Merge pull request #430 from hmcts/PUB-2489

PUB-2489 - Update dependencies

build.gradle

@@ -1,7 +1,7 @@
 //This is required as flyway now has a stand alone library for each database rather than being bundled together
 buildscript {
   dependencies {
-    classpath("org.flywaydb:flyway-database-postgresql:10.13.0")
+    classpath("org.flywaydb:flyway-database-postgresql:10.15.2")
   }
 }
 
@@ -11,21 +11,20 @@ plugins {
   id 'com.github.ben-manes.versions' version '0.51.0'
   id 'io.spring.dependency-management' version '1.1.5'
   id 'jacoco'
-  id 'org.springframework.boot' version '3.2.5'
-  id 'org.owasp.dependencycheck' version '9.1.0'
+  id 'org.springframework.boot' version '3.2.7'
+  id 'org.owasp.dependencycheck' version '9.2.0'
   id 'org.sonarqube' version '5.0.0.4638'
   id 'pmd'
-  id 'org.jetbrains.kotlin.jvm' version '1.9.24'
+  id 'org.jetbrains.kotlin.jvm' version '2.0.0'
   id 'io.freefair.lombok' version '8.6'
-  id 'org.flywaydb.flyway' version '10.13.0'
+  id 'org.flywaydb.flyway' version '10.15.2'
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-apply plugin: 'org.sonarqube'
-
-group = 'uk.gov.hmcts.reform.pip'
-mainClassName = 'uk.gov.hmcts.reform.pip.account.management.Application'
-version = '0.0.1'
+application {
+  group = 'uk.gov.hmcts.reform.pip'
+  mainClass = 'uk.gov.hmcts.reform.pip.account.management.Application'
+  version = '0.0.1'
+}
 
 java {
   toolchain {
@@ -122,12 +121,12 @@ task smoke(type: Test) {
 
 checkstyle {
   maxWarnings = 0
-  toolVersion = '10.16.0'
+  toolVersion = '10.17.0'
   getConfigDirectory().set(new File(rootDir, 'config/checkstyle'))
 }
 
 pmd {
-  toolVersion = "7.1.0"
+  toolVersion = "7.3.0"
   sourceSets = [sourceSets.main, sourceSets.test, sourceSets.functionalTest, sourceSets.smokeTest]
   reportsDir = file("$project.buildDir/reports/pmd")
   ruleSetFiles = files("config/pmd/ruleset.xml")
@@ -183,7 +182,7 @@ dependencyCheck {
 
 ext {
   log4JVersion = "2.23.1"
-  reformLoggingVersion = "6.1.4"
+  reformLoggingVersion = "6.1.5"
 }
 
 dependencies {
@@ -198,22 +197,22 @@ dependencies {
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
   implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.3'
-  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.12.0'
+  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.13.0'
   implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.12.0'
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.9'
-  implementation group: 'commons-validator', name: 'commons-validator', version: '1.8.0'
+  implementation group: 'commons-validator', name: 'commons-validator', version: '1.9.0'
 
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.28', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.29', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
-  implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.7.5'
+  implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.0'
 
   // Include the sdk as a dependency
-  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '6.9.0'
+  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '6.13.0'
   // Include Azure identity for authentication
-  implementation group: 'com.azure', name: 'azure-identity', version: '1.12.1'
+  implementation group: 'com.azure', name: 'azure-identity', version: '1.13.0'
 
-  implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.5.0'
+  implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.6.0'
 
   implementation group: 'com.github.hmcts.java-logging', name: 'logging', version: reformLoggingVersion
   implementation group: 'com.github.hmcts.java-logging', name: 'logging-appinsights', version: reformLoggingVersion
@@ -224,11 +223,11 @@ dependencies {
   implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version: '7.4'
 
   // Include Azure storage blob for storing application images
-  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.25.4'
+  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.26.1'
 
   // Include Flyway for database migrations
-  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.13.0'
-  implementation group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.13.0'
+  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.15.2'
+  implementation group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.15.2'
 
   // Force upgrade snakeyaml version for CVE-2022-38752
   implementation( group: 'org.yaml', name: 'snakeyaml').version {
@@ -237,20 +236,20 @@ dependencies {
 
   runtimeOnly("org.springframework.boot:spring-boot-properties-migrator")
 
-  testImplementation(platform('org.junit:junit-bom:5.10.2'))
+  testImplementation(platform('org.junit:junit-bom:5.10.3'))
   testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
   testImplementation group: 'org.springframework.security', name: 'spring-security-test'
   testImplementation group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '4.12.0'
-  testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.2'
+  testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.3'
   testImplementation group: 'io.zonky.test', name: 'embedded-database-spring-test', version: '2.5.1'
   testImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.1'
   testImplementation group: 'org.apiguardian', name: 'apiguardian-api', version: '1.1.2'
   testImplementation group: 'org.mockito', name: 'mockito-inline', version: '5.2.0'
-  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.1', classifier: 'all'
+  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.3', classifier: 'all'
 }
 
 task fortifyScan(type: JavaExec)  {
-  main = "uk.gov.hmcts.fortifyclient.FortifyClientMainApp"
+  mainClass = "uk.gov.hmcts.fortifyclient.FortifyClientMainApp"
   classpath += sourceSets.test.runtimeClasspath
   jvmArgs = ['--add-opens=java.base/java.lang.reflect=ALL-UNNAMED']
 }

charts/pip-account-management/Chart.yaml

@@ -2,12 +2,12 @@ name: pip-account-management
 apiVersion: v2
 appVersion: "1.0"
 home: https://github.com/hmcts/pip-account-management
-version: 0.0.44
+version: 0.0.45
 description: Publishing & Information Account Management
 maintainers:
   - name: HMCTS PIP Team
 dependencies:
   - name: java
-    version: 5.2.0
+    version: 5.2.1
     repository: 'https://hmctspublic.azurecr.io/helm/v1/repo/'
 

config/owasp/suppressions.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
-    <notes><![CDATA[file name: spring-cloud-azure-starter-active-directory-5.12.0.jar]]></notes>
-    <packageUrl regex="true">^pkg:maven/com.azure.spring/spring-cloud-azure-starter-active-directory@5.12.0</packageUrl>
+    <notes><![CDATA[file name: spring-cloud-azure-starter-active-directory-5.13.0.jar]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.azure\.spring/spring\-cloud\-azure\-starter\-active\-directory@.*$</packageUrl>
     <cve>CVE-2021-42306</cve>
   </suppress>
   <suppress>
@@ -14,20 +14,14 @@
     <notes><![CDATA[file name: azure-identity-1.12.1.jar]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
     <cve>CVE-2023-36415</cve>
-    <cve>CVE-2024-35255</cve>
   </suppress>
   <suppress>
     <notes>Vulnerability pulled in by azure-identity</notes>
-    <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j.*$</packageUrl>
     <cve>CVE-2024-35255</cve>
   </suppress>
   <suppress>
     <notes>This vulnerability exists in various com.azure dependencies pulled in by the latest spring-cloud-azure-starter-active-directory</notes>
     <packageUrl regex="true">^pkg:maven/com\.azure/azure.*$</packageUrl>
     <cve>CVE-2023-36052</cve>
   </suppress>
-  <suppress>
-    <notes>This vulnerability exists across azure identity and microsoft authentication libraries </notes>
-    <cve>CVE-2024-35255</cve>
-  </suppress>
 </suppressions>

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-all.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

infrastructure/.terraform-version

@@ -1 +1 @@
-1.8.3
+1.9.1

infrastructure/providers.tf

@@ -3,7 +3,7 @@ terraform {
 
   required_providers {
     azurerm = {
-      version = "3.105.0"
+      version = "3.110.0"
     }
     postgresql = {
       source  = "cyrilgdn/postgresql"

src/main/java/uk/gov/hmcts/reform/pip/account/management/service/AccountService.java

@@ -329,7 +329,7 @@ public Pair<CreationEnum, Object> addUserWithSuppliedPassword(AzureAccount azure
 
         if (!processedAzureAccounts.get(CreationEnum.CREATED_ACCOUNTS).isEmpty()) {
             List<AzureAccount> createdAzureAccounts = processedAzureAccounts.get(CreationEnum.CREATED_ACCOUNTS).stream()
-                .map(a -> (AzureAccount) a)
+                .map(AzureAccount.class::cast)
                 .toList();
 
             PiUser user = createdAccountToPiUser(createdAzureAccounts.get(0));