Vulnerability fix

.github/workflows/allow-list.xml

@@ -112,16 +112,29 @@
 	</suppress>
 	<suppress>
 		<notes>
-			We will take this on next release
+			azure-json jar is for json parsing , we dont use it
 		</notes>
-		<cve>CVE-2024-45772</cve>
+		<cve>CVE-2023-5072</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			javax.json jar is non vulnerable
+		</notes>
+		<cve>CVE-2023-5072</cve>
 	</suppress>	
 	<suppress>
 		<notes>
-			We will take this on next release
+			we are not using Microsoft Teams online service for display name
 		</notes>
 		<cve>CVE-2020-10146</cve>
-	</suppress>	
+	</suppress>
+	<suppress>
+		<notes>
+			Not using file download feature with “Content-Disposition” header with a non-ASCII charset
+		</notes>
+		<cve>CVE-2025-41234</cve>
+	</suppress>
+
 
 </suppressions>
 

demos/rooms-bot/pom.xml

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.finos.springbot</groupId>
 		<artifactId>spring-bot</artifactId>
-		<version>10.0.2</version>
+		<version>10.0.2-SNAPSHOT</version>
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
@@ -23,12 +23,12 @@
 	    <dependency>
 			<groupId>org.finos.springbot</groupId>
 			<artifactId>symphony-bdk-chat-workflow-spring-boot-starter</artifactId>
-			<version>10.0.2</version>
+			<version>10.0.2-SNAPSHOT</version>
 		</dependency>
 	    <dependency>
 			<groupId>org.finos.springbot</groupId>
 			<artifactId>teams-chat-workflow-spring-boot-starter</artifactId>
-			<version>10.0.2</version>
+			<version>10.0.2-SNAPSHOT</version>
 		</dependency>
 	</dependencies>
 

libs/teams/teams-chat-workflow-spring-boot-starter/pom.xml

@@ -16,6 +16,9 @@
 	<properties>
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.compiler.target>17</maven.compiler.target>
+		<azure-storage-blob.version>12.25.3</azure-storage-blob.version>
+		<httpclient.version>4.5.13</httpclient.version>
+		<tomcat-embed-core.version>10.1.42</tomcat-embed-core.version>
 	</properties>
 
 	<dependencies>
@@ -24,6 +27,18 @@
 			<artifactId>chat-workflow</artifactId>
 			<version>10.0.2-SNAPSHOT</version>
 		</dependency>
+
+		<dependency>
+			<groupId>com.microsoft.azure</groupId>
+			<artifactId>msal4j</artifactId>
+			<version>${azure-msal4j.version}</version>
+		</dependency>
+
+		<dependency>
+		    <groupId>org.apache.tomcat.embed</groupId>
+		    <artifactId>tomcat-embed-core</artifactId>
+		    <version>${tomcat-embed-core.version}</version>
+		</dependency>
 
