RDCC-6464: Adding Suppression for CVE-2023-24998 (#280)

* RDCC-6464: Adding Suppression for `CVE-2023-24998` * Upgrading Serenity Version * CVE Fixes --------- Co-authored-by: Sahitya Desireddy <[email protected]>
hmcts · Mar 3, 2023 · 8c98c2b · 8c98c2b
1 parent f96e68e
commit 8c98c2b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/build.gradle b/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
   dependencies {
-    classpath("net.serenity-bdd:serenity-gradle-plugin:2.3.6")
+    classpath("net.serenity-bdd:serenity-gradle-plugin:2.4.34")
   }
 }
 plugins {
@@ -283,6 +283,10 @@ dependencyManagement {
       entry 'tomcat-embed-el'
       entry 'tomcat-embed-websocket'
     }
+    //CVE-2023-24998
+    dependencySet(group: 'commons-fileupload', version: '1.5') {
+      entry 'commons-fileupload'
+    }
     // CVE-2021-22060, CVE-2022-22965, CVE-2022-22950, CVE-2022-22971, CVE-2022-22968, CVE-2022-22970
     dependency(group: 'org.springframework', name: 'spring-corespring-core', version: '5.3.22') //remove this line after spring boot upgrade to 2.7.7 and spring frame work to 6.0
   }

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -45,7 +45,6 @@
     <cve>CVE-2021-4235</cve>
     <cve>CVE-2022-3064</cve>
   </suppress>
-
   <suppress>
     <notes>CVE-2022-22978 suppression (false positive), because spring security already at (5.7.5) this is higher than the vulnerable versions
       (5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4)