FACT-1975 - CVE Updates Sept (#2608)

* - removes commented out dependencies

* - update dependencies

* - tries to remove jackson CVE suppression

* - updates dependencies

* - updates helm dependency

* - tries to remove netty cve suppression

* - tries to remove logback cve suppression

* - tries to remove azure cli cve suppression

* - updates service auth, tries to remove http client cve suppression

* - updates suppression note

* - creates flyway version property

* - puts postgresql version into property

build.gradle

@@ -1,9 +1,13 @@
 import org.flywaydb.gradle.task.FlywayMigrateTask
 
 buildscript {
+  ext {
+    flywayVersion = '10.17.3'
+    postgresqlVersion = '42.7.4'
+  }
   dependencies {
-    classpath("org.postgresql:postgresql:42.7.3")
-    classpath("org.flywaydb:flyway-database-postgresql:10.13.0")
+    classpath("org.postgresql:postgresql:$postgresqlVersion") // must be compatible with flyway version
+    classpath("org.flywaydb:flyway-database-postgresql:$flywayVersion") // flyway dependency/plugin versions must always match
   }
 }
 
@@ -13,9 +17,9 @@ plugins {
   id 'pmd'
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.1.6'
-  id 'org.flywaydb.flyway' version '10.13.0'
-  id 'org.springframework.boot' version '3.2.3'
-  id 'org.owasp.dependencycheck' version '9.0.8'
+  id 'org.flywaydb.flyway' version "$flywayVersion"
+  id 'org.springframework.boot' version '3.3.3'
+  id 'org.owasp.dependencycheck' version '10.0.4'
   id 'com.github.ben-manes.versions' version '0.51.0'
   id 'org.sonarqube' version '5.0.0.4638'
   id 'info.solidsoft.pitest' version '1.15.0'
@@ -213,13 +217,15 @@ repositories {
 
 def versions = [
   bouncycastle: '1.78.1',
-  junit: '5.10.3',
-  junitPlatform: '1.10.3',
+  junit: '5.11.0',
+  junitPlatform: '1.11.0',
   reformLogging: '6.1.4',
   springfoxSwagger: '2.9.2',
   pact_version: '4.6.7',
-  service_auth: '5.1.3',
-  pdfbox: '3.0.2'
+  service_auth: '5.2.0',
+  pdfbox: '3.0.2',
+  flyway: "$flywayVersion",
+  postgresql: "$postgresqlVersion"
 ]
 
 configurations.all {
@@ -255,10 +261,8 @@ dependencies {
     exclude group: 'junit', module: 'junit'
   }
   implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
-//  implementation group: 'javax.activation', name: 'activation', version: '1.1.1'
   implementation group: 'org.eclipse.jetty', name: 'jetty-util', version: '12.0.12'
   implementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '12.0.12'
-//  implementation group: 'javax.servlet', name: 'javax.servlet-api', version: '3.1.0'
   implementation group: 'org.apache.httpcomponents.client5', name: 'httpclient5', version: '5.3.1'
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '4.1.3'
   implementation group: 'org.springframework.boot', name: 'spring-boot-properties-migrator'
@@ -271,12 +275,12 @@ dependencies {
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-batch'
   implementation group: 'org.springframework.boot', name: 'spring-boot-configuration-processor'
 
-  runtimeOnly group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.13.0'
-  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.13.0'
-  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.3'
+  runtimeOnly group: 'org.flywaydb', name: 'flyway-database-postgresql', version: versions.flyway
+  implementation group: 'org.flywaydb', name: 'flyway-core', version: versions.flyway
+  implementation group: 'org.postgresql', name: 'postgresql', version: versions.postgresql
 
-  implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-provider-jdbc-template', version: '5.14.0'
-  implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-spring', version: '5.14.0'
+  implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-provider-jdbc-template', version: '5.15.1'
+  implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-spring', version: '5.15.1'
 
   implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.6.0'
 
