hmcts · dinesh1patel · Oct 24, 2023 · Oct 30, 2023
diff --git a/build.gradle b/build.gradle
@@ -263,7 +263,7 @@ dependencies {
   implementation group: 'com.github.ben-manes.caffeine', name: 'caffeine', version: '2.7.0'
 
   implementation group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.4'
-  implementation group: 'org.json', name: 'json', version: '20200518'
+  implementation group: 'org.json', name: 'json', version: '20230227'
 
   implementation group: 'org.projectlombok', name: 'lombok', version: versions.lombok
   annotationProcessor group: 'org.projectlombok', name: 'lombok', version: versions.lombok

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,32 +1,44 @@
 <?xml version="1.0" encoding="UTF-8"?><suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-<suppress>
-<notes>Temporary Suppression
-      CVE-2022-45688 refer https://tools.hmcts.net/jira/browse/CCD-4373
-      CVE-2022-1471 refer https://tools.hmcts.net/jira/browse/CCD-4454
-      CVE-2023-20883 refer [Ticket]
-      CVE-2023-35116 refer [Ticket]
-      CVE-2023-34036 refer [Ticket]
-      CVE-2023-34034 refer [Ticket]
-      CVE-2023-20873 refer [Ticket]
-      CVE-2023-41080 refer [Ticket]
-      CVE-2023-42794 refer [Ticket]
-      CVE-2023-42795 refer [Ticket]
-      CVE-2023-45648 refer [Ticket]
-      CVE-2023-44487 refer [Ticket]
-      CVE-2023-5072 refer [Ticket]
-  </notes>
-<cve>CVE-2022-45688</cve>
-<cve>CVE-2022-1471</cve>
-<cve>CVE-2023-20883</cve>
-<cve>CVE-2023-35116</cve>
-<cve>CVE-2023-34036</cve>
-<cve>CVE-2023-34034</cve>
-<cve>CVE-2023-20873</cve>
-<cve>CVE-2023-41080</cve>
-<cve>CVE-2023-42794</cve>
-<cve>CVE-2023-42795</cve>
-<cve>CVE-2023-45648</cve>
-<cve>CVE-2023-44487</cve>
-<cve>CVE-2023-5072</cve>
-</suppress>
+<!--Please add all the false positives under the below section-->
+  <suppress>
+    <notes>False Positives
+      CVE-2023-5072 - So for versions 20231013 and later of json-java, CVE-2023-5072 is apparently a False Positive.
+    </notes>
+    <cve>CVE-2023-5072</cve>
+  </suppress>
+  <!--End of false positives section -->
+  <suppress>
+    <notes>Temporary Suppression
+        CVE-2022-1471 refer https://tools.hmcts.net/jira/browse/CCD-4454
+        CVE-2023-20883 refer [Ticket]
+        CVE-2023-35116 refer [Ticket]
+        CVE-2023-34036 refer [Ticket]
+        CVE-2023-34034 refer [Ticket]
+        CVE-2023-20873 refer [Ticket]
+        CVE-2023-41080 refer [Ticket]
+        CVE-2023-42794 refer [Ticket]
+        CVE-2023-42795 refer [Ticket]
+        CVE-2023-45648 refer [Ticket]
+        CVE-2023-44487 refer [Ticket]
+    </notes>
+    <cve>CVE-2022-1471</cve>
+    <cve>CVE-2023-20883</cve>
+    <cve>CVE-2023-35116</cve>
+    <cve>CVE-2023-34036</cve>
+    <cve>CVE-2023-34034</cve>
+    <cve>CVE-2023-20873</cve>
+    <cve>CVE-2023-41080</cve>
+    <cve>CVE-2023-42794</cve>
+    <cve>CVE-2023-42795</cve>
+    <cve>CVE-2023-45648</cve>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
+  <suppress base="true">
+    <notes><![CDATA[
+        suppress various improper matches to the CPE that belongs only to pkg:maven/org.json/json
+        ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+    <cpe>cpe:/a:json-java_project:json-java</cpe>
+  </suppress>
 </suppressions>