 		<!-- teams -->
 		<dependency>
@@ -32,110 +47,38 @@
 			<version>${teams.version}</version>
 			<scope>compile</scope>
 		</dependency>
-		
+
 		<dependency>
-	        <groupId>com.microsoft.bot</groupId>
-	        <artifactId>bot-azure</artifactId>
-	        <version>${teams.version}</version>
-	        <scope>compile</scope>
-	        <exclusions>
-	        	<!-- this is already included by spring -->
+			<groupId>com.microsoft.bot</groupId>
+			<artifactId>bot-azure</artifactId>
+			<version>${teams.version}</version>
+			<scope>compile</scope>
+			<exclusions>
 	        	<exclusion>
 	        		<groupId>org.json</groupId>
 	        		<artifactId>json</artifactId>
 	        	</exclusion>
-	        	<exclusion>
-	        		<groupId>com.azure</groupId>
-	        		<artifactId>azure-storage-blob</artifactId>
-	        	</exclusion>
-	        	<exclusion>
-	        		<groupId>com.google.guava</groupId>
-	        		<artifactId>guava</artifactId>
-	        	</exclusion>
-	        	<exclusion>
-	        		<groupId>org.apache.httpcomponents</groupId>
-	        		<artifactId>httpclient</artifactId>
-	        	</exclusion>
 	        </exclusions>
-      	</dependency>
-
-      	<dependency>
-			<groupId>com.microsoft.azure</groupId>
-			<artifactId>msal4j</artifactId>
-			<version>${azure-msal4j.version}</version>
-		</dependency>
-
-		<dependency>
-			<groupId>com.microsoft.bot</groupId>
-			<artifactId>bot-builder</artifactId>
-			<version>${teams.version}</version>
-			<scope>compile</scope>
-			<exclusions>
-				<exclusion>
-					<groupId>com.squareup.okio</groupId>
-					<artifactId>okio-jvm</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>com.google.guava</groupId>
-					<artifactId>guava</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>com.nimbusds</groupId>
-					<artifactId>nimbus-jose-jwt</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-
-		<dependency>
-			<groupId>io.netty</groupId>
-			<artifactId>netty-codec-http</artifactId>
-			<version>${netty-codec.version}</version>
 		</dependency>
 
-		<dependency>
-			<groupId>io.netty</groupId>
-			<artifactId>netty-handler</artifactId>
-			<version>${netty-handler.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>com.azure</groupId>
-	  		<artifactId>azure-storage-blob</artifactId>
-	  		<version>12.25.3</version> <!-- Replace with property -->
-	  		<exclusions>	  			
-	  			<exclusion>
-	  				<groupId>com.azure</groupId>
-	  				<artifactId>azure-core-http-netty</artifactId>
-	  			</exclusion>
-	  		</exclusions>
+			<artifactId>azure-storage-blob</artifactId>
+			<version>${azure-storage-blob.version}</version>
 		</dependency>
-		
+
 		<dependency>
 			<groupId>com.azure</groupId>
-	  		<artifactId>azure-core-http-netty</artifactId>	
-	  		<version>${azure-core-http-netty.version}</version>
+			<artifactId>azure-core-http-netty</artifactId>
+			<version>${azure-core-http-netty.version}</version>
 		</dependency>
 
-		<dependency>
-			<groupId>com.nimbusds</groupId>
-			<artifactId>nimbus-jose-jwt</artifactId>	
-	  		<version>9.37.2</version>	<!-- Replace with property -->
-		</dependency>
-
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
-	    	<artifactId>httpclient</artifactId>
-	    	<version>4.5.13</version> <!-- Replace with property -->
+			<artifactId>httpclient</artifactId>
+			<version>${httpclient.version}</version> <!-- Replace with property -->
 		</dependency>
-
-		<!-- removed Vulnerability in bot connector(4.14.3) ->
-		 okttp(3.12.2) -> change version of okio jvm to 3.4.0 -->
-		<dependency>
-			<groupId>com.squareup.okio</groupId>
-			<artifactId>okio-jvm</artifactId>
-			<version>${okio-jvm.version}</version>	
-		</dependency>	
-
+
 		<!-- for parsing html sent to bot -->
 		<dependency>
 			<groupId>org.jsoup</groupId>
@@ -149,20 +92,22 @@
 			<artifactId>js</artifactId>
 			<version>${graalvm.version}</version>
 		</dependency>
-
-		<!-- for templating xml/html @work
-		thymeleaf.spring5 doesn't support in spring 3.x.x' -->
+
+
+		<!-- for templating xml/html @work thymeleaf.spring5 doesn't support in 
+			spring 3.x.x' -->
+
 		<dependency>
-		    <groupId>org.springframework.boot</groupId>
-		    <artifactId>spring-boot-starter-thymeleaf</artifactId>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
-		
+
 		<dependency>
 			<groupId>com.google.guava</groupId>
-	        <artifactId>guava</artifactId>
-	        <version>${guava.version}</version>
+			<artifactId>guava</artifactId>
+			<version>${guava.version}</version>
 		</dependency>
-		
+
 
