From 398f15d5dea5e83d74bdca4ad4f42c6373e1fbc9 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Wed, 5 Oct 2022 06:31:53 +0200
Subject: [PATCH] dependency upgrades and suppress irrelevant security
 vulnerability in jackson-databind

---
 build.gradle                               | 14 +++++++-------
 etc/owasp-dependency-check-suppression.xml |  7 +++++++
 gradle.properties                          |  1 +
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/build.gradle b/build.gradle
index 0e573ba8..72217dc7 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,11 +1,11 @@
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '2.7.3'
+    id 'org.springframework.boot' version '2.7.4'
     id 'io.openapiprocessor.openapi-processor' version '2022.2'
-    id 'io.spring.dependency-management' version '1.0.13.RELEASE'
+    id 'io.spring.dependency-management' version '1.0.14.RELEASE'
     id 'com.github.jk1.dependency-license-report' version '2.1'
-    id "org.owasp.dependencycheck" version "7.1.2"
-    id "com.diffplug.spotless" version "6.10.0"
+    id "org.owasp.dependencycheck" version "7.2.1"
+    id "com.diffplug.spotless" version "6.11.0"
     id 'jacoco'
     id 'info.solidsoft.pitest' version '1.9.0'
     id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@@ -57,7 +57,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springdoc:springdoc-openapi-ui:1.6.11'
     implementation 'org.liquibase:liquibase-core'
-    implementation 'com.vladmihalcea:hibernate-types-55:2.19.0'
+    implementation 'com.vladmihalcea:hibernate-types-55:2.19.2'
     implementation 'org.openapitools:jackson-databind-nullable:0.2.3'
     implementation 'org.modelmapper:modelmapper:3.1.0'
 
@@ -75,10 +75,10 @@ dependencies {
     testImplementation 'org.testcontainers:testcontainers'
     testImplementation 'org.testcontainers:junit-jupiter'
     testImplementation 'org.testcontainers:postgresql'
-    testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0-rc1'
+    testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0'
     testImplementation 'io.rest-assured:spring-mock-mvc'
     testImplementation 'org.hamcrest:hamcrest-core:2.2'
-    testImplementation 'org.pitest:pitest-junit5-plugin:1.0.0'
+    testImplementation 'org.pitest:pitest-junit5-plugin:1.1.0'
 }
 
 dependencyManagement {
diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml
index 1776882e..4c258544 100644
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@@ -7,4 +7,11 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
         <cve>CVE-2016-1000027</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+           We don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature and thus are not affected.
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <cve>CVE-2022-42003</cve>
+    </suppress>
 </suppressions>
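Review bot: The new suppression at lines 63-69 has no expiry and its packageUrl regex `@.*$` matches every jackson-databind version, so it will keep silencing CVE-2022-42003 after a future upgrade to a release that fixes it, and nobody will be reminded to revisit the justification. dependency-check supports a time-bound suppression; `<suppress until="YYYY-MM-DD">` (a date a few months out, placeholder) would force a re-check when it lapses. The notes should also state how "we don't use UNWRAP_SINGLE_VALUE_ARRAYS" was established, since the justification only holds while no ObjectMapper configuration or per-property annotation enables that deserialization feature; a sentence such as `Verified YYYY-MM-DD: no enableDefaultTyping/UNWRAP_SINGLE_VALUE_ARRAYS usage in src/; drop this entry once the managed jackson-databind version contains the fix.` makes that auditable. Minor: the closing `]]>` on line 66 is indented inconsistently with the existing suppression block.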
diff --git a/gradle.properties b/gradle.properties
index dbea849e..96a64eb1 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -2,6 +2,7 @@
 # Spring BOM overrides
 postgresql.version = 42.4.1
 snakeyaml.version = 1.32
+jackson-databind = 2.13.4
 
 # TODO: can be removed if all dependencies are JDK 16 compliant, check with `gw clean check`
 # and check output for "cannot access class ... because module jdk.compiler does not export ..."
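Review bot: The added key `jackson-databind = 2.13.4` on line 79 does not follow the `<artifact>.version` naming of the neighbouring BOM overrides (`postgresql.version`, `snakeyaml.version`), so Spring's dependency management most likely ignores it and the resolved jackson-databind version stays whatever the Spring Boot 2.7.4 BOM ships. Spring Boot manages Jackson through its bom, so the override would be `jackson-bom.version = 2.13.4` if the intent is to pin it; since the suppression in etc/owasp-dependency-check-suppression.xml documents the assumption that this version is in use, the actual resolved version should be confirmed in the Gradle dependency report before merging. If the BOM already resolves 2.13.4 the line can simply be dropped rather than left as a misleading no-op.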