Merge pull request #688 from hmcts/RDCC-6429

build.gradle

@@ -484,7 +484,7 @@ dependencies {
   testImplementation group: 'ch.qos.logback', name: 'logback-core', version: '1.2.10'
 
 
-  implementation group: 'org.apache.poi', name: 'poi-ooxml', version: '4.1.2'
+  implementation group: 'org.apache.poi', name: 'poi-ooxml', version: versions.poi
   //Fix for CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
   implementation group: 'org.apache.commons', name: 'commons-compress', version: '1.21'
 
@@ -532,6 +532,11 @@ dependencyManagement {
     dependencySet(group: 'commons-fileupload', version: '1.5') {
       entry 'commons-fileupload'
     }
+    //CVE-2021-22044
+    dependencySet(group: 'org.springframework.cloud', version: '3.1.5') {
+      entry 'spring-cloud-starter-openfeign'
+      entry 'spring-cloud-openfeign-core'
+    }
   }
 }
 

config/owasp/suppressions.xml

@@ -1,68 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress until="2023-05-16">
-    <notes><![CDATA[
-   file name: jakarta.el-3.0.3.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.el@.*$</packageUrl>
-    <cve>CVE-2021-28170</cve>
-  </suppress>
-  <suppress until="2023-05-16">
-    <notes><![CDATA[
-   file name: lang-tag-1.4.4.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
-    <cve>CVE-2020-23171</cve>
-  </suppress>
   <suppress until="2023-09-24">
-    <packageUrl regex="true">^pkg:maven/org\.apache\.poi.*$</packageUrl>
-    <cve>CVE-2022-26336</cve>
-  </suppress>
-  <suppress until="2023-05-16">
-    <notes><![CDATA[
-    file name: spring-core-5.3.18.jar
-    ]]></notes>
-    <cve>CVE-2016-1000027</cve>
-  </suppress>
-  <suppress until="2023-12-30">
-    <notes><![CDATA[
-    file name: tomcat-embed-core-9.0.63.jar
-    ]]></notes>
-    <cve>CVE-2022-34305</cve>
+     <packageUrl regex="true">^pkg:maven/org\.apache\.poi.*$</packageUrl>
+     <cve>CVE-2022-26336</cve>
   </suppress>
-  <suppress until="2023-12-30">
-    <notes><![CDATA[
-    file name: fasterxml:jackson-databind.jar
-    ]]></notes>
-    <cve>CVE-2022-42003</cve>
-    <cve>CVE-2022-42004</cve>
-    <cve>CVE-2021-37533</cve>
-  </suppress>
-  <suppress until="2024-01-01">
-    <notes><![CDATA[
-   netty 4.1.85
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.+@.*$</packageUrl>
-    <cve>CVE-2022-41881</cve>
-</suppress>
-  <suppress until="2023-12-30">
-    <notes>cucumber:datatable pom contains com.googlecode.java-diff-utils:diffutils which has the CVE vulnerability, no fix has been released yet for this</notes>
-    <cve>CVE-2021-4277</cve>
-  </suppress>
-      <suppress>
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <cve>CVE-2021-4235</cve>
-        <cve>CVE-2022-3064</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2022-22978 suppression (false positive), because spring security already at (5.7.5) this is higher than the vulnerable versions
-            (5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4)
-            https://tanzu.vmware.com/security/cve-2022-22978</notes>
-        <cve>CVE-2022-22978</cve>
-        <cve>CVE-2022-22976</cve>
-        <cve>CVE-2021-22044</cve>
-    </suppress>
-    <suppress>
+  <suppress>
      <cve>CVE-2022-45688</cve>
-    </suppress>
+  </suppress>
 </suppressions>