From c28d2afe2ad29f4b25b06178b9623f7efa909814 Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 10:17:24 +1000
Subject: [PATCH 1/6] add cve

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 cvss-suppressions.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cvss-suppressions.xml b/cvss-suppressions.xml
index 1b2804d97..59d8fa5b6 100644
--- a/cvss-suppressions.xml
+++ b/cvss-suppressions.xml
@@ -7,6 +7,7 @@
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.consensys\.quorum\.tessera/partyinfo\-model@.*$</packageUrl>
         <cpe>cpe:/a:model_project:model</cpe>
+        <cve>CVE-2020-36460</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
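Review bot: The added `<cve>CVE-2020-36460</cve>` has no recorded justification. The `<notes>` for this entry begin above the hunk, and neither the hunk nor the commit message ("add cve") says why the CVE does not apply to `partyinfo-model`. The entry's `packageUrl` regex ends in `@.*$`, so the suppression covers every future version of the artifact and will not be re-evaluated unless someone revisits it. I would add a line to the notes such as `CVE-2020-36460 is reported against cpe:/a:model_project:model; partyinfo-model appears to match by name only` (author to confirm). If this is an OWASP dependency-check suppression file, as the element names suggest, an `until` date on `<suppress>` would force that review.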

From 7f7b46f0c7494efe79d23cd8da98d0a51a6d3b23 Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 10:31:15 +1000
Subject: [PATCH 2/6] uprev snakeyaml

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 build.gradle | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build.gradle b/build.gradle
index 75bf1bf32..29cde772a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -68,6 +68,8 @@ allprojects {
         testImplementation "nl.jqno.equalsverifier:equalsverifier:3.7.1"
         testImplementation "com.mockrunner:mockrunner-jdbc:2.0.4"
 
+        implementation "org.yaml:snakeyaml:1.31" // transitive dependency of jackson-databind:2.13.3
+
         implementation "commons-cli:commons-cli:1.5.0"
         implementation "commons-codec:commons-codec:1.15"
         implementation "commons-io:commons-io:2.11.0"
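Review bot: The trailing comment on the new `org.yaml:snakeyaml:1.31` line looks inaccurate and does not say why the version is pinned. As far as I know, jackson-databind depends only on jackson-core and jackson-annotations, and snakeyaml usually arrives through jackson-dataformat-yaml, so someone auditing the dependency tree would be pointed at the wrong module. Declaring it as `implementation` inside `allprojects` also adds snakeyaml to the classpath of every module, including any that never resolved it before. A constraint pins the version only where it is already pulled in, e.g. `constraints { implementation("org.yaml:snakeyaml:1.31") { because "<advisory id or reason for the pin>" } }`. The enclosing `dependencies` block starts and ends outside the hunk.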

From fa0d7217eea846a9c290f40ac4e82c2ea47143c1 Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 10:53:57 +1000
Subject: [PATCH 3/6] force versions of snakeyaml and databind via
 configurations

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 tessera-jaxrs/sync-jaxrs/build.gradle | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tessera-jaxrs/sync-jaxrs/build.gradle b/tessera-jaxrs/sync-jaxrs/build.gradle
index 2fefe7a72..a94648f7f 100644
--- a/tessera-jaxrs/sync-jaxrs/build.gradle
+++ b/tessera-jaxrs/sync-jaxrs/build.gradle
@@ -3,6 +3,12 @@ plugins {
   id "java-library"
 }
 
+configurations.all {
+    resolutionStrategy {
+      force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
+    }
+}
+
 dependencies {
 
   implementation project(":tessera-jaxrs:common-jaxrs")
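Review bot: The `force` line added in `configurations.all` hard-codes `jackson-databind:2.13.3`, whereas the constraint this patch removes further down used `$jacksonDatabindVersion` and carried a `because` reason. The pin now has a second source of truth and no stated rationale. Because `force` overrides every other request for the module, it would also hold the build at these versions if a dependency later asks for a newer, patched release. Consider `force "org.yaml:snakeyaml:1.31", "com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion"` (assuming that property is meant to be 2.13.3), with `// pinned for <advisory id>; remove once transitive versions catch up` above it. The same block is repeated in patch 6/6 for openapi/generate, thirdparty-jaxrs and transaction-jaxrs, and thirdparty-jaxrs declares `api "com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion"` directly below it, so declaring it once in the root `allprojects` block would keep four copies from drifting apart.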
@@ -29,12 +35,6 @@ dependencies {
   api "jakarta.inject:jakarta.inject-api"
 
   compileOnly project(':tessera-jaxrs:openapi:common')
-
-  constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion") {
-      because 'databind less than 2.13.2.2 has a bug'
-    }
-  }
 }
 
 jar {
@@ -50,8 +50,8 @@ jar {
 def generatedResources = "${project.buildDir}/generated-resources/openapi"
 
 resolve {
-  classpath = sourceSets.main.compileClasspath.plus(sourceSets.main.runtimeClasspath)
-  outputDir = file(generatedResources)
+  classpath = sourceSets.main.output
+    outputDir = file(generatedResources)
   outputFileName = "openapi.p2p"
   outputFormat = "JSONANDYAML"
   prettyPrint = "TRUE"

From 45196e14edbf6db08961299e48b57a907d30c960 Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 11:10:33 +1000
Subject: [PATCH 4/6] revert unintended change to classpath

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 tessera-jaxrs/sync-jaxrs/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tessera-jaxrs/sync-jaxrs/build.gradle b/tessera-jaxrs/sync-jaxrs/build.gradle
index a94648f7f..587101574 100644
--- a/tessera-jaxrs/sync-jaxrs/build.gradle
+++ b/tessera-jaxrs/sync-jaxrs/build.gradle
@@ -50,7 +50,7 @@ jar {
 def generatedResources = "${project.buildDir}/generated-resources/openapi"
 
 resolve {
-  classpath = sourceSets.main.output
+  classpath = sourceSets.main.compileClasspath.plus(sourceSets.main.runtimeClasspath)
     outputDir = file(generatedResources)
   outputFileName = "openapi.p2p"
   outputFormat = "JSONANDYAML"

From f84660572586cb9a830bed1c6db4e93b8d6c044e Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 11:19:32 +1000
Subject: [PATCH 5/6] formatting

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 tessera-jaxrs/sync-jaxrs/build.gradle | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tessera-jaxrs/sync-jaxrs/build.gradle b/tessera-jaxrs/sync-jaxrs/build.gradle
index 587101574..92b6db6dd 100644
--- a/tessera-jaxrs/sync-jaxrs/build.gradle
+++ b/tessera-jaxrs/sync-jaxrs/build.gradle
@@ -4,9 +4,9 @@ plugins {
 }
 
 configurations.all {
-    resolutionStrategy {
-      force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
-    }
+  resolutionStrategy {
+    force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
+  }
 }
 
 dependencies {
@@ -51,7 +51,7 @@ def generatedResources = "${project.buildDir}/generated-resources/openapi"
 
 resolve {
   classpath = sourceSets.main.compileClasspath.plus(sourceSets.main.runtimeClasspath)
-    outputDir = file(generatedResources)
+  outputDir = file(generatedResources)
   outputFileName = "openapi.p2p"
   outputFormat = "JSONANDYAML"
   prettyPrint = "TRUE"

From 5a01e0177b90668cf21e21a54ba350ff45383250 Mon Sep 17 00:00:00 2001
From: Sally MacFarlane <macfarla.github@gmail.com>
Date: Tue, 6 Sep 2022 11:38:48 +1000
Subject: [PATCH 6/6] force versions of snakeyaml and databind via
 configurations

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
---
 tessera-jaxrs/openapi/generate/build.gradle  | 6 ++++++
 tessera-jaxrs/thirdparty-jaxrs/build.gradle  | 6 ++++++
 tessera-jaxrs/transaction-jaxrs/build.gradle | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/tessera-jaxrs/openapi/generate/build.gradle b/tessera-jaxrs/openapi/generate/build.gradle
index 9f4460218..b74aef802 100644
--- a/tessera-jaxrs/openapi/generate/build.gradle
+++ b/tessera-jaxrs/openapi/generate/build.gradle
@@ -2,6 +2,12 @@ plugins {
   id "io.swagger.core.v3.swagger-gradle-plugin"
 }
 
+configurations.all {
+  resolutionStrategy {
+    force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
+  }
+}
+
 dependencies {
   compileOnly project(":tessera-jaxrs:common-jaxrs")
   compileOnly project(":tessera-jaxrs:sync-jaxrs")
diff --git a/tessera-jaxrs/thirdparty-jaxrs/build.gradle b/tessera-jaxrs/thirdparty-jaxrs/build.gradle
index 2f9f1294a..0137a4baa 100644
--- a/tessera-jaxrs/thirdparty-jaxrs/build.gradle
+++ b/tessera-jaxrs/thirdparty-jaxrs/build.gradle
@@ -3,6 +3,12 @@ plugins {
   id "java-library"
 }
 
+configurations.all {
+  resolutionStrategy {
+    force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
+  }
+}
+
 dependencies {
   api 'io.swagger.core.v3:swagger-annotations'
   api "com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion"
diff --git a/tessera-jaxrs/transaction-jaxrs/build.gradle b/tessera-jaxrs/transaction-jaxrs/build.gradle
index 1176d5491..da8ecfa01 100644
--- a/tessera-jaxrs/transaction-jaxrs/build.gradle
+++ b/tessera-jaxrs/transaction-jaxrs/build.gradle
@@ -3,6 +3,12 @@ plugins {
   id "java-library"
 }
 
+configurations.all {
+  resolutionStrategy {
+    force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
+  }
+}
+
 dependencies {
   implementation project(":tessera-jaxrs:common-jaxrs")
   implementation project(":tessera-jaxrs:jaxrs-client")