FACT-1831 CVE fixes (#2558)

* try fix bouncycastle * remove note * removing jdk15on * poked * diff bouncycastle fix * update resolution version * trying different approach for CVE-2023-33202 * 70 to 77 * should be working like this? * trying 18on * updated suppressions * trying finrem fix * adding more cves
hmcts · Jun 24, 2024 · 455c4b5 · 455c4b5
1 parent 13f2060
commit 455c4b5
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 16 deletions.
diff --git a/build.gradle b/build.gradle
@@ -206,7 +206,7 @@ repositories {
 }
 
 def versions = [
-  bouncycastle: '1.70',
+  bouncycastle: '1.78.1',
   junit: '5.10.2',
   junitPlatform: '1.10.2',
   reformLogging: '6.1.4',
@@ -235,6 +235,12 @@ dependencyManagement {
     dependencySet(group: 'commons-fileupload', version: '1.5') {
       entry 'commons-fileupload'
     }
+    //CVE-2023-33202
+    dependencySet(group: 'org.bouncycastle', version: '1.78.1') {
+      entry 'bcprov-jdk18on'
+      entry 'bcpkix-jdk18on'
+      entry 'bcpg-jdk18on'
+    }
   }
 }
 
@@ -286,9 +292,10 @@ dependencies {
 
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa'
   implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.7.3'
-  implementation group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: versions.bouncycastle
-  implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: versions.bouncycastle
-  implementation group: 'org.bouncycastle', name: 'bcpg-jdk15on', version: versions.bouncycastle
+
+  implementation group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: versions.bouncycastle
+  implementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: versions.bouncycastle
+  implementation group: 'org.bouncycastle', name: 'bcpg-jdk18on', version: versions.bouncycastle
 
   implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.25.1'
 
@@ -341,9 +348,9 @@ dependencies {
   contractTestImplementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: versions.service_auth
   contractTestImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa'
 
-  contractTestImplementation group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: versions.bouncycastle
-  contractTestImplementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: versions.bouncycastle
-  contractTestImplementation group: 'org.bouncycastle', name: 'bcpg-jdk15on', version: versions.bouncycastle
+  contractTestImplementation group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: versions.bouncycastle
+  contractTestImplementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: versions.bouncycastle
+  contractTestImplementation group: 'org.bouncycastle', name: 'bcpg-jdk18on', version: versions.bouncycastle
 
   contractTestImplementation group: 'com.github.hmcts.rpe-pdf-service', name: 'pdf-generator', version: '1.0.2'
 

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,31 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress until="2024-09-29">
+        <notes>Suppression for jackson-databind. Pulled in by springboot on latest version. No fix as of 20/06/24.</notes>
         <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@.*$</packageUrl>
         <cve>CVE-2023-35116</cve>
     </suppress>
     <suppress>
-        <notes>Suppression for netty. Pulled in by springboot on latest version</notes>
+        <notes>Suppression for netty. Pulled in by springboot on latest version. No fix as of 20/06/24.</notes>
         <cve>CVE-2023-4586</cve>
     </suppress>
     <suppress>
-        <notes>Logback, waiting for fix</notes>
+        <notes>Logback, No fix as of 20/06/24</notes>
         <cve>CVE-2023-6378</cve>
     </suppress>
     <suppress>
-        <notes>Logback, waiting for fix</notes>
+        <notes>Logback, No fix as of 20/06/24</notes>
         <cve>CVE-2023-6481</cve>
     </suppress>
     <suppress>
-        <notes>Bouncy castle, wait for fix</notes>
-        <cve>CVE-2023-33202</cve>
-    </suppress>
-    <suppress>
-        <notes>Azure Cli, wait for fix</notes>
+        <notes>Azure Cli, No fix as of 20/06/24</notes>
         <cve>CVE-2023-36052</cve>
     </suppress>
     <suppress>
-        <notes>Apache Http Client being brought in transitively by service-auth-provider-java-client, wait for fix</notes>
+        <notes>Apache Http Client being brought in transitively by service-auth-provider-java-client. No fix as of 20/06/24. </notes>
         <cve>CVE-2020-13956</cve>
     </suppress>
+    <suppress>
+        <notes>Bouncy castle waiting for com.github.hmcts.rpe-pdf-service jdk15on needs to be jdk18on</notes>
+        <cve>CVE-2023-33202</cve>
+        <cve>CVE-2020-15522</cve>
+        <cve>CVE-2017-13098</cve>
+        <cve>CVE-2018-1000180</cve>
+        <cve>CVE-2020-26939</cve>
+    </suppress>
 </suppressions>