From 1dfc14e2ae794d7a9c1cd25301a1c1560f89b96f Mon Sep 17 00:00:00 2001
From: Felix Dittrich <31076102+f11h@users.noreply.github.com>
Date: Wed, 21 Jun 2023 12:36:29 +0200
Subject: [PATCH] Feat: Dependency Update (#219)

* update dependencies

* update pom and suppressions

* add jackson overide

* Set Jackson BOM

* Remove Exclusions

---------

Co-authored-by: Gordon Grund <gordon.grund@t-systems.com>
---
 .gitignore             |  1 +
 owasp/suppressions.xml |  4 ++++
 pom.xml                | 49 ++++++++++++++++++++++++++----------------
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/.gitignore b/.gitignore
index f5d73387..b9e6e2a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ build/
 
 certs/*
 .DS_Store
+pom.xml.versionsBackup
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
index 431c3754..0a2adce2 100644
--- a/owasp/suppressions.xml
+++ b/owasp/suppressions.xml
@@ -30,4 +30,8 @@
         <notes>False positive</notes>
         <cve>CVE-2018-14335</cve>
     </suppress>
+    <suppress>
+        <notes>No fix available, still analyzed</notes>
+        <cve>CVE-2023-35116</cve>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index a8e82bef..427925c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://maven.apache.org/POM/4.0.0"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
@@ -7,7 +8,7 @@
     <parent>
         <groupId>org.springframework.cloud</groupId>
         <artifactId>spring-cloud-starter-parent</artifactId>
-        <version>2022.0.2</version>
+        <version>2022.0.3</version>
         <relativePath/>
     </parent>
 
@@ -43,19 +44,19 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <!-- dependencies -->
-        <dgclib.version>2.0.0</dgclib.version>
+        <dgc.lib.version>2.0.2</dgc.lib.version>
         <owasp.version>8.0.2</owasp.version>
-        <springdoc.version>1.6.14</springdoc.version>
-        <mapstruct.version>1.5.3.Final</mapstruct.version>
-        <bcpkix.version>1.72</bcpkix.version>
-        <semver4j.version>4.1.1</semver4j.version>
-        <json-schema.version>1.14.1</json-schema.version>
-        <shedlock.version>5.1.0</shedlock.version>
+        <springdoc.version>2.1.0</springdoc.version>
+        <mapstruct.version>1.5.5.Final</mapstruct.version>
+        <bcpkix.version>1.74</bcpkix.version>
+        <semver4j.version>4.3.0</semver4j.version>
+        <json-schema.version>1.14.2</json-schema.version>
+        <shedlock.version>5.4.0</shedlock.version>
         <!-- plugins -->
-        <plugin.maven-assembly.version>3.4.2</plugin.maven-assembly.version>
-        <plugin.checkstyle.version>3.2.1</plugin.checkstyle.version>
+        <plugin.maven-assembly.version>3.6.0</plugin.maven-assembly.version>
+        <plugin.checkstyle.version>3.3.0</plugin.checkstyle.version>
         <plugin.sonar.version>3.9.1.2184</plugin.sonar.version>
-        <plugin.jacoco.version>0.8.8</plugin.jacoco.version>
+        <plugin.jacoco.version>0.8.10</plugin.jacoco.version>
         <plugin.os-maven.version>1.7.1</plugin.os-maven.version>
         <!-- license -->
         <license.projectName>EU Digital Green Certificate Gateway Service / dgc-gateway</license.projectName>
@@ -127,11 +128,23 @@
         </repository>
     </distributionManagement>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- Explicit Definition of Jackson Versions because of active CVE -->
+            <dependency>
+                <groupId>com.fasterxml.jackson</groupId>
+                <artifactId>jackson-bom</artifactId>
+                <version>2.15.2</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
     <dependencies>
         <dependency>
             <groupId>eu.europa.ec.dgc</groupId>
             <artifactId>dgc-lib</artifactId>
-            <version>${dgclib.version}</version>
+            <version>${dgc.lib.version}</version>
         </dependency>
         <dependency>
             <groupId>org.semver4j</groupId>
@@ -147,10 +160,6 @@
             <groupId>com.mysql</groupId>
             <artifactId>mysql-connector-j</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-databind</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
@@ -180,6 +189,10 @@
                     <groupId>commons-fileupload</groupId>
                     <artifactId>commons-fileupload</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <!-- Explicit inclusion because of CVE-2023-24998 -->
@@ -213,7 +226,7 @@
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>
-            <artifactId>springdoc-openapi-ui</artifactId>
+            <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
             <version>${springdoc.version}</version>
         </dependency>
         <dependency>