From e153fd3a89afdd4e257a659df2d4cd57208d35e2 Mon Sep 17 00:00:00 2001
From: Kremi Nenkova <kremi.nenkova@gmail.com>
Date: Wed, 11 Oct 2023 10:58:04 +0100
Subject: [PATCH 1/4] Tidy up suppressions and suppress CVE-2023-4586 (all
 netty versions are vulnerable atm)

---
 config/owasp/suppressions.xml | 70 ++---------------------------------
 1 file changed, 4 insertions(+), 66 deletions(-)

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
index bfa913fb7..8a55a03e3 100644
--- a/config/owasp/suppressions.xml
+++ b/config/owasp/suppressions.xml
@@ -1,77 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress until="2030-01-01">
-    <notes><![CDATA[
-     Suppressing as it's a false positive (see: https://pivotal.io/security/cve-2018-1258)
-   ]]></notes>
-    <gav regex="true">^org\.springframework\.security:spring-security-crypto:5.[0-9].[0-9].RELEASE</gav>
-    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-    <cve>CVE-2018-1258</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-        CVE is a json vulnerability for Node projects. False positive reported at https://github.com/jeremylong/DependencyCheck/issues/2794
-    ]]></notes>
-    <cve>CVE-2020-10663</cve>
-    <cve>CVE-2020-7712</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-        Needs review
-    ]]></notes>
-    <gav regex="true">^org\.springframework\.boot:spring-boot-starter-oauth2-resource-server:2.7.[0-9]</gav>
-    <cve>CVE-2018-1258</cve>
-    <cve>CVE-2021-22112</cve>
-    <cve>CVE-2022-22976</cve>
-    <cve>CVE-2022-22978</cve>
-  </suppress>
-  <!-- false positive CVEs from the dependency check plugin -->
-  <suppress>
-    <gav regex="true">^.*spring-.*$</gav>
-    <cve>CVE-2016-1000027</cve>
-    <cve>CVE-2022-22976</cve>
-    <cve>CVE-2022-22978</cve>
-    <cve>CVE-2022-31690</cve>
-    <cve>CVE-2022-31692</cve>
-  </suppress>
-  <suppress>
-    <gav regex="true">^.*tomcat-.*$</gav>
-    <cve>CVE-2022-34305</cve>
-  </suppress>
   <suppress>
     <gav regex="true">^.*jackson-databind.*$</gav>
-    <cve>CVE-2022-42003</cve>
     <cve>CVE-2023-35116</cve>
   </suppress>
-  <!-- False positive: https://github.com/jeremylong/DependencyCheck/issues/5213  -->
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.latencyutils/LatencyUtils@.*$</packageUrl>
-    <cve>CVE-2021-4277</cve>
-  </suppress>
-  <!-- False positive:  https://github.com/jeremylong/DependencyCheck/issues/5233  -->
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-    <cve>CVE-2021-4235</cve>
-    <cve>CVE-2022-3064</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/commons\-fileupload/commons\-fileupload@.*$</packageUrl>
-    <cve>CVE-2021-37533</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/commons\-io/commons\-io@.*$</packageUrl>
-    <cve>CVE-2021-37533</cve>
-  </suppress>
-  <suppress>
-    <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
-    <cve>CVE-2022-41946</cve>
-  </suppress>
-  <suppress>
-    <gav regex="true">^.*commons-fileupload.*$</gav>
-    <cve>CVE-2023-24998</cve>
-  </suppress>
   <suppress>
     <packageUrl regex="true">^.*org\.json.*$</packageUrl>
     <cve>CVE-2022-45688</cve>
   </suppress>
+  <suppress>
+    <packageUrl regex="true">^.*netty.*$</packageUrl>
+    <cve>CVE-2023-4586</cve>
+  </suppress>
 </suppressions>

From a977df42a340be2a7ff68bc889640dca13468eec Mon Sep 17 00:00:00 2001
From: Kremi Nenkova <kremi.nenkova@gmail.com>
Date: Wed, 11 Oct 2023 11:05:54 +0100
Subject: [PATCH 2/4] Suppress CVE-2023-4586

---
 config/owasp/suppressions.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
index 8a55a03e3..7ad50e43b 100644
--- a/config/owasp/suppressions.xml
+++ b/config/owasp/suppressions.xml
@@ -9,7 +9,7 @@
     <cve>CVE-2022-45688</cve>
   </suppress>
   <suppress>
-    <packageUrl regex="true">^.*netty.*$</packageUrl>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
     <cve>CVE-2023-4586</cve>
   </suppress>
 </suppressions>

From 48bb0c322b1278b57ed13d834eeae37538edee76 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:11:47 +0000
Subject: [PATCH 3/4] Update dependency com.google.guava:guava to v32.1.3-jre

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index c5798eca7..a374bfcb0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -171,7 +171,7 @@ dependencyManagement {
   dependencies {
     dependency group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.70'
     // CVE-2018-10237 - Unbounded memory allocation
-    dependencySet(group: 'com.google.guava', version: '32.1.2-jre') {
+    dependencySet(group: 'com.google.guava', version: '32.1.3-jre') {
       entry 'guava'
     }
   }

From b9dcc80d3255a175ee906cdcc23ac007cf9eb22f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:29:25 +0000
Subject: [PATCH 4/4] Update dependency
 com.github.hmcts:service-auth-provider-java-client to v5.1.1

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a374bfcb0..317205805 100644
--- a/build.gradle
+++ b/build.gradle
@@ -209,7 +209,7 @@ dependencies {
   implementation 'com.google.guava:guava'
   implementation 'io.opentelemetry:opentelemetry-api:1.31.0'
   implementation group: 'org.apache.activemq', name: 'artemis-jms-server', version: '2.31.0'
-  implementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: '5.1.0'
+  implementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: '5.1.1'
 
   // CVE fix
   implementation 'org.yaml:snakeyaml:2.2'