Update available dependencies for fic CVE issues.

reportportal · Aug 23, 2024 · d88aebb · d88aebb
1 parent c92bc1a
commit d88aebb
Showing 1 changed file with 14 additions and 14 deletions.
diff --git a/build.gradle b/build.gradle
@@ -21,6 +21,7 @@ repositories {
     }
 }
 
+ext['spring-boot.version'] = '2.5.15'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (dom4j 2.1.3 version dependency) AND https://nvd.nist.gov/vuln/detail/CVE-2019-14900
 ext['hibernate.version'] = '5.4.18.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10693
@@ -53,11 +54,11 @@ dependencies {
     implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.86'
     implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.86'
     //Fix CVE-2020-15522
-    implementation 'org.bouncycastle:bcprov-jdk15on:1.69'
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
     //Fix CVE-2015-7501, CVE-2015-4852
     implementation 'org.apache.commons:commons-collections4:4.4'
     //Fix CVE-2018-10237
-    implementation 'com.google.guava:guava:31.1-jre'
+    implementation 'com.google.guava:guava:32.0.0-android'
     //Fix CVE-2020-13956
     implementation 'org.apache.httpcomponents:httpclient:4.5.14'
     //Fix CVE-2022-40152
@@ -70,26 +71,24 @@ dependencies {
     //Fix CVE-2023-34050
     implementation 'org.springframework.amqp:spring-amqp:2.4.17'
     //Fix CVE-2023-40827, CVE-2023-40828, CVE-2023-40826
-    implementation 'org.springframework:spring-webmvc:5.3.33'
-    implementation 'org.springframework:spring-web:5.3.33'
+    implementation 'org.springframework:spring-webmvc:5.3.39'
+    implementation 'org.springframework:spring-web:5.3.39'
 
     ///// Security
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
-    implementation 'org.springframework.security:spring-security-core:5.8.5'
-    implementation 'org.springframework.security:spring-security-config:5.8.5'
-    implementation 'org.springframework.security:spring-security-web:5.8.5'
-    //
-
+    implementation 'org.springframework.security:spring-security-core:5.8.14'
+    implementation 'org.springframework.security:spring-security-config:5.8.14'
+    implementation 'org.springframework.security:spring-security-web:5.8.14'
     implementation 'org.springframework.security:spring-security-oauth2-client'
     //Fix CVE-2023-1370
     implementation 'net.minidev:json-smart:2.4.10'
     //Fix CVE-2022-22969
     implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
-    implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
+    implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
     implementation 'org.springframework.security:spring-security-ldap'
     // TODO: consider migration to spring-security-saml2-service-provider
     implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
-//  Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
+    //Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
     implementation 'org.apache.santuario:xmlsec:3.0.3'
     //Fix CVE-2015-7501, CVE-2015-4852
     implementation 'org.apache.commons:commons-collections4:4.4'
@@ -104,10 +103,11 @@ dependencies {
     implementation 'io.springfox:springfox-swagger2'
     implementation 'org.apache.commons:commons-compress:1.26.0'
     implementation 'org.cryptacular:cryptacular:1.1.4'
-    // TODO: snakeyaml 2.0 supported by Spring Boot 3 only
-    implementation 'org.yaml:snakeyaml:1.33'
+    // TODO: snakeyaml 2.0 supported by Spring Boot 2.7 and 3.X only
+    // We don't user application.yml, so it's safe to use 2.2
+    implementation 'org.yaml:snakeyaml:2.2'
     implementation 'org.hibernate:hibernate-core:5.4.24.Final'
-    implementation 'org.springframework:spring-core:5.3.30'
+    implementation 'org.springframework:spring-core:5.3.39'
     implementation "com.rabbitmq:http-client:5.2.0"
 
     // Lombok