Bump springboot from 1.15.14 to 1.15.19

This indirectly upgrades jackson-databind to 2.8.11.3 which resolves the selected version for a number of dependencies. Although reporting an error this release fixes: CVE-2018-14718: RCE with slf4j-ext jar CVE-2018-14719: RCE with blaze-ds-opt, -core jars CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions) CVE-2018-14721: exfiltration/SSRF with axis2-jaxws Ref FasterXML/jackson-databind#2097 CVE-2018-19360 (axis2-transport-jms) CVE-2018-19361 (openjpa) CVE-2018-19362 (jboss-common-core) Ref FasterXML/jackson-databind#2186 See FasterXML/jackson-databind#2097 (comment) https://github.com/FasterXML/jackson-databind/blob/2.8/release-notes/VERSION#L8-L15 RDM-3796
hmcts · Jan 31, 2019 · 913f97f · 913f97f
1 parent 808fb87
commit 913f97f
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 15 deletions.
diff --git a/build.gradle b/build.gradle
@@ -13,7 +13,7 @@ buildscript {
 plugins {
     id 'application'
     id 'io.spring.dependency-management' version '1.0.6.RELEASE'
-    id 'org.springframework.boot' version '1.5.14.RELEASE'
+    id 'org.springframework.boot' version '1.5.19.RELEASE'
     id 'com.github.ben-manes.versions' version '0.20.0'
     id 'org.sonarqube' version '2.6.2'
     id 'jacoco'

diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -75,38 +75,52 @@
         <cpe>cpe:/a:slf4j:slf4j:1.7.25</cpe>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-14718</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-14719</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-14720</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-14721</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-19360</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-19361</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.11.3 fixes this CVE. See
+            https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-19362</cve>
     </suppress>
     <suppress>