PUB-2133 - Updated version of spring boot (#407)

* PUB-2133 - Updated version of spring boot * PUB-2133 - Updated suppressions * Updated suppressions * Updated data models
hmcts · Jan 22, 2024 · f90fce4 · f90fce4
1 parent 81b9072
commit f90fce4
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 16 deletions.
diff --git a/build.gradle b/build.gradle
@@ -4,7 +4,7 @@ plugins {
   id 'pmd'
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.1.4'
-  id 'org.springframework.boot' version '3.0.13'
+  id 'org.springframework.boot' version '3.2.1'
   id 'org.owasp.dependencycheck' version '9.0.5'
   id 'com.github.ben-manes.versions' version '0.50.0'
   id 'org.sonarqube' version '4.4.1.3373'
@@ -165,7 +165,7 @@ dependencies {
   implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version: '7.4'
 
   implementation group: 'uk.gov.service.notify', name: 'notifications-java-client', version: '4.1.1-RELEASE'
-  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.16', {
+  implementation group: 'com.github.hmcts', name: 'pip-data-models', version: '2.1.17', {
     exclude group: 'org.springframework.boot', module: 'spring-boot-starter-data-jpa'
   }
 
@@ -176,11 +176,6 @@ dependencies {
   implementation group: 'org.redisson', name: 'redisson', version: '3.24.3'
   implementation group: 'com.giffing.bucket4j.spring.boot.starter', name: 'bucket4j-spring-boot-starter', version: '0.10.0'
 
-  // Force upgrade snakeyaml version for CVE-2022-1471
-  implementation( group: 'org.yaml', name: 'snakeyaml').version {
-    strictly("2.0")
-  }
-
   testImplementation group: 'org.springframework.security', name: 'spring-security-test'
 
   testImplementation(platform('org.junit:junit-bom:5.10.1'))
@@ -195,7 +190,7 @@ dependencies {
   testImplementation group: 'com.squareup.okhttp3', name: 'okhttp-tls', version: '4.12.0'
   testImplementation group: 'org.apache.pdfbox', name: 'pdfbox', version: '3.0.1'
   testImplementation group: 'com.redis', name: 'testcontainers-redis', version: '1.7.0'
-  testImplementation group: 'org.testcontainers', name: 'junit-jupiter', version: '1.19.3'
+  testImplementation group: 'org.testcontainers', name: 'junit-jupiter'
   testImplementation group: 'io.github.hakky54', name: 'logcaptor', version: '2.9.1'
 }
 

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -9,7 +9,7 @@
   </suppress>
   <suppress>
     <notes>The vulnerability exists in the latest version of lib too. Need to wait for new version with the fix</notes>
-    <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.3</packageUrl>
+    <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3</packageUrl>
     <cve>CVE-2023-35116</cve>
   </suppress>
   <suppress>
@@ -22,9 +22,4 @@
     <packageUrl regex="true">^pkg:maven/com\.azure/azure.*$</packageUrl>
     <cve>CVE-2023-36052</cve>
   </suppress>
-  <suppress>
-    <notes>Suppression for logback. Pulled in by the latest spring boot v3.0.13</notes>
-    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback.*@1.4.11$</packageUrl>
-    <cve>CVE-2023-6378</cve>
-  </suppress>
 </suppressions>
diff --git a/src/main/java/uk/gov/hmcts/reform/pip/publication/services/config/SpringSecurityConfig.java b/src/main/java/uk/gov/hmcts/reform/pip/publication/services/config/SpringSecurityConfig.java
@@ -4,6 +4,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -25,7 +26,7 @@ public class SpringSecurityConfig {
     @Bean
     @SuppressWarnings("PMD.SignatureDeclareThrowsException")
     public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
-        http.apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer());
+        http.with(AadResourceServerHttpSecurityConfigurer.aadResourceServer(), Customizer.withDefaults());
         http.csrf(AbstractHttpConfigurer::disable);
         return http.build();
     }

diff --git a/.../uk/gov/hmcts/reform/pip/publication/services/configuration/SpringSecurityConfigTest.java b/.../uk/gov/hmcts/reform/pip/publication/services/configuration/SpringSecurityConfigTest.java
@@ -24,7 +24,7 @@ void testSpringSecurityConfigCreation() throws Exception {
 
         springSecurityConfig.apiFilterChain(httpSecurity);
 
-        verify(httpSecurity, times(1)).apply(any(AadResourceServerHttpSecurityConfigurer.class));
+        verify(httpSecurity, times(1)).with(any(AadResourceServerHttpSecurityConfigurer.class), any());
         verify(httpSecurity, times(1)).csrf(any());
     }