diff --git a/owasp-false-positive-warnings.xml b/owasp-false-positive-warnings.xml
index 50e88140f4bf83c356120b32d1121783da390827..e3801b29e8cd446a0f3a51d019723ec8df1604fe 100644
--- a/owasp-false-positive-warnings.xml
+++ b/owasp-false-positive-warnings.xml
@@ -1,8 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
- <suppress>
+<suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
+ xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
+ https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+ <!--suppress>
 <notes><![CDATA[
 file name: spring-security-crypto-5.8.*.jar
+ The data serialized by the application is trusted
+ NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
@@ -11,6 +16,7 @@
 <suppress>
 <notes><![CDATA[
 file name: spring-web-5.3.*.jar
+ CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
 <cve>CVE-2016-1000027</cve>
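Review bot: The new `<!--suppress>` on the first entry, paired with `</suppress -->` on the last entry of this file, turns every suppression in the file into one XML comment, so none of them is in effect and all the justification text added in this commit is dead; if the goal is to re-run dependency-check 9.0.3 without suppressions, remove the file from the plugin's suppression-file configuration rather than commenting out content whose regexes and notes must then never contain `--`. The two note lines added for CVE-2020-5408 also look copied from the CVE-2016-1000027 entries: as far as I recall that CVE concerns the fixed IV in spring-security-crypto's queryable-text encryptor in releases before 5.3.2, not deserialization, so the stated rationale does not support the suppression (confirm against the NVD entry). Since the pom pins spring.security at 5.8.8, the honest note would be `CVE-2020-5408 - affects spring-security-crypto < 5.3.2; 5.8.x is outside the vulnerable range (CPE false positive)`. The regex `spring\-security\-crypto@.*$` matches every future version, so an `until` date on the `<suppress>` would force the entry to be revisited.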
@@ -18,9 +24,11 @@
 </suppress>
 <suppress>
 <notes><![CDATA[
- file name: smp.war: spring-core-5.3.30.jar
+ file name: smp.war: spring-core-5.3.31.jar
+ The data serialized by the application are from authenticated users and trusted
+ NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
 ]]></notes>
- <sha1>cd2b09bf9bdb45c3cf2b771317b6dd0d6b2f6a25</sha1>
+ <sha1>368e76f732a3c331b970f69cafec1525d27b34d3</sha1>
 <cve>CVE-2016-1000027</cve>
 </suppress>
 <suppress>
@@ -32,6 +40,17 @@
 <suppress>
 <notes><![CDATA[
 file name: guava-30.1-jre.jar
+ CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
+ CVE-2023-2976 - we don't use FileBackedOutputStream
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+ <cve>CVE-2020-8908</cve>
+ <cve>CVE-2023-2976</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir()
+ CVE-2023-2976 - we don't use FileBackedOutputStream
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
@@ -39,7 +58,10 @@
 </suppress>
 <suppress>
 <notes><![CDATA[
- file name: snakeyaml-1.30.jar part of spring boot - just for demo and testing
+ file name: snakeyaml-1.30.jar
+ The vulnerability is not impacting smp.war,
+ because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
+ to external users.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
 <cve>CVE-2022-1471</cve>
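Review bot: The guava suppression is now stated twice with identical notes and the unbounded regex `guava@.*$`, and both rest on "we don't use X", a code-audit claim that nothing in the file dates or ties to a version. As far as I recall both CVE-2020-8908 and CVE-2023-2976 are fixed in Guava 32.0.0 and later, so if guava-30.1-jre is a direct dependency an upgrade retires both entries outright; if it is transitive, the note should name the dependency that pulls it in. The guava version is not managed anywhere in this diff, so I cannot tell which case applies; at minimum add `until="..."` on each `<suppress>` so the "we don't use" claim is re-checked.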
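Review bot: The new rationale "Yaml configuration is not exposed to external users" does not address CVE-2022-1471, which, as I recall it, is unsafe deserialization in SnakeYAML's default `Constructor` for any YAML the application loads, so the note should state that no code path in smp.war feeds request or upload content to `new Yaml()` rather than talk about configuration exposure. The note also says the jar is "intended only for demo and testing" while claiming it ships inside smp.war, which is contradictory; if snakeyaml-1.30.jar is in the deployed war, the demo argument does not hold. Since the pom manages spring-boot 2.7.18, overriding `snakeyaml.version` to a 2.x release (whose loader is safe by default) would retire this entry, whereas `snakeyaml@.*$` keeps suppressing it after any upgrade.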
@@ -53,13 +75,18 @@
 <suppress>
 <notes><![CDATA[
 file name: jackson-databind-2.15.2.jar
+ The vulnerability is not exploitable by SMP usage of the library.
+ NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
+ a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
 <cve>CVE-2023-35116</cve>
 </suppress>
 <suppress>
- <notes><![CDATA[Only for demo and testing
+ <notes><![CDATA[
 file name: tomcat-embed-websocket-9.0.x.jar
+ The vulnerability is not impacting smp.war,
+ because is part of spring boot - intended only for demo and testing.
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
 <cve>CVE-2023-41080</cve>
@@ -67,7 +94,7 @@
 <suppress>
 <notes><![CDATA[
 file name: dom4j-2.1.3/4.jar
- Used internally by hibernate-envers
+ Used internally by hibernate-envers not exposed to external users/attackers
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
 <cve>CVE-2023-45960</cve>
@@ -75,9 +102,9 @@
 <suppress>
 <notes><![CDATA[
 file name: bdmsl-webapp.war: dom4j-2.1.3.jar
- Used internally by hibernate-envers
+ Used internally by hibernate-envers not exposed to external users/attackers
 ]]></notes>
 <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1>
 <cve>CVE-2023-45960</cve>
- </suppress>
+ </suppress -->
 </suppressions>
diff --git a/pom.xml b/pom.xml
index 66d48b55d83ce33bd75dbe634df22f91c44c7088..d0df99bde97c3a33cfef193c345a07bede2256d3 100644
--- a/pom.xml
+++ b/pom.xml
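Review bot: The tomcat-embed-websocket suppression for CVE-2023-41080 is likely stale after this same commit raises `spring-boot.tomcat.version` to 9.0.83 in pom.xml: as I recall, that open redirect in FORM authentication was fixed in Tomcat 9.0.80, so the scanner should stop matching unless the CPE mapping is wrong, and the note should then say so instead of "only for demo and testing", which contradicts the claim that the jar is inside smp.war. I would delete this `<suppress>` and re-run the scan; if it still fires, replace the note with `CVE-2023-41080 - fixed in Tomcat 9.0.80, CPE false positive on tomcat-embed-websocket; 9.0.83 in use`. The jackson-databind entry above similarly matches every version via `jackson\-databind@.*$` and carries no date; an `until` attribute would keep both from outliving the jars they describe.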
@@ -38,24 +38,22 @@
 <maven.compiler.source>1.8</maven.compiler.source>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <edelivery.ssl-auth.version>1.15-SNAPSHOT</edelivery.ssl-auth.version>
- <edelivery.dynamic-discovery-client.version>2.1-SNAPSHOT</edelivery.dynamic-discovery-client.version>
+ <edelivery.dynamic-discovery-client.version>2.1.1-SNAPSHOT</edelivery.dynamic-discovery-client.version>
 <bdmsl-api.version>4.3</bdmsl-api.version>
 <!-- plugin versions -->
- <plugin.build-helper-maven-plugin.version>1.9.1</plugin.build-helper-maven-plugin.version>
- <plugin.dependency-check-maven.version>8.4.2</plugin.dependency-check-maven.version>
+ <plugin.dependency-check-maven.version>9.0.3</plugin.dependency-check-maven.version>
 <plugin.jacoco-maven-plugin.version>0.8.11</plugin.jacoco-maven-plugin.version>
- <plugin.license-maven-plugin.version>2.0.0</plugin.license-maven-plugin.version>
+ <plugin.license-maven-plugin.version>2.3.0</plugin.license-maven-plugin.version>
 <plugin.maven-antrun-plugin.version>3.1.0</plugin.maven-antrun-plugin.version>
 <plugin.maven-assembly-plugin.version>3.6.0</plugin.maven-assembly-plugin.version>
- <plugin.maven-bundle-plugin.version>3.0.0</plugin.maven-bundle-plugin.version>
- <plugin.maven-clean-plugin.version>3.3.1</plugin.maven-clean-plugin.version>
+ <plugin.maven-clean-plugin.version>3.3.2</plugin.maven-clean-plugin.version>
 <plugin.maven-compiler-plugin.version>3.11.0</plugin.maven-compiler-plugin.version>
- <plugin.maven-dependency-plugin.version>3.6.0</plugin.maven-dependency-plugin.version>
+ <plugin.maven-dependency-plugin.version>3.6.1</plugin.maven-dependency-plugin.version>
 <plugin.maven-failsafe-plugin.version>3.1.2</plugin.maven-failsafe-plugin.version>
 <plugin.maven-jar-plugin.version>3.3.0</plugin.maven-jar-plugin.version>
 <plugin.maven-release-plugin.version>3.0.1</plugin.maven-release-plugin.version>
 <plugin.maven-resources-plugin.version>3.3.1</plugin.maven-resources-plugin.version>
- <plugin.maven-surefire-plugin.version>3.1.2</plugin.maven-surefire-plugin.version>
+ <plugin.maven-surefire-plugin.version>3.2.2</plugin.maven-surefire-plugin.version>
 <plugin.maven-war-plugin.version>3.4.0</plugin.maven-war-plugin.version>
@@ -65,11 +63,11 @@
 <commons-beanutils.version>1.9.4</commons-beanutils.version>
 <commons-collections.version>3.2.2</commons-collections.version>
- <commons-io.version>2.14.0</commons-io.version>
- <commons-lang3.version>3.13.0</commons-lang3.version>
+ <commons-io.version>2.15.0</commons-io.version>
+ <commons-lang3.version>3.14.0</commons-lang3.version>
 <commons-fileupload.version>1.5</commons-fileupload.version>
- <commons-net.version>3.9.0</commons-net.version>
- <commons-validator.version>1.7</commons-validator.version>
+ <commons-net.version>3.10.0</commons-net.version>
+ <commons-validator.version>1.8.0</commons-validator.version>
 <cxf-xjc-runtime.version>3.3.2</cxf-xjc-runtime.version>
 <cxf.version>3.5.7</cxf.version>
 <ehcache.version>2.10.9.2</ehcache.version>
@@ -91,29 +89,26 @@
 <jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
 <jstl.version>1.2</jstl.version>
 <junit.version>4.13.2</junit.version>
- <junit-jupiter.version>5.10.0</junit-jupiter.version>
+ <junit-jupiter.version>5.10.1</junit-jupiter.version>
 <junit-platform-surefire-provider.version>1.3.2</junit-platform-surefire-provider.version>
 <junitparams.version>1.1.1</junitparams.version>
 <!-- Use logback 1.2.x because is the one used by springboot 5.7. Changing to 1.3+ will break springboot logging. -->
 <slf4j.version>1.7.36</slf4j.version>
- <logback.version>1.2.12</logback.version>
+ <logback.version>1.2.13</logback.version>
 <mysql.jdbc.version>8.2.0</mysql.jdbc.version>
 <metro.version>2.2.1-1</metro.version>
 <mockito.version>4.11.0</mockito.version>
- <orika.version>1.5.4</orika.version>
 <servlet-api.version>3.0.1</servlet-api.version>
 <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
 <spring-boot.version>2.7.18</spring-boot.version>
- <spring-boot.tomcat.version>9.0.82</spring-boot.tomcat.version>
+ <spring-boot.tomcat.version>9.0.83</spring-boot.tomcat.version>
 <spring.security.version>5.8.8</spring.security.version>
- <spring.version>5.3.30</spring.version>
+ <spring.version>5.3.31</spring.version>
 <xmlunit.version>2.9.1</xmlunit.version>
 <!-- plugins -->
 <plugin.frontend-maven-plugin.version>1.15.0</plugin.frontend-maven-plugin.version>
- <plugin.exec-maven-plugin.version>1.6.0</plugin.exec-maven-plugin.version>
-
 <sonar.jacoco.remotePort>${jacocoRemotePort}</sonar.jacoco.remotePort>
 <sonar.jacoco.remoteAddress>${jacocoRemoteAddress}</sonar.jacoco.remoteAddress>
@@ -145,6 +140,9 @@
 </release.arguments>
 <project.scm.id>edelivery-scm</project.scm.id>
 </properties>
+ <prerequisites>
+ <maven>3.6.0</maven>
+ </prerequisites>
 <scm>
 <developerConnection>scm:git:https://ec.europa.eu/digital-building-blocks/code/scm/edelivery/smp.git
@@ -359,6 +357,10 @@
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcprov-jdk15on</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -428,13 +430,13 @@
 <version>${aspectj.version}</version>
 </dependency>
 <dependency>
- <groupId>ma.glasnost.orika</groupId>
- <artifactId>orika-core</artifactId>
- <version>${orika.version}</version>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>${logback.version}</version>
 </dependency>
 <dependency>
 <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
+ <artifactId>logback-core</artifactId>
 <version>${logback.version}</version>
 </dependency>
 <dependency>
@@ -699,11 +701,6 @@
 <artifactId>sonar-maven-plugin</artifactId>
 <version>${plugin.sonar-maven-plugin.version}</version>
 </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <version>${plugin.build-helper-maven-plugin.version}</version>
- </plugin>
 <plugin>
 <groupId>org.apache.cxf</groupId>
 <artifactId>cxf-codegen-plugin</artifactId>
@@ -749,11 +746,6 @@
 <artifactId>maven-compiler-plugin</artifactId>
 <version>${plugin.maven-compiler-plugin.version}</version>
 </plugin>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <version>${plugin.maven-bundle-plugin.version}</version>
- </plugin>
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-jar-plugin</artifactId>
@@ -764,11 +756,6 @@
 <artifactId>frontend-maven-plugin</artifactId>
 <version>${plugin.frontend-maven-plugin.version}</version>
 </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>exec-maven-plugin</artifactId>
- <version>${plugin.exec-maven-plugin.version}</version>
- </plugin>
 </plugins>
 </pluginManagement>
 <plugins>
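Review bot: The new `bcpkix-jdk15on` exclusion, added next to the existing `bcprov-jdk15on` one, removes the Bouncy Castle PKIX/CMS classes from this dependency's transitive tree without any replacement visible in this diff; if the intent is to converge on the maintained `jdk18on` artifacts (the ones that still receive Bouncy Castle security fixes), a managed `org.bouncycastle:bcpkix-jdk18on` should accompany it, otherwise whichever code needed bcpkix from this dependency will fail at runtime with a missing class rather than at build time. Please either add that managed dependency in the same commit or put a one-line XML comment above the exclusion naming where bcpkix is now expected to come from. The `<dependency>` element that owns this `<exclusions>` block starts outside the hunk, so I cannot see which artifact is being trimmed.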