Skip to content

Commit 5ba9c1a

Browse files
DTSRD-6422 (#1147)
* jackson 2.22.0 * tomcat 10.1.56 * dependencycheck 12.2.2 * CVE-2026-54515 suppression * trigger build * CVE-2025-7962, CVE-2026-54399 and CVE-2026-54428 suppression
1 parent dc32574 commit 5ba9c1a

2 files changed

Lines changed: 88 additions & 11 deletions

File tree

build.gradle

Lines changed: 48 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ plugins {
1313
id 'org.springframework.boot' version '3.5.15'
1414
id "org.flywaydb.flyway" version "9.22.3"
1515
id 'au.com.dius.pact' version '4.6.17'
16-
id 'org.owasp.dependencycheck' version '12.2.0'
16+
id 'org.owasp.dependencycheck' version '12.2.2'
1717
id 'net.serenity-bdd.serenity-gradle-plugin' version '4.2.34'
1818
}
1919

@@ -32,7 +32,7 @@ def versions = [
3232
launchDarklySdk : "5.10.9",
3333
junit : '6.0.0',
3434
junitPlatform : '6.0.0',
35-
jackson : '2.20.1',
35+
jackson : '2.22.0',
3636
log4j : '2.26.0',
3737
logback : '1.5.20',
3838
logstashEncoder : '8.1',
@@ -341,14 +341,37 @@ dependencies {
341341
implementation group: 'com.github.hmcts', name: 'service-auth-provider-java-client', version: '5.3.3'
342342

343343
implementation group: 'com.auth0', name: 'java-jwt', version: '4.5.0'
344-
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: '2.20.1'
345344
implementation group: 'io.jsonwebtoken', name: 'jjwt', version:'0.9.1'
346-
implementation group: 'com.fasterxml.jackson', name: 'jackson-bom', version: versions.jackson, ext: 'pom'
347-
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: versions.jackson
348-
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: '2.20'
349-
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: versions.jackson
350-
implementation group: 'com.fasterxml.jackson', name: 'jackson-bom', version: '2.20.1', ext: 'pom'
351-
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: versions.jackson
345+
implementation (group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310') {
346+
version {
347+
strictly versions.jackson
348+
}
349+
}
350+
implementation (group: 'com.fasterxml.jackson', name: 'jackson-bom', ext: 'pom') {
351+
version {
352+
strictly versions.jackson
353+
}
354+
}
355+
implementation (group: 'com.fasterxml.jackson.core', name: 'jackson-core') {
356+
version {
357+
strictly versions.jackson
358+
}
359+
}
360+
implementation (group: 'com.fasterxml.jackson.core', name: 'jackson-databind') {
361+
version {
362+
strictly versions.jackson
363+
}
364+
}
365+
implementation (group: 'com.fasterxml.jackson', name: 'jackson-bom', ext: 'pom') {
366+
version {
367+
strictly versions.jackson
368+
}
369+
}
370+
implementation (group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310') {
371+
version {
372+
strictly versions.jackson
373+
}
374+
}
352375

353376
implementation group: 'jakarta.inject', name: 'jakarta.inject-api', version: '2.0.1'
354377
implementation 'com.github.hmcts:idam-java-client:3.0.5'
@@ -491,7 +514,7 @@ dependencyManagement {
491514
mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
492515
}
493516
dependencies {
494-
dependencySet(group: 'org.apache.tomcat.embed', version: '10.1.55') {
517+
dependencySet(group: 'org.apache.tomcat.embed', version: '10.1.56') {
495518
entry 'tomcat-embed-core'
496519
entry 'tomcat-embed-el'
497520
entry 'tomcat-embed-websocket'
@@ -517,6 +540,21 @@ dependencyManagement {
517540
entry 'spring-web'
518541
entry 'spring-webmvc'
519542
}
543+
dependencySet(group: 'com.fasterxml.jackson.core', version: versions.jackson) {
544+
entry 'jackson-core'
545+
entry 'jackson-databind'
546+
}
547+
dependencySet(group: 'com.fasterxml.jackson.datatype', version: versions.jackson) {
548+
entry 'jackson-datatype-jsr310'
549+
entry 'jackson-datatype-jdk8'
550+
}
551+
dependencySet(group: 'com.fasterxml.jackson.dataformat', version: versions.jackson) {
552+
entry 'jackson-dataformat-toml'
553+
entry 'jackson-dataformat-yaml'
554+
}
555+
dependencySet(group: 'com.fasterxml.jackson.module', version: versions.jackson) {
556+
entry 'jackson-module-parameter-names'
557+
}
520558
}
521559
}
522560

@@ -553,4 +591,3 @@ rootProject.tasks.named("processFunctionalTestResources") {
553591
rootProject.tasks.named("processIntegrationTestResources") {
554592
duplicatesStrategy = 'include'
555593
}
556-

config/owasp/suppressions.xml

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,42 @@
11
<?xml version="1.0" encoding="UTF-8"?><suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
2+
<suppress>
3+
<notes>
4+
<![CDATA[
5+
Reviewed 2026-07-07
6+
False positive:
7+
CVE-2026-54515 applies to jackson libraries.
8+
Affected libraries reported by dependency-check are:
9+
- jackson-databind 2.22.0
10+
Versions of used libraries are their latest respectively.
11+
]]>
12+
</notes>
13+
<cve>CVE-2026-54515</cve>
14+
</suppress>
15+
<suppress>
16+
<notes>
17+
<![CDATA[
18+
Reviewed 2026-06-18
19+
False positive:
20+
CVE-2025-7962 applies to angus-activation.
21+
Affected libraries reported by dependency-check are:
22+
- angus-activation 2.0.3
23+
Versions of used libraries are their latest respectively.
24+
]]>
25+
</notes>
26+
<cve>CVE-2025-7962</cve>
27+
</suppress>
28+
<suppress>
29+
<notes>
30+
<![CDATA[
31+
Reviewed 2026-07-07
32+
False positive:
33+
CVE-2026-54399 and CVE-2026-54428 applies to httpcore libraries.
34+
Affected libraries reported by dependency-check are:
35+
- httpcore 4.4.16
36+
Versions of used libraries are their latest respectively.
37+
]]>
38+
</notes>
39+
<cve>CVE-2026-54399</cve>
40+
<cve>CVE-2026-54428</cve>
41+
</suppress>
242
</suppressions>

0 commit comments

Comments
 (0)