CCD-4975 : Fix CVE-2023-5072

build.gradle

@@ -6,6 +6,7 @@ plugins {
   id 'com.github.ben-manes.versions' version '0.20.0'
   id 'org.sonarqube' version '4.4.0.3356'
   id 'uk.gov.hmcts.java' version '0.12.40'
+  id 'org.owasp.dependencycheck' version '8.4.2' apply true
 }
 
 group = 'uk.gov.hmcts.reform.ccd'
@@ -90,8 +91,10 @@ task functional(type: Test) {
 jacocoTestReport {
   executionData(test, integration)
   reports {
-    xml.enabled = true
-    csv.enabled = false
+    //xml.enabled = true
+    //csv.enabled = false
+    xml.required = true
+    csv.required = false
     xml.destination file("${buildDir}/reports/jacoco/test/jacocoTestReport.xml")
   }
 }
@@ -138,15 +141,15 @@ repositories {
 }
 
 ext {
-  groovyVersion = '3.0.7'
+  groovyVersion = '3.0.19'
   tomcatVersion = '9.0.75!!'
   jettyVersion = '9.4.48.v20220622'
 }
 
 ext['spring-framework.version'] = '5.3.27'
 ext['spring-security.version'] = '5.7.8'
 ext['log4j2.version'] = '2.17.1'
-ext['jackson.version'] = '2.14.1'
+ext['jackson.version'] = '2.15.3'
 ext['snakeyaml.version'] = '1.32'
 
 // it is important to specify logback classic and core packages explicitly as libraries like spring boot
@@ -160,6 +163,7 @@ def versions = [
 
 
 dependencies {
+
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '3.0.1'
 
   implementation group: 'com.google.guava', name: 'guava', version:'30.1-jre'
@@ -228,6 +232,18 @@ dependencies {
   implementation group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.4'
   implementation group: 'commons-io', name: 'commons-io', version: '2.8.0'
 
+  constraints {
+    implementation('org.json:json:20231013') {
+      because('Versions < 2.7 allows limited path traversal with FileNameUtils.normalize method - CVE-2021-29425')
+    }
+    implementation('json-java_project:json-java:20231013') {
+      because('Versions < 2.7 allows limited path traversal with FileNameUtils.normalize method - CVE-2021-29425')
+    }
+    implementation('java_project:json-java:20231013') {
+      because('Versions < 2.7 allows limited path traversal with FileNameUtils.normalize method - CVE-2021-29425')
+    }
+  }
+
   testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: versions.junit
   testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-params', version: versions.junit
   testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: versions.junit
@@ -254,7 +270,7 @@ dependencies {
 
   implementation group: 'junit', name: 'junit', version: '4.13.1'
 
-  implementation group: 'net.minidev', name: 'json-smart', version: '2.4.7'
+  implementation group: 'net.minidev', name: 'json-smart', version: '2.5.0'
 
   // CCD-3511 CVE-2020-15522
   implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.70'
@@ -268,7 +284,8 @@ test {
 mainClassName = 'uk.gov.hmcts.reform.ccd.test.stubs.service.Application'
 
 bootJar {
-  archiveName = 'ccd-test-stubs-service.jar'
+  //archiveName = 'ccd-test-stubs-service.jar'
+  archiveFileName = 'ccd-test-stubs-service.jar'
 
   manifest {
     attributes('Implementation-Title': project.name)

dependency-check-suppressions.xml

@@ -1,7 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?><suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
     <notes>Temporary Suppression
-        CVE-2022-45688 refer https://tools.hmcts.net/jira/browse/CCD-4373
         CVE-2022-1471 refer https://tools.hmcts.net/jira/browse/CCD-4454
         CVE-2023-26048 refer [Ticket]
         CVE-2023-26049 refer [Ticket]
@@ -22,9 +21,8 @@
         CVE-2023-42795 refer [Ticket]
         CVE-2023-45648 refer [Ticket]
         CVE-2023-44487 refer [Ticket]
-        CVE-2023-5072 refer [Ticket]
+        CVE-2023-36478 refer [Ticket]
     </notes>
-    <cve>CVE-2022-45688</cve>
     <cve>CVE-2022-1471</cve>
     <cve>CVE-2023-26048</cve>
     <cve>CVE-2023-26049</cve>
@@ -44,6 +42,6 @@
     <cve>CVE-2023-42795</cve>
     <cve>CVE-2023-45648</cve>
     <cve>CVE-2023-44487</cve>
-    <cve>CVE-2023-5072</cve>
+    <cve>CVE-2023-36478</cve>
   </suppress>
 </suppressions>

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists