
implementation 'org.openapitools:jackson-databind-nullable:0.2.3'
implementation 'org.modelmapper:modelmapper:3.1.0'
@ -75,10 +75,10 @@ dependencies {
testImplementation 'org.testcontainers:testcontainers'
testImplementation 'org.testcontainers:junit-jupiter'
testImplementation 'org.testcontainers:postgresql'
testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0-rc1'
testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0'
testImplementation 'io.rest-assured:spring-mock-mvc'
testImplementation 'org.hamcrest:hamcrest-core:2.2'
testImplementation 'org.pitest:pitest-junit5-plugin:1.0.0'
testImplementation 'org.pitest:pitest-junit5-plugin:1.1.0'
}
dependencyManagement {


@ -7,4 +7,11 @@
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
We don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature and thus are not affected.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2022-42003</cve>
</suppress>
</suppressions>
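Review bot: The new suppress block matches `jackson-databind@.*$` with no `until` date, so CVE-2022-42003 stays hidden for every future version of the artifact and the scanner will never prompt a re-check once a fixed release reaches the Spring BOM. The justification in the notes ("we don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature") is a property of the current code, not of the library, so the suppression should expire and be re-validated rather than be permanent; the suppress element takes an `until` attribute for exactly this, e.g. `<suppress until="<REVIEW-DATE, e.g. YYYY-MM-DDZ>">`. It would also help a later reviewer if the notes stated how the claim was verified, for instance that no `ObjectMapper` configuration in the project enables `DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS`, so the check can be repeated when the suppression comes up for review.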


@ -2,6 +2,7 @@
# Spring BOM overrides
postgresql.version = 42.4.1
snakeyaml.version = 1.32
jackson-databind = 2.13.4
# TODO: can be removed if all dependencies are JDK 16 compliant, check with `gw clean check`
# and check output for "cannot access class ... because module jdk.compiler does not export ..."