@@ -290,7 +294,6 @@ dependencies {
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-hystrix', version: '2.2.10.RELEASE'
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '4.1.4'
   implementation group: 'io.github.openfeign', name: 'feign-httpclient', version: '13.3'
-//  implementation group: 'io.github.openfeign', name: 'feign-hc5', version: '13.2'
 
   implementation group: 'com.hierynomus', name: 'sshj', version: '0.38.0'
   implementation group: 'org.apache.pdfbox', name: 'pdfbox', version: versions.pdfbox
@@ -304,7 +307,7 @@ dependencies {
   implementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: versions.bouncycastle
   implementation group: 'org.bouncycastle', name: 'bcpg-jdk18on', version: versions.bouncycastle
 
-  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.27.0'
+  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.27.1'
 
   implementation group: 'io.github.resilience4j', name: 'resilience4j-spring-boot3', version: '2.2.0'
 
@@ -325,19 +328,19 @@ dependencies {
   testImplementation 'org.apache.commons:commons-email2-jakarta:2.0.0-M2-SNAPSHOT'
 //  testImplementation group: 'org.apache.commons', name: 'commons-email', version: '1.6.0'
 // the snapshot version of commons-email for jakarta
-  testImplementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.15.0'
+  testImplementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.17.0'
   testImplementation group: 'org.apache.pdfbox', name: 'pdfbox-io', version: versions.pdfbox
   testImplementation group: 'org.apache.pdfbox', name: 'preflight', version: versions.pdfbox, withoutJunit4
   testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8-standalone', version: '3.0.1', withoutJunit4
-  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.3', classifier: 'all'
+  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.4', classifier: 'all'
   testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.3'
 
   integrationTestImplementation sourceSets.main.runtimeClasspath
   integrationTestImplementation sourceSets.test.runtimeClasspath
   integrationTestImplementation group: 'org.apache.sshd', name: 'sshd-scp', version: '2.13.2'
   integrationTestImplementation group: 'org.apache.sshd', name: 'sshd-sftp', version: '2.13.2'
   integrationTestImplementation group: 'org.testcontainers', name: 'postgresql', version: '1.19.3'
-  integrationTestImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.1', withoutJunit4
+  integrationTestImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.2', withoutJunit4
 
   smokeTestImplementation sourceSets.main.runtimeClasspath
   smokeTestImplementation sourceSets.test.runtimeClasspath

charts/rpe-send-letter-service/Chart.yaml

@@ -1,12 +1,12 @@
 name: rpe-send-letter-service
 apiVersion: v2
 home: https://github.com/hmcts/send-letter-service
-version: 0.4.24
+version: 0.4.25
 description: HMCTS Send letter service
 maintainers:
   - name: HMCTS BSP Team
     email: [email protected]
 dependencies:
   - name: java
-    version: 5.2.0
+    version: 5.2.1
     repository: https://hmctspublic.azurecr.io/helm/v1/repo/

config/owasp/suppressions.xml

@@ -1,32 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2024-09-29">
-        <notes>Suppression for jackson-databind. Pulled in by springboot on latest version. No fix as of 20/06/24.</notes>
-        <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@.*$</packageUrl>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
-    <suppress>
-        <notes>Suppression for netty. Pulled in by springboot on latest version. No fix as of 20/06/24.</notes>
-        <cve>CVE-2023-4586</cve>
-    </suppress>
-    <suppress>
-        <notes>Logback, No fix as of 20/06/24</notes>
-        <cve>CVE-2023-6378</cve>
-    </suppress>
-    <suppress>
-        <notes>Logback, No fix as of 20/06/24</notes>
-        <cve>CVE-2023-6481</cve>
-    </suppress>
-    <suppress>
-        <notes>Azure Cli, No fix as of 20/06/24</notes>
-        <cve>CVE-2023-36052</cve>
-    </suppress>
-    <suppress>
-        <notes>Apache Http Client being brought in transitively by service-auth-provider-java-client. No fix as of 20/06/24. </notes>
-        <cve>CVE-2020-13956</cve>
-    </suppress>
     <suppress>
-        <notes>Bouncy castle waiting for com.github.hmcts.rpe-pdf-service jdk15on needs to be jdk18on</notes>
+        <notes>Bouncy castle waiting for com.github.hmcts.rpe-pdf-service (hasn't had new release since 2017) jdk15on needs to be jdk18on</notes>
         <cve>CVE-2023-33202</cve>
         <cve>CVE-2020-15522</cve>
         <cve>CVE-2017-13098</cve>