Merge pull request #582 from catenax-ng/chore/update-dependencies

Chore/update dependencies
catenax-ng · Oct 11, 2023 · 9198633 · 9198633
2 parents a947a38 + 8da4aa9
commit 9198633
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 92 deletions.
diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml
@@ -1,26 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        Transitive dependency of OkHttp. CVE is only relevant for Gradle builds, not relevant for IRS.
-        ]]></notes>
-        <gav regex="true">org\.jetbrains\.kotlin:.*</gav>
-        <vulnerabilityName>CVE-2022-24329</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability method not in IRS codebase (Files.createTempDir from guava).
-        ]]></notes>
-        <gav regex="true">com\.google\.guava:guava.*</gav>
-        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability method not in IRS codebase (Files.createTempDir from guava).
-        ]]></notes>
-        <gav regex="true">com\.google\.guava:guava.*</gav>
-        <vulnerabilityName>CVE-2023-2976</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Vulnerability is a false positive.
@@ -42,4 +21,11 @@
         <gav regex="true">org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*</gav>
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. This is not exploitable in IRS.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-22006</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -278,40 +278,24 @@ maven/mavencentral/org.eclipse.edc/validator-spi/0.1.3, Apache-2.0, approved, te
 maven/mavencentral/org.eclipse.edc/web-spi/0.1.3, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api/5.0.2, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.tractusx.irs/irs-api/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
@@ -346,12 +330,8 @@ maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.2, EPL-
 maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey
 maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
 maven/mavencentral/org.graalvm.js/js/21.2.0, UPL-1.0 AND (MPL-2.0 AND LicenseRef-MIT-style) AND (BSD-3-Clause AND UPL-1.0) AND (GPL-2.0-only WITH Classpath-exception-2.0 AND UPL-1.0)  AND (UPL-1.0 AND LicenseRef-Permission-Notice), approved, #10176
-maven/mavencentral/org.graalvm.polyglot/polyglot/23.1.0, UPL-1.0, approved, #10918
 maven/mavencentral/org.graalvm.regex/regex/21.2.0, UPL-1.0 AND (Unicode-TOU AND UPL-1.0), approved, #10181
-maven/mavencentral/org.graalvm.sdk/collections/23.1.0, UPL-1.0, approved, #10920
-maven/mavencentral/org.graalvm.sdk/graal-sdk/23.1.0, UPL-1.0, approved, #10914
-maven/mavencentral/org.graalvm.sdk/nativeimage/23.1.0, UPL-1.0, approved, #10921
-maven/mavencentral/org.graalvm.sdk/word/23.1.0, UPL-1.0, approved, #10917
+maven/mavencentral/org.graalvm.sdk/graal-sdk/21.2.0, UPL-1.0, approved, clearlydefined
 maven/mavencentral/org.graalvm.truffle/truffle-api/21.2.0, UPL-1.0, approved, #10219
 maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
@@ -403,6 +383,7 @@ maven/mavencentral/org.opentest4j/opentest4j/1.2.0, Apache-2.0, approved, clearl
 maven/mavencentral/org.ow2.asm/asm-commons/9.5, BSD-3-Clause, approved, #7553
 maven/mavencentral/org.ow2.asm/asm-tree/9.5, BSD-3-Clause, approved, #7555
 maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined
+maven/mavencentral/org.ow2.asm/asm/9.5, BSD-3-Clause, approved, #7554
 maven/mavencentral/org.projectlombok/lombok/1.18.30, MIT AND LicenseRef-Public-Domain, approved, CQ23907
 maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlydefined
 maven/mavencentral/org.scala-lang.modules/scala-java8-compat_2.13/1.0.0, Apache-2.0, approved, clearlydefined
@@ -465,7 +446,6 @@ maven/mavencentral/org.typelevel/spire-macros_2.13/0.17.0, MIT, approved, clearl
 maven/mavencentral/org.unbescape/unbescape/1.1.6.RELEASE, Apache-2.0, approved, CQ18904
 maven/mavencentral/org.webjars/swagger-ui/5.2.0, Apache-2.0, approved, #10221
 maven/mavencentral/org.wiremock/wiremock-standalone/3.2.0, MIT AND Apache-2.0, approved, #10919
-maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.1, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
 maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.5, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
 maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272
 maven/mavencentral/org.yaml/snakeyaml/1.33, Apache-2.0, approved, clearlydefined

