From c8040504ac329e4e37b54c88ef69124e20e1cd91 Mon Sep 17 00:00:00 2001
From: Susan Hert <susanh@labkey.com>
Date: Thu, 30 Nov 2023 12:10:23 -0800
Subject: [PATCH] CVE-2023-46589: Update tomcat (and spring) versions (#631)

---
 dependencyCheckSuppression.xml | 17 +++++++++++++++++
 gradle.properties              |  6 +++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index fc59a054dc..4e5304545d 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -1,5 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <!-- We do not include logback with our embedded tomcat distributions -->
+    <suppress>
+       <notes><![CDATA[
+       file name: logback-classic-1.2.12.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+       <vulnerabilityName>CVE-2023-6378</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: logback-core-1.2.12.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-6378</vulnerabilityName>
+    </suppress>
+
     <!-- Prevent match against unrelated "rengine" at https://github.com/yogeshojha/rengine -->
     <suppress>
         <notes><![CDATA[
diff --git a/gradle.properties b/gradle.properties
index 5a5ae298e0..124ae6dbd7 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -100,7 +100,7 @@ apacheDirectoryVersion=2.1.3
 apacheMinaVersion=2.2.1
 
 # Keep in sync with springBootTomcatVersion below
-apacheTomcatVersion=9.0.82
+apacheTomcatVersion=9.0.83
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -276,10 +276,10 @@ slf4jLog4jApiVersion=2.0.7
 # This is a dependency for HTSJDK. Force to avoid a deserialization problem. Remove once HTSJDK bumps its preferred version
 snappyJavaVersion=1.1.10.4
 
-springBootVersion=2.7.17
+springBootVersion=2.7.18
 # This MUST match the Tomcat version dictated by springBootVersion
 # Also, keep this in sync with apacheTomcatVersion above
-springBootTomcatVersion=9.0.82
+springBootTomcatVersion=9.0.83
 
 springVersion=5.3.28