PUB-2618 - Dependency updates

hmcts · Oct 8, 2024 · bf4dc5d · bf4dc5d
1 parent 4e08b5b
commit bf4dc5d
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 48 deletions.
diff --git a/build.gradle b/build.gradle
@@ -1,7 +1,7 @@
 //This is required as flyway now has a stand alone library for each database rather than being bundled together
 buildscript {
   dependencies {
-    classpath("org.flywaydb:flyway-database-postgresql:10.15.2")
+    classpath("org.flywaydb:flyway-database-postgresql:10.19.0")
   }
 }
 
@@ -11,13 +11,13 @@ plugins {
   id 'com.github.ben-manes.versions' version '0.51.0'
   id 'io.spring.dependency-management' version '1.1.6'
   id 'jacoco'
-  id 'org.springframework.boot' version '3.3.2'
+  id 'org.springframework.boot' version '3.3.3'
   id 'org.owasp.dependencycheck' version '10.0.0'
   id 'org.sonarqube' version '5.1.0.4882'
   id 'pmd'
-  id 'org.jetbrains.kotlin.jvm' version '2.0.10'
-  id 'io.freefair.lombok' version '8.6'
-  id 'org.flywaydb.flyway' version '10.17.0'
+  id 'org.jetbrains.kotlin.jvm' version '2.0.20'
+  id 'io.freefair.lombok' version '8.10.2'
+  id 'org.flywaydb.flyway' version '10.19.0'
 }
 
 application {
@@ -121,12 +121,12 @@ task smoke(type: Test) {
 
 checkstyle {
   maxWarnings = 0
-  toolVersion = '10.17.0'
+  toolVersion = '10.18.2'
   getConfigDirectory().set(new File(rootDir, 'config/checkstyle'))
 }
 
 pmd {
-  toolVersion = "7.4.0"
+  toolVersion = "7.6.0"
   sourceSets = [sourceSets.main, sourceSets.test, sourceSets.functionalTest, sourceSets.smokeTest]
   reportsDir = file("$project.buildDir/reports/pmd")
   ruleSetFiles = files("config/pmd/ruleset.xml")
@@ -181,8 +181,8 @@ dependencyCheck {
 }
 
 ext {
-  log4JVersion = "2.23.1"
-  reformLoggingVersion = "6.1.5"
+  log4JVersion = "2.24.1"
+  reformLoggingVersion = "6.1.6"
 }
 
 dependencies {
@@ -196,21 +196,21 @@ dependencies {
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
-  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.3'
-  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.15.0'
+  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.4'
+  implementation group: 'com.azure.spring', name: 'spring-cloud-azure-starter-active-directory', version: '5.16.0'
   implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.12.0'
   implementation group: 'com.opencsv', name: 'opencsv', version: '5.9'
   implementation group: 'commons-validator', name: 'commons-validator', version: '1.9.0'
 
   implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.30', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
-  implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.2'
+  implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.3'
 
   // Include the sdk as a dependency
-  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '6.13.0'
+  implementation group: 'com.microsoft.graph', name: 'microsoft-graph', version: '6.17.0'
   // Include Azure identity for authentication
-  implementation group: 'com.azure', name: 'azure-identity', version: '1.13.2'
+  implementation group: 'com.azure', name: 'azure-identity', version: '1.14.0'
 
   implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.6.0'
 
@@ -223,11 +223,11 @@ dependencies {
   implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version: '8.0'
 
   // Include Azure storage blob for storing application images
-  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.27.0'
+  implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.28.0'
 
   // Include Flyway for database migrations
-  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.17.0'
-  implementation group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.17.0'
+  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.19.0'
+  implementation group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.19.0'
 
   // Force upgrade snakeyaml version for CVE-2022-38752
   implementation( group: 'org.yaml', name: 'snakeyaml').version {
@@ -236,16 +236,16 @@ dependencies {
 
   runtimeOnly("org.springframework.boot:spring-boot-properties-migrator")
 
-  testImplementation(platform('org.junit:junit-bom:5.10.3'))
+  testImplementation(platform('org.junit:junit-bom:5.11.2'))
   testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
   testImplementation group: 'org.springframework.security', name: 'spring-security-test'
   testImplementation group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '4.12.0'
   testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.3'
   testImplementation group: 'io.zonky.test', name: 'embedded-database-spring-test', version: '2.5.1'
-  testImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.1'
+  testImplementation group: 'org.awaitility', name: 'awaitility', version: '4.2.2'
   testImplementation group: 'org.apiguardian', name: 'apiguardian-api', version: '1.1.2'
   testImplementation group: 'org.mockito', name: 'mockito-inline', version: '5.2.0'
-  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.3', classifier: 'all'
+  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.4', classifier: 'all'
 }
 
 task fortifyScan(type: JavaExec)  {

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,27 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress>
-    <notes><![CDATA[file name: spring-cloud-azure-starter-active-directory-5.13.0.jar]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.azure\.spring/spring\-cloud\-azure\-starter\-active\-directory@.*$</packageUrl>
-    <cve>CVE-2021-42306</cve>
-  </suppress>
-  <suppress>
-    <notes>The vulnerability exists in the latest version of lib too. Need to wait for new version with the fix</notes>
-    <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.4</packageUrl>
-    <cve>CVE-2023-35116</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[file name: azure-identity-1.12.1.jar]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
-    <cve>CVE-2023-36415</cve>
-  </suppress>
-  <suppress>
-    <notes>Vulnerability pulled in by azure-identity</notes>
-    <cve>CVE-2024-35255</cve>
-  </suppress>
-  <suppress>
-    <notes>This vulnerability exists in various com.azure dependencies pulled in by the latest spring-cloud-azure-starter-active-directory</notes>
-    <packageUrl regex="true">^pkg:maven/com\.azure/azure.*$</packageUrl>
-    <cve>CVE-2023-36052</cve>
-  </suppress>
 </suppressions>
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-all.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/gradlew b/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
 #
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

diff --git a/gradlew.bat b/gradlew.bat
@@ -13,6 +13,8 @@
 @rem See the License for the specific language governing permissions and
 @rem limitations under the License.
 @rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
 
 @if "%DEBUG%"=="" @echo off
 @rem ##########################################################################

diff --git a/infrastructure/.terraform-version b/infrastructure/.terraform-version
@@ -1 +1 @@
-1.9.4
+1.9.7
diff --git a/infrastructure/providers.tf b/infrastructure/providers.tf
@@ -3,7 +3,7 @@ terraform {
 
   required_providers {
     azurerm = {
-      version = "3.114.0"
+      version = "4.3.0"
     }
     postgresql = {
       source  = "cyrilgdn/postgresql"