FACT-1979 CVE/Dependencies Updates (#3332)

RuthKirby · hmcts-jenkins-a-to-c[bot] · web-flow · commit 5304fb2d8f11 · 2024-09-24T15:15:11.000+01:00
* - puts flyway version into property

* - updates with new flyway and postgresql version properties

* - updates google guava

* - updates commons-lang3

* - updates commons-email

* - updates chart dependencies

* Bumping chart version/ fixing aliases

* - fix commons email version

* - updates azurerm version

* - updates terraform version

* - updates azure servicebus version

* - updates spring versions

* - tries to remove jackson databind suppression

* - updates azure storage blob version
- tries to remove azure suppression

* - updates test to look for new latest azure storage version

* - puts back suppression of azure

* - updates azurite version

* - updates test to check for latest azure storage version

* - removes dependabot yaml

* - reverts azure blob storage version

* - updates spring cloud starter version

---------

Co-authored-by: hmcts-jenkins-a-to-c &lt;62422075+hmcts-jenkins-a-to-c[bot]@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/build.gradle b/build.gradle
@@ -1,7 +1,11 @@
 buildscript {
+  ext {
+    flywayVersion = '10.17.3'
+    postgresqlVersion = '42.7.4'
+  }
   dependencies {
-    classpath("org.postgresql:postgresql:42.7.3")
-    classpath("org.flywaydb:flyway-database-postgresql:10.13.0")
+    classpath("org.postgresql:postgresql:$postgresqlVersion") // must be compatible with flyway version
+    classpath("org.flywaydb:flyway-database-postgresql:$flywayVersion") // flyway dependency/plugin versions must always match
   }
 }
 
@@ -11,8 +15,8 @@ plugins {
   id 'pmd'
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.1.6'
-  id 'org.flywaydb.flyway' version '10.13.0'
-  id 'org.springframework.boot' version '3.2.7'
+  id 'org.flywaydb.flyway' version "$flywayVersion"
+  id 'org.springframework.boot' version '3.3.3'
   id 'org.owasp.dependencycheck' version '9.1.0'
   id 'com.github.ben-manes.versions' version '0.51.0'
   id 'org.sonarqube' version '4.4.1.3373'
@@ -234,7 +238,9 @@ def versions = [
   junitPlatform: '1.9.2',
   mockitoJupiter: '3.3.3',
   reformLogging: '6.0.1',
-  apiguardian     : '1.1.2'
+  apiguardian     : '1.1.2',
+  flyway: "$flywayVersion",
+  postgresql: "$postgresqlVersion"
 ]
 
 
@@ -262,14 +268,17 @@ dependencies {
     exclude group: 'javax.mail', module: 'mailapi'
   }
 
-  runtimeOnly group: 'org.flywaydb', name: 'flyway-database-postgresql', version: '10.13.0'
+  runtimeOnly group: 'org.flywaydb', name: 'flyway-database-postgresql', version: versions.flyway
+  implementation group: 'org.flywaydb', name: 'flyway-core', version: versions.flyway
+
+  implementation group: 'org.postgresql', name: 'postgresql', version: versions.postgresql
 
   implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-spring', version: '5.14.0'
   implementation group: 'net.javacrumbs.shedlock', name: 'shedlock-provider-jdbc', version: '5.14.0'
 
   implementation group: 'com.azure', name: 'azure-storage-blob', version: '12.25.4'
 
-  implementation group: 'com.azure', name: 'azure-messaging-servicebus', version: '7.14.7'
+  implementation group: 'com.azure', name: 'azure-messaging-servicebus', version: '7.17.3'
 
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-actuator'
@@ -281,14 +290,12 @@ dependencies {
   implementation group: 'org.springframework.boot', name: 'spring-boot-starter-activemq'
 
 
-  implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '4.1.0'
+  implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '4.1.3'
   implementation group: 'io.github.openfeign', name: 'feign-httpclient', version: '13.3'
   implementation group: 'io.github.openfeign', name: 'feign-jackson', version: '13.3'
 
   implementation group: 'com.github.java-json-tools', name: 'json-schema-validator', version: '2.2.14', withoutJavaxMailApi
 
-  implementation group: 'org.flywaydb', name: 'flyway-core', version: '10.13.0'
-  implementation group: 'org.postgresql', name: 'postgresql', version: '42.7.3'
   // review following dependency after integrating db structure
   implementation group: 'io.hypersistence', name: 'hypersistence-utils-hibernate-63', version: '3.8.2'
 
@@ -308,10 +315,10 @@ dependencies {
   implementation group: 'com.github.hmcts', name: 'idam-java-client', version: '3.0.3'
   implementation group: 'com.github.hmcts', name: 'ccd-case-document-am-client', version: '1.59'
 
-  implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '3.1.8'
+  implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '3.1.9'
 
 
-  implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'
+  implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.17.0'
   implementation group: 'commons-io', name: 'commons-io', version: '2.16.1'
   // only used in uk.gov.hmcts.reform.bulkscanprocessor.validation.OcrValidator
   // single import: io.vavr.control.Try
@@ -322,7 +329,7 @@ dependencies {
 
   implementation group: 'io.github.resilience4j', name: 'resilience4j-spring-boot2', version: '2.2.0'
   implementation group: 'com.launchdarkly', name: 'launchdarkly-java-server-sdk', version: '7.5.0'
-  implementation group: 'com.google.guava', name: 'guava', version: '33.2.1-jre'
+  implementation group: 'com.google.guava', name: 'guava', version: '33.3.0-jre'
 
 
   testImplementation libraries.junit5
@@ -334,9 +341,9 @@ dependencies {
   testImplementation group: 'com.icegreen', name: 'greenmail', version: '1.6.15', {
     exclude group: 'junit', module: 'junit'
   }
-  testImplementation group: 'org.apache.commons', name: 'commons-email', version: '1.5'
+  testImplementation group: 'org.apache.commons', name: 'commons-email', version: '1.6.0'
   testImplementation group: 'io.github.netmikey.logunit', name: 'logunit-core', version: '2.0.0'
-  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.3', classifier: 'all', {
+  testImplementation group: 'com.github.hmcts', name: 'fortify-client', version: '1.4.4', classifier: 'all', {
     exclude group: 'commons-io', module: 'commons-io'
     exclude group: 'org.apache.commons', module: 'commons-lang3'
   }
@@ -346,14 +353,14 @@ dependencies {
 
   integrationTestImplementation sourceSets.main.runtimeClasspath
   integrationTestImplementation sourceSets.test.runtimeClasspath
-  integrationTestImplementation group: 'org.springframework.cloud', name: 'spring-cloud-contract-wiremock', version: '4.1.1', {
+  integrationTestImplementation group: 'org.springframework.cloud', name: 'spring-cloud-contract-wiremock', version: '4.1.4', {
     exclude group: 'com.github.tomakehurst', module: 'wiremock-jre8-standalone'
   }
   integrationTestImplementation group: 'org.wiremock', name: 'wiremock-standalone', version: '3.4.2'
   integrationTestImplementation group: 'org.testcontainers', name: 'postgresql', version: '1.19.7', {
     exclude group: 'junit', module: 'junit'
   }
-  integrationTestImplementation group: 'org.testcontainers', name: 'junit-jupiter', version: '1.19.7'
+  integrationTestImplementation group: 'org.testcontainers', name: 'junit-jupiter', version: '1.20.1'
   integrationTestImplementation group: 'com.revinate', name: 'assertj-json', version: '1.2.0'
 
   functionalTestImplementation sourceSets.main.runtimeClasspath
diff --git a/charts/bulk-scan-processor/Chart.yaml b/charts/bulk-scan-processor/Chart.yaml
@@ -1,20 +1,20 @@
 name: bulk-scan-processor
 apiVersion: v2
 home: https://github.com/hmcts/bulk-scan-processor
-version: 1.0.28
+version: 1.0.29
 description: HMCTS Bulk scan processor service
 maintainers:
   - name: HMCTS BSP Team
     email: bspteam@hmcts.net
 dependencies:
   - name: java
-    version: 5.2.0
+    version: 5.2.1
     repository: https://hmctspublic.azurecr.io/helm/v1/repo/
   - name: servicebus
-    version: 1.0.6
+    version: 1.0.7
     repository: https://hmctspublic.azurecr.io/helm/v1/repo/
     condition: servicebus.enabled
   - name: blobstorage
-    version: 2.0.1
+    version: 2.0.2
     repository: https://hmctspublic.azurecr.io/helm/v1/repo/
     condition: blobstorage.enabled
diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,8 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
-    <notes>Wait until a version exists that fixes these; they are all related</notes>
-    <cve>CVE-2023-35116</cve>
+    <notes>Wait for newer version of Azure Messaging Servicebus</notes>
     <cve>CVE-2023-36052</cve>
   </suppress>
 </suppressions>
diff --git a/infrastructure/.terraform-version b/infrastructure/.terraform-version
@@ -1 +1 @@
-1.6.6
+1.9.0
diff --git a/infrastructure/state.tf b/infrastructure/state.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.106.0"
+      version = "3.110.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`azurerm = {`
`6`	`6`	`source = "hashicorp/azurerm"`
`7`		`- version = "3.106.0"`
	`7`	`+ version = "3.110.0"`
`8`	`8`	`}`
`9`	`9`	`azuread = {`
`10`	`10`	`source = "hashicorp/azuread"`