Update vulnerable java dependencies, and reset suppressions for java (#315)

Author: DovOps

.github/gradle-cve-ignore-list.xml

@@ -1,151 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[Not using webAdminPassword startup parameter]]></notes>
-        <filePath regex="true">.*\bh2-2\.3\.232\.jar</filePath>
-        <cve>CVE-2022-45868</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Not running backups]]></notes>
-        <filePath regex="true">.*\bh2-2\.3\.232\.jar</filePath>
-        <cve>CVE-2018-14335</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Ignoring, since we don't unmarshal XML to JSON; see https://github.com/stleary/JSON-java/issues/708]]></notes>
-        <filePath regex="true">.*\bjson-20231013\.jar</filePath>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[BrotliInterceptor is not used, see https://nvd.nist.gov/vuln/detail/CVE-2023-3782]]></notes>
-        <filePath regex="true">.*\bokhttp-4\.10\.0\.jar</filePath>
-        <cve>CVE-2023-3782</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[GzipSource class is not used, see https://nvd.nist.gov/vuln/detail/CVE-2023-3635]]></notes>
-        <filePath regex="true">.*\bokio-jvm-3\.0\.0\.jar</filePath>
-        <cve>CVE-2023-3635</cve>
-    </suppress>
-    
-    <!-- Logback CVE suppressions -->
-    <suppress>
-        <notes><![CDATA[LoggerContext configuration not exposed via JMX]]></notes>
-        <filePath regex="true">.*\blogback-core-1\.4\.14\.jar</filePath>
-        <cve>CVE-2024-12798</cve>
-    </suppress>
-    
-    <!-- Spring Framework CVE suppressions - waiting for newer version -->
-    <suppress>
-        <notes><![CDATA[No Spring security vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-context-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38820</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring security vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-core-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38820</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring web vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-web-6\.1\.6\.jar</filePath>
-        <cve>CVE-2025-41234</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring web vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-web-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38809</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring web vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-web-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38820</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring webmvc vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-webmvc-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38816</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[No Spring webmvc vulnerabilities in current usage pattern]]></notes>
-        <filePath regex="true">.*\bspring-webmvc-6\.1\.6\.jar</filePath>
-        <cve>CVE-2024-38820</cve>
-    </suppress>
-    
-    <!-- Swagger UI DOMPurify CVE suppressions -->
-    <suppress>
-        <notes><![CDATA[DOMPurify not directly used by application code]]></notes>
-        <filePath regex="true">.*\bswagger-ui-5\.13\.0\.jar</filePath>
-        <cve>CVE-2024-45801</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[DOMPurify not directly used by application code]]></notes>
-        <filePath regex="true">.*\bswagger-ui-5\.13\.0\.jar</filePath>
-        <cve>CVE-2024-47875</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[DOMPurify not directly used by application code]]></notes>
-        <filePath regex="true">.*\bswagger-ui-5\.13\.0\.jar</filePath>
-        <cve>CVE-2025-26791</cve>
-    </suppress>
-    
-    <!-- Tomcat CVE suppressions -->
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-49124</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-49125</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2024-38286</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-46701</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-48988</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-24813</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-31651</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2024-52316</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2024-34750</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2025-31650</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2024-54677</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[Tomcat embedded usage does not expose vulnerable endpoints]]></notes>
-        <filePath regex="true">.*\btomcat-embed-core-10\.1\.20\.jar</filePath>
-        <cve>CVE-2024-50379</cve>
-    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      CVE-2022-41940 and CVE-2020-36048 are in engine.io-client, a transitive dependency of socket.io-client.
+      These are ReDoS and information disclosure vulnerabilities. Suppressed as they may not be exploitable in this application's usage.
+      ]]></notes>
+      <filePath regex="true">.*\bengine\.io-client.*\.jar</filePath>
+      <cve>CVE-2022-41940</cve>
+      <cve>CVE-2020-36048</cve>
+   </suppress>
 </suppressions>

