Merge pull request #377 from hmcts/PUB-2206-Dependency-Updates

PUB-2206 - Dependency Updates

Author: ChrisS1512

build.gradle

@@ -1,16 +1,16 @@
 plugins {
   id 'application'
   id 'checkstyle'
-  id 'com.github.ben-manes.versions' version '0.48.0'
+  id 'com.github.ben-manes.versions' version '0.49.0'
   id 'io.spring.dependency-management' version '1.1.3'
   id 'jacoco'
   id 'org.springframework.boot' version '3.0.12'
-  id 'org.owasp.dependencycheck' version '8.4.0'
+  id 'org.owasp.dependencycheck' version '8.4.2'
   id 'org.sonarqube' version '4.4.1.3373'
   id 'pmd'
-  id 'org.jetbrains.kotlin.jvm' version '1.9.10'
-  id 'io.freefair.lombok' version '8.3'
-  id 'org.flywaydb.flyway' version '9.22.1'
+  id 'org.jetbrains.kotlin.jvm' version '1.9.20'
+  id 'io.freefair.lombok' version '8.4'
+  id 'org.flywaydb.flyway' version '9.22.3'
 }
 
 apply plugin: 'org.owasp.dependencycheck'
@@ -129,7 +129,7 @@ pmd {
 }
 
 jacoco {
-  toolVersion = "0.8.10"
+  toolVersion = "0.8.11"
 }
 
 jacocoTestReport {
@@ -192,21 +192,21 @@ dependencies {
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
   implementation group: 'org.postgresql', name: 'postgresql', version: '42.6.0'
-  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.5.0'
-  implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.11.0'
+  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.7.0'
+  implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.12.0'
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.8'
   implementation group: 'commons-validator', name: 'commons-validator', version: '1.7'
 
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.9', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.11', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
 
   implementation group: 'com.vladmihalcea', name: 'hibernate-types-60', version: '2.21.1'
 
   // Include the sdk as a dependency
-  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '5.72.0'
+  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '5.75.0'
   // Include Azure identity for authentication
-  implementation group: 'com.azure', name: 'azure-identity', version: '1.10.1'
+  implementation group: 'com.azure', name: 'azure-identity', version: '1.11.0'
 
   implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.2.0'
 
@@ -215,10 +215,10 @@ dependencies {
   implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version: '7.4'
 
   // Include Azure storage blob for storing application images
-  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.24.0'
+  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.25.0'
 
   // Include Flyway for database migrations
-  implementation group: 'org.flywaydb', name: 'flyway-core', version: '9.22.1'
+  implementation group: 'org.flywaydb', name: 'flyway-core', version: '9.22.3'
 
   // Force upgrade snakeyaml version for CVE-2022-38752
   implementation( group: 'org.yaml', name: 'snakeyaml').version {
@@ -227,11 +227,11 @@ dependencies {
 
   runtimeOnly("org.springframework.boot:spring-boot-properties-migrator")
 
-  testImplementation(platform('org.junit:junit-bom:5.10.0'))
+  testImplementation(platform('org.junit:junit-bom:5.10.1'))
   testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
   testImplementation group: 'org.springframework.security', name: 'spring-security-test'
   testImplementation "io.zonky.test:embedded-database-spring-test:2.3.0"
-  testImplementation group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '4.11.0'
+  testImplementation group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '4.12.0'
   testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.0'
   testImplementation group: 'io.zonky.test', name: 'embedded-database-spring-test', version: '2.3.0'
   testImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.0'

config/owasp/suppressions.xml

@@ -1,28 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
-    <notes><![CDATA[file name: spring-cloud-azure-starter-active-directory-5.5.0.jar]]></notes>
-    <packageUrl regex="true">^pkg:maven/com.azure.spring/spring-cloud-azure-starter-active-directory@5.5.0</packageUrl>
+    <notes><![CDATA[file name: spring-cloud-azure-starter-active-directory-5.7.0.jar]]></notes>
+    <packageUrl regex="true">^pkg:maven/com.azure.spring/spring-cloud-azure-starter-active-directory@5.7.0</packageUrl>
     <cve>CVE-2021-42306</cve>
   </suppress>
   <suppress>
     <notes>The vulnerability exists in the latest version of lib too. Need to wait for new version with the fix</notes>
     <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.3</packageUrl>
     <cve>CVE-2023-35116</cve>
   </suppress>
-  <suppress>
-    <notes>Pulled in by okhttp (which we're already on the latest version of)</notes>
-    <packageUrl regex="true">^pkg:maven/com.squareup.okio/okio-jvm@3.2.0</packageUrl>
-    <cve>CVE-2023-3635</cve>
-  </suppress>
   <suppress>
     <notes>Suppression for netty. Pulled in by springboot on latest version</notes>
     <cve>CVE-2023-4586</cve>
   </suppress>
   <suppress>
     <notes><![CDATA[file name: azure-identity-1.10.0.jar]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
-    <cve>CVE-2023-36414</cve>
     <cve>CVE-2023-36415</cve>
   </suppress>
 </suppressions>

infrastructure/.terraform-version

@@ -1 +1 @@
-1.5.7
+1.6.3

infrastructure/providers.tf

@@ -3,7 +3,7 @@ terraform {
 
   required_providers {
     azurerm = {
-      version = "3.75.0"
+      version = "3.79.0"
     }
     postgresql = {
       source  = "cyrilgdn/postgresql"