Merge pull request #201 from companieshouse/feature/test-failures

bvrmvenkata · web-flow · commit 7cf86bc6766d · 2025-09-01T16:17:49.000+01:00
verifying build and dependency-check
diff --git a/pom.xml b/pom.xml
@@ -15,8 +15,8 @@
     <properties>
         <java.version>21</java.version>
         <start-class>uk.gov.companieshouse.pscdataapi.PscDataApiApplication</start-class>
-        <spring-boot-dependencies.version>3.4.5</spring-boot-dependencies.version>
-        <spring-boot-maven-plugin.version>3.4.5</spring-boot-maven-plugin.version>
+        <spring-boot-dependencies.version>3.4.9</spring-boot-dependencies.version>
+        <spring-boot-maven-plugin.version>3.4.9</spring-boot-maven-plugin.version>
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <maven.compiler.target>${java.version}</maven.compiler.target>
         <maven-compiler-plugin.version>3.14.0</maven-compiler-plugin.version>
@@ -28,15 +28,16 @@
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
         <commons.io.version>2.19.0</commons.io.version>
         <org.mapstruct.version>1.6.3</org.mapstruct.version>
-        <tomcat-embed-core.version>11.0.8</tomcat-embed-core.version>
+        <tomcat-embed-core.version>11.0.10</tomcat-embed-core.version>
         <spring-web.version>6.2.8</spring-web.version>
         <spring-security-core.version>6.5.1</spring-security-core.version>
-
+        <gson.version>2.13.1</gson.version>
+        <commons-lang3.version>3.18.0</commons-lang3.version>
         <!-- Internal -->
-        <structured-logging.version>3.0.20</structured-logging.version>
-        <private-api-sdk-java.version>4.0.347</private-api-sdk-java.version>
+        <structured-logging.version>3.0.40</structured-logging.version>
+        <private-api-sdk-java.version>4.0.350</private-api-sdk-java.version>
         <api-sdk-java.version>6.4.4</api-sdk-java.version>
-        <api-security-java.version>2.0.8</api-security-java.version>
+        <api-security-java.version>2.0.13</api-security-java.version>
 
         <!-- tests -->
         <io-cucumber.version>7.22.0</io-cucumber.version>
@@ -107,12 +108,33 @@
             <groupId>uk.gov.companieshouse</groupId>
             <artifactId>structured-logging</artifactId>
             <version>${structured-logging.version}</version>
+            <exclusions>
+                <!-- excluding commons-lang3 to address CVE-2025-48924 transitive dependency  -->
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- included commons-lang3-3.18.0 to address CVE-2025-48924 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
         </dependency>
         <dependency>
             <groupId>uk.gov.companieshouse</groupId>
             <artifactId>private-api-sdk-java</artifactId>
             <version>${private-api-sdk-java.version}</version>
+            <exclusions>
+                <!-- Excluding to address CVE-2025-48989 tomcat-embed-core pulled transitively-->
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
+
         <dependency>
             <groupId>uk.gov.companieshouse</groupId>
             <artifactId>api-sdk-java</artifactId>
@@ -127,8 +149,18 @@
                     <groupId>org.xmlunit</groupId>
                     <artifactId>xmlunit-core</artifactId>
                 </exclusion>
+                <!-- Excluding to address CVE-2025-53864 gson pulled transitively-->
+                <exclusion>
+                    <groupId>com.google.code.gson</groupId>
+                    <artifactId>gson</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+            <version>${gson.version}</version>
+        </dependency>
         <dependency>
             <groupId>uk.gov.companieshouse</groupId>
             <artifactId>api-security-java</artifactId>
diff --git a/src/main/java/uk/gov/companieshouse/pscdataapi/interceptor/AuthenticationHelperImpl.java b/src/main/java/uk/gov/companieshouse/pscdataapi/interceptor/AuthenticationHelperImpl.java
@@ -6,7 +6,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/src/main/java/uk/gov/companieshouse/pscdataapi/util/DateUtils.java b/src/main/java/uk/gov/companieshouse/pscdataapi/util/DateUtils.java
@@ -4,7 +4,7 @@
 
 import java.time.OffsetDateTime;
 import java.time.format.DateTimeFormatter;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 public final class DateUtils {
 