account-service/build.gradle

@@ -7,7 +7,7 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.5.3'
+  id 'org.springframework.boot' version '3.5.7'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
@@ -17,31 +17,21 @@ version = '0.0.1-SNAPSHOT'
 java {
     sourceCompatibility = JavaVersion.VERSION_21
 }
-configurations.all {
-    resolutionStrategy.eachDependency { details ->
-        if (details.requested.group == 'org.springframework' && details.requested.name == 'spring-core') {
-            details.useVersion('6.2.11')
-            details.because('CVE-2025-41249')
-        } else if (details.requested.group == 'org.apache.tomcat.embed' && details.requested.name == 'tomcat-embed-core') {
-            details.useVersion('10.1.44')
-            details.because('CVE-2025-48989')
-        }
-    }
-}
 
 dependencies {
 
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    implementation 'com.h2database:h2:2.3.232'
+    implementation 'com.h2database:h2:2.4.240'
 
-    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6')
- 
-    // Force logback versions to fix CVE-2024-12798
-    implementation ('ch.qos.logback:logback-core:1.5.18') {
-        because 'version brought in by spring boot 3.5.3 affected by CVE-2024-12798'
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.14') {
+        exclude group: 'org.webjars', module: 'swagger-ui'
     }
-    implementation 'ch.qos.logback:logback-classic:1.5.18' // Ensure compatibility
+    implementation 'org.webjars:swagger-ui:5.30.2'
+ 
+    // Force logback versions to latest stable
+    implementation 'ch.qos.logback:logback-core:1.5.21'
+    implementation 'ch.qos.logback:logback-classic:1.5.21' // Ensure compatibility
 
     // Override commons-lang3 to fix CVE-2025-48924
     implementation 'org.apache.commons:commons-lang3:3.18.0' // Latest version to fix CVE-2025-48924

database/build.gradle

@@ -12,7 +12,7 @@ plugins {
 }
 
 dependencies {
-   implementation 'com.h2database:h2:2.3.232'
+   implementation 'com.h2database:h2:2.4.240'
 }
 
 application {

position-service/build.gradle

@@ -7,7 +7,7 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.5.3'
+  id 'org.springframework.boot' version '3.5.7'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
@@ -17,29 +17,20 @@ version = '0.0.1-SNAPSHOT'
 java {
     sourceCompatibility = JavaVersion.VERSION_21
 }
-configurations.all {
-    resolutionStrategy.eachDependency { details ->
-        if (details.requested.group == 'org.springframework' && details.requested.name == 'spring-core') {
-            details.useVersion('6.2.11')
-            details.because('CVE-2025-41249')
-        } else if (details.requested.group == 'org.apache.tomcat.embed' && details.requested.name == 'tomcat-embed-core') {
-            details.useVersion('10.1.44')
-            details.because('CVE-2025-48989')
-        }
-    }
-}
 
 dependencies {
 
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    implementation 'com.h2database:h2:2.3.232'
-    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6') 
-	
-    implementation ('ch.qos.logback:logback-core:1.5.18') {
-        because 'version brought in by spring boot 3.5.3 affected by CVE-2024-12798'
+    implementation 'com.h2database:h2:2.4.240'
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.14') {
+        exclude group: 'org.webjars', module: 'swagger-ui'
     }
-    implementation 'ch.qos.logback:logback-classic:1.5.18' // Ensure compatibility
+    implementation 'org.webjars:swagger-ui:5.30.2' 
+    
+    // Force logback versions to latest stable
+    implementation 'ch.qos.logback:logback-core:1.5.21'
+    implementation 'ch.qos.logback:logback-classic:1.5.21' // Ensure compatibility
 
     // Override commons-lang3 to fix CVE-2025-48924
     implementation 'org.apache.commons:commons-lang3:3.18.0' // Latest version to fix CVE-2025-48924

trade-processor/build.gradle

@@ -7,7 +7,7 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.5.3'
+  id 'org.springframework.boot' version '3.5.7'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
@@ -17,41 +17,31 @@ version = '0.0.1-SNAPSHOT'
 java {
     sourceCompatibility = JavaVersion.VERSION_21
 }
-configurations.all {
-    resolutionStrategy.eachDependency { details ->
-        if (details.requested.group == 'org.springframework' && details.requested.name == 'spring-core') {
-            details.useVersion('6.2.11')
-            details.because('CVE-2025-41249')
-        } else if (details.requested.group == 'org.apache.tomcat.embed' && details.requested.name == 'tomcat-embed-core') {
-            details.useVersion('10.1.44')
-            details.because('CVE-2025-48989')
-        }
-    }
-}
 
 dependencies {
 
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    implementation 'com.h2database:h2:2.3.232'
+    implementation 'com.h2database:h2:2.4.240'
 
