From 398f15d5dea5e83d74bdca4ad4f42c6373e1fbc9 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Wed, 5 Oct 2022 06:31:53 +0200
Subject: [PATCH] dependency upgrades and suppress irrelevant security vulnerability in jackson-databind
---
 build.gradle | 14 +++++++-------
 etc/owasp-dependency-check-suppression.xml | 7 +++++++
 gradle.properties | 1 +
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 0e573ba8..72217dc7 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,11 +1,11 @@
 plugins {
 id 'java'
- id 'org.springframework.boot' version '2.7.3'
+ id 'org.springframework.boot' version '2.7.4'
 id 'io.openapiprocessor.openapi-processor' version '2022.2'
- id 'io.spring.dependency-management' version '1.0.13.RELEASE'
+ id 'io.spring.dependency-management' version '1.0.14.RELEASE'
 id 'com.github.jk1.dependency-license-report' version '2.1'
- id "org.owasp.dependencycheck" version "7.1.2"
- id "com.diffplug.spotless" version "6.10.0"
+ id "org.owasp.dependencycheck" version "7.2.1"
+ id "com.diffplug.spotless" version "6.11.0"
 id 'jacoco'
 id 'info.solidsoft.pitest' version '1.9.0'
 id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@@ -57,7 +57,7 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-web'
 implementation 'org.springdoc:springdoc-openapi-ui:1.6.11'
 implementation 'org.liquibase:liquibase-core'
- implementation 'com.vladmihalcea:hibernate-types-55:2.19.0'
+ implementation 'com.vladmihalcea:hibernate-types-55:2.19.2'
 implementation 'org.openapitools:jackson-databind-nullable:0.2.3'
 implementation 'org.modelmapper:modelmapper:3.1.0'
@@ -75,10 +75,10 @@ dependencies {
 testImplementation 'org.testcontainers:testcontainers'
 testImplementation 'org.testcontainers:junit-jupiter'
 testImplementation 'org.testcontainers:postgresql'
- testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0-rc1'
+ testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0'
 testImplementation 'io.rest-assured:spring-mock-mvc'
 testImplementation 'org.hamcrest:hamcrest-core:2.2'
- testImplementation 'org.pitest:pitest-junit5-plugin:1.0.0'
+ testImplementation 'org.pitest:pitest-junit5-plugin:1.1.0'
 }
 dependencyManagement {
diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml
index 1776882e..4c258544 100644
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@@ -7,4 +7,11 @@
 ^pkg:maven/org\.springframework/spring-web@.*$
 CVE-2016-1000027
+
+
+ ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ CVE-2022-42003
+
diff --git a/gradle.properties b/gradle.properties
index dbea849e..96a64eb1 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -2,6 +2,7 @@
 # Spring BOM overrides
 postgresql.version = 42.4.1
 snakeyaml.version = 1.32
+jackson-databind = 2.13.4
 # TODO: can be removed if all dependencies are JDK 16 compliant, check with `gw clean check`
 # and check output for "cannot access class ... because module jdk.compiler does not export ..."
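Review bot: The new suppression matches `jackson\-databind@.*$` with no expiry, so CVE-2022-42003 is hidden for every present and future version of the library, not just the one the commit message judges irrelevant today. dependency-check's suppression schema supports `<suppress until="YYYY-MM-DD">` and a `<notes>` child; I would add `<suppress until="[REVIEW-DATE-PLACEHOLDER]">` and a one-line `<notes>` recording why the finding does not apply to this project, so the decision is re-examined and the reason survives the commit message. The rendered hunk has lost its element tags, so I cannot tell whether a notes element is already present; if it is, only the `until` bound is missing. An alternative is to narrow the packageUrl regex from `@.*` to the affected version range, so the entry stops matching once the project moves to a fixed release.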
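Review bot: `jackson-databind = 2.13.4` does not follow the `<name>.version` form used by the two sibling overrides (`postgresql.version`, `snakeyaml.version`), so Spring Boot's BOM override mechanism will most likely ignore it and the resolved jackson-databind version stays whatever the 2.7.4 BOM declares; in Spring Boot 2.7 the property that controls this is `jackson-bom.version`. Because the same commit suppresses CVE-2022-42003 for every jackson-databind version in etc/owasp-dependency-check-suppression.xml, an ineffective pin here would no longer be caught by the scanner. I would change the line to `jackson-bom.version = 2.13.4` and confirm the effective version with `gw dependencies` before relying on the suppression. As far as I recall the fix for this CVE landed in a 2.13.4.x patch release rather than 2.13.4 itself, so the chosen version is also worth verifying against the advisory.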