Merge branch 'master' into SIDM-8901-caseworkers

build.gradle

@@ -171,7 +171,7 @@ dependencyManagement {
   dependencies {
     dependency group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.70'
     // CVE-2018-10237 - Unbounded memory allocation
-    dependencySet(group: 'com.google.guava', version: '32.1.2-jre') {
+    dependencySet(group: 'com.google.guava', version: '32.1.3-jre') {
       entry 'guava'
     }
   }
@@ -209,7 +209,7 @@ dependencies {
   implementation 'com.google.guava:guava'
   implementation 'io.opentelemetry:opentelemetry-api:1.31.0'
   implementation group: 'org.apache.activemq', name: 'artemis-jms-server', version: '2.31.0'
-  implementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: '5.1.0'
+  implementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: '5.1.1'
 
   // CVE fix
   implementation 'org.yaml:snakeyaml:2.2'

config/owasp/suppressions.xml

@@ -1,77 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress until="2030-01-01">
-    <notes><![CDATA[
-     Suppressing as it's a false positive (see: https://pivotal.io/security/cve-2018-1258)
-   ]]></notes>
-    <gav regex="true">^org\.springframework\.security:spring-security-crypto:5.[0-9].[0-9].RELEASE</gav>
-    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-    <cve>CVE-2018-1258</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-        CVE is a json vulnerability for Node projects. False positive reported at https://github.com/jeremylong/DependencyCheck/issues/2794
-    ]]></notes>
-    <cve>CVE-2020-10663</cve>
-    <cve>CVE-2020-7712</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-        Needs review
-    ]]></notes>
-    <gav regex="true">^org\.springframework\.boot:spring-boot-starter-oauth2-resource-server:2.7.[0-9]</gav>
-    <cve>CVE-2018-1258</cve>
-    <cve>CVE-2021-22112</cve>
-    <cve>CVE-2022-22976</cve>
-    <cve>CVE-2022-22978</cve>
-  </suppress>
-  <!-- false positive CVEs from the dependency check plugin -->
-  <suppress>
-    <gav regex="true">^.*spring-.*$</gav>
-    <cve>CVE-2016-1000027</cve>
-    <cve>CVE-2022-22976</cve>
-    <cve>CVE-2022-22978</cve>
-    <cve>CVE-2022-31690</cve>
-    <cve>CVE-2022-31692</cve>
-  </suppress>
-  <suppress>
-    <gav regex="true">^.*tomcat-.*$</gav>
-    <cve>CVE-2022-34305</cve>
-  </suppress>
   <suppress>
     <gav regex="true">^.*jackson-databind.*$</gav>
-    <cve>CVE-2022-42003</cve>
     <cve>CVE-2023-35116</cve>
   </suppress>
-  <!-- False positive: https://github.com/jeremylong/DependencyCheck/issues/5213  -->
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.latencyutils/LatencyUtils@.*$</packageUrl>
-    <cve>CVE-2021-4277</cve>
-  </suppress>
-  <!-- False positive:  https://github.com/jeremylong/DependencyCheck/issues/5233  -->
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-    <cve>CVE-2021-4235</cve>
-    <cve>CVE-2022-3064</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/commons\-fileupload/commons\-fileupload@.*$</packageUrl>
-    <cve>CVE-2021-37533</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
-    <cve>CVE-2021-37533</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
-    <cve>CVE-2022-41946</cve>
-  </suppress>
-  <suppress>
-    <gav regex="true">^.*commons-fileupload.*$</gav>
-    <cve>CVE-2023-24998</cve>
-  </suppress>
   <suppress>
     <packageUrl regex="true">^.*org\.json.*$</packageUrl>
     <cve>CVE-2022-45688</cve>
   </suppress>
+  <suppress>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
+    <cve>CVE-2023-4586</cve>
+  </suppress>
 </suppressions>