From 9e7797f01f188deb67b7c1675067d9fde0a1ad83 Mon Sep 17 00:00:00 2001
From: Andrew Bell <115623869+andybharness@users.noreply.github.com>
Date: Fri, 8 Aug 2025 13:27:59 +0100
Subject: [PATCH] fix: [FFM-12578]: Fixes various CVEs

---
 build.gradle | 9 +++++++++
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 settings.gradle | 4 ++--
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 9a3f404b..8c1a228d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -38,6 +38,15 @@ allprojects {
 sourceCompatibility = JavaVersion.VERSION_1_8
 }
 
+ configurations.configureEach {
+ resolutionStrategy {
+ // version overrides for CVE fixes
+ force 'org.apache.commons:commons-lang3:3.18.0' // CVE-2025-48924
+ force "ch.qos.logback:logback-classic:1.3.15" // CVE-2024-12798, CVE-2024-12801
+ force 'com.google.code.gson:gson:2.13.1' // CVE-2025-53864
+ }
+ }
+
 apply plugin: 'java-library'
 apply plugin: 'org.owasp.dependencycheck'
 }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 0d188cae..48b43d35 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.0.0-rc-3-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.0.0-all.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/settings.gradle b/settings.gradle
index 54b75ed3..354a66d1 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -40,8 +40,8 @@ dependencyResolutionManagement {
 version('openapi.generator', '4.3.1')
 version('spotless', '7.1.0')
 version('depsize', '0.2.0')
- version('spotbugs', '6.1.5')
- version('depcheck', '9.0.7')
+ version('spotbugs', '6.2.3')
+ version('depcheck', '12.1.3')
 version('maven.publish', '0.33.0')
 }
 }
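Review bot: The `force` entries in the added `resolutionStrategy` block only change what this build resolves; they are not written to the published POM or module metadata. If these modules are published (settings.gradle declares a `maven.publish` plugin version), consumers can still resolve the older commons-lang3, logback and gson versions. Raising the declared versions, or adding a published constraint such as `dependencies { constraints { implementation 'org.apache.commons:commons-lang3:3.18.0' } }`, would carry the fix downstream. Separately, as far as I know CVE-2024-12798 and CVE-2024-12801 are filed against logback-core, while only `logback-classic` is forced; core normally follows through classic's own dependency, but a configuration holding logback-core without classic is not covered, so `force 'ch.qos.logback:logback-core:1.3.15'` next to it would close that gap. The enclosing `allprojects` block starts outside the hunk.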