From 03f38218ffb5edb4e9857046a3d5ad18372c1d74 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Wed, 11 Oct 2023 15:57:05 +0200 Subject: [PATCH 1/6] chore(dependencies): Add minio dependency to root pom dependency management --- irs-api/pom.xml | 9 --------- irs-common/pom.xml | 15 ++++----------- irs-policy-store/pom.xml | 15 ++++----------- pom.xml | 22 ++++++++++++++++++++++ 4 files changed, 30 insertions(+), 31 deletions(-) diff --git a/irs-api/pom.xml b/irs-api/pom.xml index 7033434d67..cfd4b1a70f 100644 --- a/irs-api/pom.xml +++ b/irs-api/pom.xml @@ -45,19 +45,10 @@ io.minio minio - ${minio.version} - - - org.bouncycastle - bcprov-jdk15on - - - org.xerial.snappy snappy-java - 1.1.10.5 com.squareup.okhttp3 diff --git a/irs-common/pom.xml b/irs-common/pom.xml index 2c9ea7fe49..1473cbe828 100644 --- a/irs-common/pom.xml +++ b/irs-common/pom.xml @@ -60,17 +60,10 @@ io.minio minio - ${minio.version} - - - com.fasterxml.jackson.core - jackson-databind - - - org.bouncycastle - bcprov-jdk15on - - + + + org.xerial.snappy + snappy-java com.squareup.okio diff --git a/irs-policy-store/pom.xml b/irs-policy-store/pom.xml index 7b124de253..cafb6ea7bf 100644 --- a/irs-policy-store/pom.xml +++ b/irs-policy-store/pom.xml @@ -37,17 +37,10 @@ io.minio minio - ${minio.version} - - - com.fasterxml.jackson.core - jackson-databind - - - org.bouncycastle - bcprov-jdk15on - - + + + org.xerial.snappy + snappy-java org.springframework.boot diff --git a/pom.xml b/pom.xml index a6320a3c1c..e9e209dce3 100644 --- a/pom.xml +++ b/pom.xml @@ -89,6 +89,7 @@ 3.3.0 3.1.0 0.0.1-SNAPSHOT + 1.1.10.5 @@ -98,6 +99,27 @@ micrometer-registry-prometheus ${micrometer.version} + + io.minio + minio + ${minio.version} + + + org.bouncycastle + bcprov-jdk15on + + + snappy-java + org.xerial.snappy + + + + + + org.xerial.snappy + snappy-java + ${snappy-java.version} + From 2261e2548c40ccc713ceb7a7fe3f0cd82a125044 Mon Sep 17 00:00:00 2001 
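Review bot: The new managed `io.minio:minio` entry in the root pom carries over the `org.bouncycastle:bcprov-jdk15on` and `org.xerial.snappy:snappy-java` exclusions but not the `com.fasterxml.jackson.core:jackson-databind` exclusion that irs-common/pom.xml and irs-policy-store/pom.xml drop in the same patch, so those two modules may now resolve minio's transitive jackson-databind unless a parent BOM already pins it; a `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` run on both modules would settle that. The bcprov-jdk15on exclusion is moved without recording why minio can run without that provider, which is the kind of decision the next upgrade silently undoes; a one-line comment beside the exclusion, e.g. `<!-- bcprov-jdk15on excluded: <reason, e.g. replaced by a managed BouncyCastle artifact or the minio code path needing it is unused> -->`, keeps it reviewable. The snappy-java pin at 1.1.10.5 is the right place for it, since the module poms no longer need to repeat the version.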
From: Jaro Hartmann Date: Wed, 11 Oct 2023 15:59:10 +0200 Subject: [PATCH 2/6] chore(dependencies): Remove manual graalvm update since the vulnerability is in every version --- irs-api/pom.xml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/irs-api/pom.xml b/irs-api/pom.xml index cfd4b1a70f..9c546a88f4 100644 --- a/irs-api/pom.xml +++ b/irs-api/pom.xml @@ -161,16 +161,12 @@ + org.jsoup jsoup ${jsoup.version} - - org.graalvm.sdk - graal-sdk - ${graal-sdk.version} - org.eclipse.tractusx.irs From c917e9119af6cd8b76905071d1295e089e7f90db Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Wed, 11 Oct 2023 15:59:51 +0200 Subject: [PATCH 3/6] chore(dependencies): Suppress CVE CVE-2023-22006: This vulnerability does not apply to Java deployments that load and run only trusted code. This is not exploitable in IRS. --- .config/owasp-suppressions.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml index 4f117ce003..10e4ea68e4 100644 --- a/.config/owasp-suppressions.xml +++ b/.config/owasp-suppressions.xml @@ -42,4 +42,11 @@ org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.* .* + + + ^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$ + CVE-2023-22006 + \ No newline at end of file From 9668d76956ba143b9d5e3d947927b8650c5cde52 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Wed, 11 Oct 2023 16:02:23 +0200 Subject: [PATCH 4/6] chore(dependencies): Manually update EDC dependency jetty websocket --- irs-edc-client/pom.xml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/irs-edc-client/pom.xml b/irs-edc-client/pom.xml index 665605bcd7..640da1a559 100644 --- a/irs-edc-client/pom.xml +++ b/irs-edc-client/pom.xml 
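Review bot: Dropping the explicit `org.graalvm.sdk:graal-sdk` dependency from irs-api/pom.xml does more than stop a manual update: the DEPENDENCIES change later in this series shows graal-sdk resolving at 21.2.0 afterwards instead of 23.1.0, so the module is effectively downgraded to whatever its transitive consumer (presumably org.graalvm.js 21.2.0, judging by the same listing) pulls in. The rationale in the commit message (the vulnerability is present in every version) justifies not pinning, but not the downgrade itself; if the downgrade is intended, say so in the message. It is worth confirming that the older version has no other reported finding before the suppression for CVE-2023-22006 is treated as covering graal-sdk entirely.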
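Review bot: The new `<suppress>` entry matching `^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$` for CVE-2023-22006 has no expiry and, as far as the hunk as rendered here shows, no notes text, so the justification given in the commit message (only trusted code is loaded and run) is recorded nowhere in the repository. Put that rationale into the entry's `<notes>` element and add `until="<YYYY-MM-DDZ, review date>"` on the `<suppress>` element so dependency-check re-raises the finding for re-evaluation. The regex deliberately matches every graal-sdk version, which fits the commit's reasoning, but the note should state that the assumption must be revisited if untrusted scripts are ever evaluated. The file is also left without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.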
@@ -133,23 +133,14 @@ org.eclipse.edc - jetty-xml - org.eclipse.jetty - - - jetty-http - org.eclipse.jetty + websocket-jakarta-server + org.eclipse.jetty.websocket - jetty-http - org.eclipse.jetty - 11.0.16 - - - jetty-xml - org.eclipse.jetty + org.eclipse.jetty.websocket + websocket-jakarta-server 11.0.16 From 6440ad5f6f685d1d1cea90a108edca409fa33554 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Wed, 11 Oct 2023 16:02:51 +0200 Subject: [PATCH 5/6] chore(dependencies): Update DEPENDENCIES --- DEPENDENCIES | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/DEPENDENCIES b/DEPENDENCIES index 60f4003ef5..23338023a7 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES 
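Review bot: The override in irs-edc-client/pom.xml now excludes only `websocket-jakarta-server` from the EDC dependency and re-declares it at 11.0.16 while the previous explicit jetty-http and jetty-xml 11.0.16 declarations are removed, so one Jetty artifact is pinned and its siblings are left to whatever resolves transitively. The DEPENDENCIES listing in this series shows the whole Jetty set at 11.0.16 today, but that alignment is incidental rather than enforced, and a mixed Jetty version set after the next EDC bump is a common source of hard-to-diagnose runtime failures. Consider managing the Jetty artifacts from a single root dependencyManagement entry rather than per-artifact, and add a comment on the override, e.g. `<!-- manual override of EDC's transitive Jetty websocket version; drop once EDC ships Jetty >= 11.0.16 -->`, so it is removed when upstream catches up. The enclosing `<dependency>` element starts before the hunk.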
@@ -278,40 +278,24 @@ maven/mavencentral/org.eclipse.edc/validator-spi/0.1.3, Apache-2.0, approved, te maven/mavencentral/org.eclipse.edc/web-spi/0.1.3, Apache-2.0, approved, technology.edc maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api/5.0.2, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.15, EPL-2.0 OR Apache-2.0, 
approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty 
maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.16, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.tractusx.irs/irs-api/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx @@ -346,12 +330,8 @@ maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.2, EPL- maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp maven/mavencentral/org.graalvm.js/js/21.2.0, UPL-1.0 AND (MPL-2.0 AND LicenseRef-MIT-style) AND (BSD-3-Clause AND UPL-1.0) AND (GPL-2.0-only WITH Classpath-exception-2.0 AND UPL-1.0) AND (UPL-1.0 AND LicenseRef-Permission-Notice), approved, #10176 -maven/mavencentral/org.graalvm.polyglot/polyglot/23.1.0, UPL-1.0, approved, #10918 maven/mavencentral/org.graalvm.regex/regex/21.2.0, UPL-1.0 AND (Unicode-TOU AND UPL-1.0), approved, #10181 -maven/mavencentral/org.graalvm.sdk/collections/23.1.0, UPL-1.0, approved, #10920 -maven/mavencentral/org.graalvm.sdk/graal-sdk/23.1.0, UPL-1.0, approved, #10914 -maven/mavencentral/org.graalvm.sdk/nativeimage/23.1.0, UPL-1.0, approved, #10921 -maven/mavencentral/org.graalvm.sdk/word/23.1.0, UPL-1.0, approved, #10917 +maven/mavencentral/org.graalvm.sdk/graal-sdk/21.2.0, UPL-1.0, approved, clearlydefined maven/mavencentral/org.graalvm.truffle/truffle-api/21.2.0, UPL-1.0, approved, #10219 maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined 
@@ -403,6 +383,7 @@ maven/mavencentral/org.opentest4j/opentest4j/1.2.0, Apache-2.0, approved, clearl maven/mavencentral/org.ow2.asm/asm-commons/9.5, BSD-3-Clause, approved, #7553 maven/mavencentral/org.ow2.asm/asm-tree/9.5, BSD-3-Clause, approved, #7555 maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined +maven/mavencentral/org.ow2.asm/asm/9.5, BSD-3-Clause, approved, #7554 maven/mavencentral/org.projectlombok/lombok/1.18.30, MIT AND LicenseRef-Public-Domain, approved, CQ23907 maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlydefined maven/mavencentral/org.scala-lang.modules/scala-java8-compat_2.13/1.0.0, Apache-2.0, approved, clearlydefined @@ -465,7 +446,6 @@ maven/mavencentral/org.typelevel/spire-macros_2.13/0.17.0, MIT, approved, clearl maven/mavencentral/org.unbescape/unbescape/1.1.6.RELEASE, Apache-2.0, approved, CQ18904 maven/mavencentral/org.webjars/swagger-ui/5.2.0, Apache-2.0, approved, #10221 maven/mavencentral/org.wiremock/wiremock-standalone/3.2.0, MIT AND Apache-2.0, approved, #10919 -maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.1, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098 maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.5, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098 maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272 maven/mavencentral/org.yaml/snakeyaml/1.33, Apache-2.0, approved, clearlydefined From 8da4aa9e5ac215edd5f472769f8d174d6ac77d99 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Wed, 11 Oct 2023 16:08:07 +0200 Subject: [PATCH 6/6] chore(dependencies): Remove outdated suppressions --- .config/owasp-suppressions.xml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml index 10e4ea68e4..d77ddac247 100644 --- a/.config/owasp-suppressions.xml +++ b/.config/owasp-suppressions.xml 
@@ -1,26 +1,5 @@ - - - org\.jetbrains\.kotlin:.* - CVE-2022-24329 - - - - com\.google\.guava:guava.* - CVE-2020-8908 - - - - com\.google\.guava:guava.* - CVE-2023-2976 -