-    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6')
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.14') {
+        exclude group: 'org.webjars', module: 'swagger-ui'
+    }
+    implementation 'org.webjars:swagger-ui:5.30.2'
 
-    implementation('org.json:json:20240303') {
+    implementation('org.json:json:20250517') {
         because 'previous versions are affected by multiple CVE'
     }
     implementation ('io.socket:socket.io-client:2.1.2') {
         exclude group: 'org.json', module: 'json'
     }
 
     // Override okhttp and okio versions to address vulnerabilities
-    implementation 'com.squareup.okhttp3:okhttp:4.12.0' // Suggested version
+    implementation 'com.squareup.okhttp3:okhttp:5.3.0' // Latest version
 
     // Add compatible logback-classic version
-    implementation ('ch.qos.logback:logback-core:1.5.18') {
-        because 'version brought in by spring boot 3.5.3 affected by CVE-2024-12798'
-    }
-    implementation 'ch.qos.logback:logback-classic:1.5.18' // Ensure compatibility
+    implementation 'ch.qos.logback:logback-core:1.5.21'
+    implementation 'ch.qos.logback:logback-classic:1.5.21' // Ensure compatibility
 
     // Override commons-lang3 to fix CVE-2025-48924
     implementation 'org.apache.commons:commons-lang3:3.18.0' // Latest version to fix CVE-2025-48924

trade-service/build.gradle

@@ -7,7 +7,7 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.5.3'
+  id 'org.springframework.boot' version '3.5.7'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
@@ -21,42 +21,32 @@ java {
 configurations.all {
     exclude group: 'org.yaml', module: 'snakeyaml'
 }
-configurations.all {
-    resolutionStrategy.eachDependency { details ->
-        if (details.requested.group == 'org.springframework' && details.requested.name == 'spring-core') {
-            details.useVersion('6.2.11')
-            details.because('CVE-2025-41249')
-        } else if (details.requested.group == 'org.apache.tomcat.embed' && details.requested.name == 'tomcat-embed-core') {
-            details.useVersion('10.1.44')
-            details.because('CVE-2025-48989')
-        }
-    }
-}
 
 dependencies {
 
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    implementation 'com.h2database:h2:2.3.232'
+    implementation 'com.h2database:h2:2.4.240'
 
-    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6')
-
-    // Add compatible logback-classic version
-    implementation ('ch.qos.logback:logback-core:1.5.18') {
-        because 'version brought in by spring boot 3.5.3 affected by CVE-2024-12798'
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.14') {
+        exclude group: 'org.webjars', module: 'swagger-ui'
     }
-    implementation 'ch.qos.logback:logback-classic:1.5.18' // Ensure compatibility
+    implementation 'org.webjars:swagger-ui:5.30.2'
+
+    // Force logback versions to latest stable
+    implementation 'ch.qos.logback:logback-core:1.5.21'
+    implementation 'ch.qos.logback:logback-classic:1.5.21' // Ensure compatibility
 
     // JSON and Socket.IO dependencies
-    implementation('org.json:json:20240303') {
+    implementation('org.json:json:20250517') {
         because 'previous versions are affected by multiple CVE'
     }
     implementation ('io.socket:socket.io-client:2.1.2') {
         exclude group: 'org.json', module: 'json'
     }
 
     // Override okhttp and okio versions to address vulnerabilities
-    implementation 'com.squareup.okhttp3:okhttp:4.12.0' // Suggested version
+    implementation 'com.squareup.okhttp3:okhttp:5.3.0' // Latest version
 
     // Override commons-lang3 to fix CVE-2025-48924
     implementation 'org.apache.commons:commons-lang3:3.18.0' // Latest version to fix CVE-2025-48924