Merge pull request #645 from hmcts/PAY-6203

davejones74 · web-flow · commit a262e33749f1 · 2024-05-03T10:47:56.000+01:00
PAY-6203/PAY-6197: Fix CVE-2022-1471/CVE-2022-0839
diff --git a/build.gradle b/build.gradle
@@ -66,7 +66,7 @@ allprojects {
             dependency 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.12.0'
             dependency 'com.google.guava:guava:30.1-jre'
 
-            dependency 'org.liquibase:liquibase-core:3.7.0'
+            dependency 'org.liquibase:liquibase-core:4.27.0'
             dependency 'org.postgresql:postgresql:42.3.2'
 
             dependency 'commons-beanutils:commons-beanutils:1.9.3'
diff --git a/cve-resolution-strategy.gradle b/cve-resolution-strategy.gradle
@@ -14,7 +14,7 @@ configurations.all {
                 CVE-2017-18640, CVE-2022-41854
             * */
             if(det.requested.name == 'snakeyaml'){
-                det.useVersion '1.32'
+                det.useVersion '2.2'
             }
 
             /*
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -8,12 +8,6 @@
         </notes>
         <cve>CVE-2022-45688</cve>
     </suppress>
-    <suppress until="2023-11-30">
-        <notes>
-            Liquibase core needs major version latest of liquibase-core. Version 4.2.2 not resolving current CVE issue
-        </notes>
-        <cve>CVE-2022-0839</cve>
-    </suppress>
     <suppress until="2023-11-30">
         <notes>
             This applies to spring-security-config-5.4.10, spring-security-crypto-5.4.10 and spring-security-web-5.4.10.
@@ -30,12 +24,6 @@
         </notes>
         <cve>CVE-2021-42550</cve>
     </suppress>
-    <suppress until="2023-11-30">
-        <notes>
-            SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
-        </notes>
-        <cve>CVE-2022-1471</cve>
-    </suppress>
     <suppress until="2023-11-30">
         <notes>
             Jackson-databind version 2.12.7.1 in combination with postgres has interface changes in DBUtils that cause unit tests to fail.
@@ -172,12 +160,6 @@
         </notes>
         <cve>CVE-2022-083</cve>
     </suppress>
-    <suppress>
-        <notes>
-            SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
-        </notes>
-        <cve>CVE-2022-1471</cve>
-    </suppress>
 
     <suppress>
         <notes>

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ configurations.all {`
`14`	`14`	`CVE-2017-18640, CVE-2022-41854`
`15`	`15`	`* */`
`16`	`16`	`if(det.requested.name == 'snakeyaml'){`
`17`		`- det.useVersion '1.32'`
	`17`	`+ det.useVersion '2.2'`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`/*`