[RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data (#499)

* [RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data

* [RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data

* [RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data

* [RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data

* [RDCC-6234] Address CVEs in all Reference Data repositories - Judicial Reference Data

Author: manukundloo-hmcts

build.gradle

@@ -301,7 +301,6 @@ dependencies {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: versions.springBoot
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: versions.springBoot
     implementation group: 'org.springframework.security', name: 'spring-security-core', version: '5.7.5'
-    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '3.0.2'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-cache', version: versions.springBoot
 
     implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.70'
@@ -365,7 +364,11 @@ dependencies {
     implementation "io.github.openfeign:feign-httpclient:11.0"
     implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: versions.log4j
 
-    
+    implementation group: 'com.nimbusds', name: 'lang-tag', version: '1.7'
+    implementation group: 'org.json', name: 'json', version: '20230227'
+
+
+
 
     testImplementation ('com.github.hmcts:rd-commons-lib:v0.0.13'){
         exclude group: 'org.springframework.boot', module: 'spring-boot-starter-web'
@@ -453,6 +456,12 @@ dependencyManagement {
             entry 'tomcat-embed-el'
             entry 'tomcat-embed-websocket'
         }
+
+        //CVE-2021-22044
+        dependencySet(group: 'org.springframework.cloud', version: '3.1.5') {
+            entry 'spring-cloud-starter-openfeign'
+            entry 'spring-cloud-openfeign-core'
+        }
     }
 }
 

config/owasp/suppressions.xml

@@ -1,44 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress until="2023-12-16">
-        <notes><![CDATA[
-   file name: lang-tag-1.4.4.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
-        <cve>CVE-2020-23171</cve>
-    </suppress>
-    <suppress until="2023-05-16">
-        <notes><![CDATA[
-   file name: spring-core-5.3.18.jar
-   ]]></notes>
-        <cve>CVE-2016-1000027</cve>
-    </suppress>
-    <suppress until="2023-12-30">
-    <notes><![CDATA[
-   file name: tomcat-embed-core-9.0.63.jar
-   ]]></notes>
-        <cve>CVE-2022-34305</cve>
-        <cve>CVE-2021-37533</cve>
-    </suppress>
+
     <suppress until="2023-12-30">
     <notes>cucumber:datatable pom contains com.googlecode.java-diff-utils:diffutils which has the CVE vulnerability, no fix has been released yet for this</notes>
     <cve>CVE-2021-4277</cve>
   </suppress>
-      <suppress>
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <cve>CVE-2021-4235</cve>
-        <cve>CVE-2022-3064</cve>
-        <cve>CVE-2021-22044</cve>
-    </suppress>
+
     <suppress>
-        <notes>CVE-2022-22978 suppression (false positive), because spring security already at (5.7.5) this is higher than the vulnerable versions
-            (5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4)
-            https://tanzu.vmware.com/security/cve-2022-22978</notes>
-        <cve>CVE-2022-22978</cve>
-        <cve>CVE-2022-22976</cve>
-        <cve>CVE-2021-22044</cve>
-    </suppress>   
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+
     <suppress>
-     <cve>CVE-2022-45688</cve>
+        <notes>commons-fileupload</notes>
+        <cve>CVE-2023-24998</cve>
     </suppress>
 </suppressions>