Merge pull request #6001 from espoon-voltti/fix-owasp

Päivitetään kirjastoja -> korjaa OWASP-hälyn

service/evaka-bom/build.gradle.kts

@@ -10,7 +10,7 @@ dependencies {
     constraints {
         api("ch.qos.logback.access:tomcat:2.0.2")
         api(
-            "org.apache.tomcat:tomcat-catalina:10.1.26"
+            "org.apache.tomcat:tomcat-catalina:10.1.31"
         ) // ch.qos.logback.access:tomcat breaks on runtime without this
         api("com.auth0:java-jwt:4.4.0")
         api("com.github.kagkarlsson:db-scheduler:15.0.0")
@@ -64,7 +64,7 @@ dependencies {
     api(enforcedPlatform("org.eclipse.jetty:jetty-bom:11.0.20"))
     api(platform("org.jdbi:jdbi3-bom:3.47.0"))
     api(platform(libs.kotlin.bom))
-    api(platform("org.junit:junit-bom:5.11.0"))
+    api(platform("org.junit:junit-bom:5.11.3"))
     api(platform(libs.spring.boot.dependencies))
     api(platform("org.springframework:spring-framework-bom:6.1.14")) // only needed for CVE fix
     api(platform("software.amazon.awssdk:bom:2.29.1"))

service/gradle/libs.versions.toml

@@ -15,7 +15,7 @@ ktlint = "1.4.0"
 ktlint-gradle = "12.1.0"
 mockito = "5.14.0"
 owasp = "11.1.0"
-spring-boot = "3.3.2"
+spring-boot = "3.3.5"
 versions = "0.51.0"
 
 [libraries]

service/owasp-suppressions.xml

@@ -7,18 +7,6 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 -->
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
-        ]]></notes>
-        <cve>CVE-2023-38286</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Hostname verification is not enabled by default in Netty 4.x. AWS SDK v2 uses Netty 4.x, but explicitly enables hostname verification.
-       ]]></notes>
-        <cve>CVE-2023-4586</cve>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Misidentification. The checkstyle reporter for Ktlint version x.y is not the same as the actual checkstyle library version x.y.
@@ -30,39 +18,14 @@ SPDX-License-Identifier: LGPL-2.1-or-later
        <notes><![CDATA[
        Misidentification
        ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jaspic-api@10\.1\.26$</packageUrl>
+       <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jaspic-api@10\.1\.31$</packageUrl>
        <cpe>cpe:/a:apache:tomcat:3.0</cpe>
     </suppress>
     <suppress>
         <notes><![CDATA[
         Misidentification
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jsp-api@10\.1\.26$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jsp-api@10\.1\.31$</packageUrl>
         <cpe>cpe:/a:apache:tomcat:3.1</cpe>
     </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Misidentification: flyway-database-postgresql != postgresql
-       ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.flywaydb/flyway\-database\-postgresql@.*$</packageUrl>
-        <cpe>cpe:/a:postgresql:postgresql</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        This vulnerability only affects "simple query mode", which is not the default and we don't use it.
-       ]]></notes>
-        <cve>CVE-2024-1597</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Misidentification: Glassfish JAXB library != GlassFish Java EE server
-       ]]></notes>
-        <cve>CVE-2024-9329</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Affects only old Spring versions (5.3.x), and we're already using 6.1.x
-       ]]></notes>
-        <cve>CVE-2024-38828</cve>
-    </suppress>
 </suppressions>