Merge pull request #729 from catenax-ng/chore/update-dependencies

chore(deps):[#xxx] fix OWASP dependency errors
eclipse-tractusx · Jan 26, 2024 · e7a1d01 · e7a1d01
2 parents cec9b85 + 2042dd3
commit e7a1d01
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 96 deletions.
diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml
@@ -28,4 +28,11 @@
         <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
         <vulnerabilityName>CVE-2023-22006</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Only used in tests.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com.jayway.jsonpath/json-path@2.8.0$</packageUrl>
+        <vulnerabilityName>CVE-2023-51074</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Updated license header to "Copyright (c) 2021,2024 Contributors to the Eclipse Foundation"
 - Changed lookupGlobalAssetIds to lookupShellsByBPN, which provides full object.
+- Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS.
+
+### Fixed
+- Update to Spring Boot 3.1.8. This fixes the following CVEs:
+  - CVE-2023-6378 serialization vulnerability in logback
+  - CVE-2023-51074 json-path v2.8.0 stack overflow
+  - CVE-2024-22233 Spring Framework server Web DoS Vulnerability
 
 ## [4.4.0] - 2024-01-15
 ### Added