diff --git a/irs-api/pom.xml b/irs-api/pom.xml
@@ -45,19 +45,10 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>${minio.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
-        <!-- Update snappy-java manually to avoid vulnerability CVE-2023-43642; can be removed after Minio updates their dependency -->
         <dependency>
             <groupId>org.xerial.snappy</groupId>
             <artifactId>snappy-java</artifactId>
-            <version>1.1.10.5</version>
         </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
@@ -170,16 +161,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!-- Update jsoup manually to avoid a vulnerability; can be removed after jsonschemafriend updates their dependency -->
         <dependency>
             <groupId>org.jsoup</groupId>
             <artifactId>jsoup</artifactId>
             <version>${jsoup.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.graalvm.sdk</groupId>
-            <artifactId>graal-sdk</artifactId>
-            <version>${graal-sdk.version}</version>
-        </dependency>
 
         <dependency>
             <groupId>org.eclipse.tractusx.irs</groupId>

diff --git a/irs-common/pom.xml b/irs-common/pom.xml
@@ -60,17 +60,10 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>${minio.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
-            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.xerial.snappy</groupId>
+            <artifactId>snappy-java</artifactId>
         </dependency>
         <dependency>
             <groupId>com.squareup.okio</groupId>

diff --git a/irs-edc-client/pom.xml b/irs-edc-client/pom.xml
@@ -133,23 +133,14 @@
                     <groupId>org.eclipse.edc</groupId>
                 </exclusion>
                 <exclusion>
-                    <artifactId>jetty-xml</artifactId>
-                    <groupId>org.eclipse.jetty</groupId>
-                </exclusion>
-                <exclusion>
-                    <artifactId>jetty-http</artifactId>
-                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>websocket-jakarta-server</artifactId>
+                    <groupId>org.eclipse.jetty.websocket</groupId>
                 </exclusion>
             </exclusions>
         </dependency>
         <dependency>
-            <artifactId>jetty-http</artifactId>
-            <groupId>org.eclipse.jetty</groupId>
-            <version>11.0.16</version>
-        </dependency>
-        <dependency>
-            <artifactId>jetty-xml</artifactId>
-            <groupId>org.eclipse.jetty</groupId>
+            <groupId>org.eclipse.jetty.websocket</groupId>
+            <artifactId>websocket-jakarta-server</artifactId>
             <version>11.0.16</version>
         </dependency>
         <dependency>

diff --git a/irs-policy-store/pom.xml b/irs-policy-store/pom.xml
@@ -37,17 +37,10 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>${minio.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
-            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.xerial.snappy</groupId>
+            <artifactId>snappy-java</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

diff --git a/pom.xml b/pom.xml
@@ -89,6 +89,7 @@
         <maven-assembly-plugin.version>3.3.0</maven-assembly-plugin.version>
         <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
         <license-tool-plugin.version>0.0.1-SNAPSHOT</license-tool-plugin.version>
+        <snappy-java.version>1.1.10.5</snappy-java.version>
     </properties>
 
     <dependencyManagement>
@@ -98,6 +99,27 @@
                 <artifactId>micrometer-registry-prometheus</artifactId>
                 <version>${micrometer.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.minio</groupId>
+                <artifactId>minio</artifactId>
+                <version>${minio.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bcprov-jdk15on</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <artifactId>snappy-java</artifactId>
+                        <groupId>org.xerial.snappy</groupId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <!-- Update snappy-java manually to avoid vulnerability CVE-2023-43642; can be removed after Minio updates their dependency -->
+            <dependency>
+                <groupId>org.xerial.snappy</groupId>
+                <artifactId>snappy-java</artifactId>
+                <version>${snappy-java.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>