Merge pull request #456 from deutschebank/spring-bot-master-db

SYMPHONYP-1237 vulnerability-in-spring-bot-framework
finos · Jan 22, 2025 · 7bb206c · 7bb206c
2 parents 7156391 + 2a0944a
commit 7bb206c
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 77 deletions.
diff --git a/.github/workflows/allow-list.xml b/.github/workflows/allow-list.xml
@@ -51,126 +51,77 @@
         ]]></notes>
 		<cve>CVE-2023-20863</cve>
 	</suppress>
-
+	
 	<suppress>
 		<notes>
-			These are added in the conversion from spring2 to spring3.
+		This vulnerablity is affect to JDK 17.0.11 and we are using JDK 17.13. so no impact to our application.		
 		</notes>
-		<cve>CVE-2023-36052</cve>
+		<cve>CVE-2024-21138</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
-			An issue was discovered in Bouncy Castle Java Cryptography APIs
-			before 1.78. An Ed25519 verification code infinite loop can occur via
-			a crafted signature and public key.
-
-			We don't use that.
-		</notes>
+         Not using Bouncy Castle crafted
+        </notes>
 		<cve>CVE-2024-30172</cve>
-	</suppress>
-	<suppress>
-		<notes>
-		</notes>
-
 		<cve>CVE-2024-30171</cve>
-	</suppress>
-
-
-	<suppress>
-		<notes>
-		</notes>
 		<cve>CVE-2024-29857</cve>
+		<cve>CVE-2024-34447</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
+			we don't have write access to log config file.
 		</notes>
-		<cve>CVE-2024-34447</cve>
+		<cve>CVE-2024-12798</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
+			as we have update msal4j, we don't need to update this. 
 		</notes>
 		<cve>CVE-2024-35255</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
+			No impact, we are using java 17
 		</notes>
-		<cve>CVE-2023-1370</cve>
+		<cve>CVE-2010-0538</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
+			No impact, not using for JSON documents parser
 		</notes>
-		<cve>CVE-2023-52428</cve>
+		<cve>CVE-2023-7272</cve>
 	</suppress>
-
 	<suppress>
 		<notes>
+			No impact, we are not using Protobuf
 		</notes>
-		<cve>CVE-2010-0538</cve>
-	</suppress>
-
+		<cve>CVE-2024-7254</cve>
+	</suppress>	
 	<suppress>
 		<notes>
+			Doesn't have fixed, we are using latest version jar
 		</notes>
 		<cve>CVE-2021-3869</cve>
-	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
 		<cve>CVE-2022-0198</cve>
-	</suppress>
-
+	</suppress>	
 	<suppress>
 		<notes>
+			No impact, we are using java 17
 		</notes>
 		<cve>CVE-2017-10355</cve>
 	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
-		<cve>CVE-2020-10146</cve>
-	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
-		<cve>CVE-2024-38820</cve>
-	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
-		<cve>CVE-2024-38809</cve>
-	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
-		<cve>CVE-2024-38816</cve>
-	</suppress>
-
-	<suppress>
-		<notes>
-		</notes>
-		<cve>CVE-2023-7272</cve>
-	</suppress>
 	<suppress>
 		<notes>
+			We will take this on next release
 		</notes>
 		<cve>CVE-2024-45772</cve>
-	</suppress>
+	</suppress>	
 	<suppress>
 		<notes>
+			We will take this on next release
 		</notes>
-		<cve>CVE-2024-7254</cve>
-	</suppress>
-
-
+		<cve>CVE-2020-10146</cve>
+	</suppress>	
+
 </suppressions>
 
diff --git a/libs/teams/teams-chat-workflow-spring-boot-starter/pom.xml b/libs/teams/teams-chat-workflow-spring-boot-starter/pom.xml
@@ -58,6 +58,13 @@
 	        	</exclusion>
 	        </exclusions>
       	</dependency>
+
+      	<dependency>
+			<groupId>com.microsoft.azure</groupId>
+			<artifactId>msal4j</artifactId>
+			<version>${azure-msal4j.version}</version>
+		</dependency>
+
 		<dependency>
 			<groupId>com.microsoft.bot</groupId>
 			<artifactId>bot-builder</artifactId>
@@ -79,6 +86,18 @@
 			</exclusions>
 		</dependency>
 
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-codec-http</artifactId>
+			<version>${netty-codec.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-handler</artifactId>
+			<version>${netty-handler.version}</version>
+		</dependency>
+
 		<dependency>
 			<groupId>com.azure</groupId>
 	  		<artifactId>azure-storage-blob</artifactId>
@@ -143,6 +162,7 @@
 	        <artifactId>guava</artifactId>
 	        <version>${guava.version}</version>
 		</dependency>
+
 
 		<!-- for testing -->
 		<dependency>

diff --git a/pom.xml b/pom.xml
@@ -49,7 +49,7 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<spring-boot.version>3.3.0</spring-boot.version>
+		<spring-boot.version>3.4.0</spring-boot.version>
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.compiler.target>17</maven.compiler.target>
 		<java.version>17</java.version>
@@ -66,7 +66,7 @@
 		<okio-jvm.version>3.4.0</okio-jvm.version>
 		<guava.version>32.1.0-jre</guava.version>
 		<jsoup.version>1.17.2</jsoup.version>
-		<graalvm.version>24.1.1</graalvm.version>
+		<graalvm.version>23.0.3</graalvm.version>
 		<symphony-bdk.version>3.0.0</symphony-bdk.version>
 		<!--<mimepull.version>1.9.15</mimepull.version>-->
 		<!--<thymeleaf.version>2.7.0</thymeleaf.version>-->	
@@ -75,6 +75,9 @@
 		<httpclient.version>4.5.13</httpclient.version>			
 		<corenlp.version>4.5.7</corenlp.version>
 		<azure-storage-blob.version>12.25.3</azure-storage-blob.version>
+		<netty-handler.version>4.1.115.Final</netty-handler.version>
+		<netty-codec.version>4.1.115.Final</netty-codec.version>
+		<azure-msal4j.version>1.16.1</azure-msal4j.version>
 	</properties>
 
 	<licenses>

diff --git a/tools/reminder-bot/pom.xml b/tools/reminder-bot/pom.xml
@@ -37,7 +37,7 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
 		</dependency>
-
+	
 		<!-- https://mvnrepository.com/artifact/edu.stanford.nlp/stanford-corenlp -->
 		<dependency>
 			<groupId>edu.stanford.nlp</groupId>