 		<!-- for testing -->
 		<dependency>

pom.xml

@@ -53,31 +53,19 @@
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.compiler.target>17</maven.compiler.target>
 		<java.version>17</java.version>
-
 		<!-- this must match the version from the spring boot pom -->
-		<jackson-databind.version>2.16.2</jackson-databind.version>
-		<jackson.version>2.16.2</jackson.version>
-		<jackson-annotations.version>2.16.2</jackson-annotations.version>
-		<corenlp.version>4.4.0</corenlp.version>
-		<sutime-models.version>1.3.5</sutime-models.version>
 		<rometools.version>1.15.0</rometools.version>
+		<sutime-models.version>1.3.5</sutime-models.version>
 		<teams.version>4.14.3</teams.version>
-		<azure-storage-blob.version>12.20.1</azure-storage-blob.version>
-		<okio-jvm.version>3.4.0</okio-jvm.version>
 		<guava.version>32.1.0-jre</guava.version>
 		<jsoup.version>1.17.2</jsoup.version>
 		<graalvm.version>23.0.3</graalvm.version>
 		<symphony-bdk.version>3.0.0</symphony-bdk.version>
-		<!--<mimepull.version>1.9.15</mimepull.version>-->
-		<!--<thymeleaf.version>2.7.0</thymeleaf.version>-->	
 		<azure-core-http-netty.version>1.15.11</azure-core-http-netty.version>	
-		<nimbus-jose-jwt.version>9.9.1</nimbus-jose-jwt.version>	
 		<httpclient.version>4.5.13</httpclient.version>			
 		<corenlp.version>4.5.7</corenlp.version>
-		<azure-storage-blob.version>12.25.3</azure-storage-blob.version>
-		<netty-handler.version>4.1.115.Final</netty-handler.version>
-		<netty-codec.version>4.1.115.Final</netty-codec.version>
 		<azure-msal4j.version>1.16.1</azure-msal4j.version>
+		<protonpack.version>1.16</protonpack.version>
 	</properties>
 
 	<licenses>
@@ -219,31 +207,7 @@
 
 	<dependencyManagement>
 		<dependencies>
-			<!-- SpringBoot 2.7.0 pulls 1.10 version of below lib which is compiled with Java11 and hence causes errors
-			<dependency>
-				<groupId>org.jvnet.mimepull</groupId>
-				<artifactId>mimepull</artifactId>
-				<version>${mimepull.version}</version>
-			</dependency>
- 			-->
-			<dependency>
-				<groupId>com.fasterxml.jackson.core</groupId>
-				<artifactId>jackson-databind</artifactId>
-				<version>${jackson-databind.version}</version>
-			</dependency>
 
-			<dependency>
-				<groupId>com.fasterxml.jackson.core</groupId>
-				<artifactId>jackson-core</artifactId>
-				<version>${jackson.version}</version>
-			</dependency>
-
-			<dependency>
-				<groupId>com.fasterxml.jackson.core</groupId>
-				<artifactId>jackson-annotations</artifactId>
-				<version>${jackson-annotations.version}</version>
-			</dependency>
-
 			<dependency>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>
@@ -265,17 +229,8 @@
 			<dependency>
 			    <groupId>com.codepoetics</groupId>
 			    <artifactId>protonpack</artifactId>
-			    <version>1.16</version>
-			</dependency>
-
-			<!-- fixing CVE-2022-1471.  If we upgrade to a new version of spring-boot-dependencies this 
-			  may no longer be needed -->
-			<dependency>
-			    <groupId>org.yaml</groupId>
-			    <artifactId>snakeyaml</artifactId>
-			    <version>2.2</version>
-			</dependency> 
-
+			    <version>${protonpack.version}</version>
+			</dependency>			
 
 		</dependencies>
 	</dependencyManagement>