cve updates (#1533)

* cve updates * fixing flaky smoke test * keeping in suppressions not yet fixed with version
hmcts · Feb 7, 2024 · eba328b · eba328b
1 parent 5185f4f
commit eba328b
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 19 deletions.
diff --git a/build.gradle b/build.gradle
@@ -5,7 +5,7 @@ plugins {
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.1.4'
   id 'org.springframework.boot' version '2.7.18'
-  id 'org.owasp.dependencycheck' version '9.0.4'
+  id 'org.owasp.dependencycheck' version '9.0.9'
   id 'com.github.ben-manes.versions' version '0.50.0'
   id 'org.sonarqube' version '4.4.1.3373'
   id 'org.flywaydb.flyway' version '9.22.3'
@@ -226,7 +226,7 @@ dependencies {
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-bootstrap', version: '3.1.7'
 
   implementation group: 'com.azure', name: 'azure-messaging-servicebus', version: '7.14.7'
-  implementation group: 'com.google.guava', name: 'guava', version: '32.1.3-jre'
+  implementation group: 'com.google.guava', name: 'guava', version: '33.0.0-jre'
 
   // region: feign clients
   implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '3.1.8'

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -4,26 +4,10 @@
         <packageUrl regex="true">^pkg:maven/com.fasterxml.jackson.core/jackson-databind@.*$</packageUrl>
         <cve>CVE-2023-35116</cve>
     </suppress>
-    <suppress>
-      <notes>Suppression for netty. Pulled in by springboot on latest version</notes>
-      <cve>CVE-2023-4586</cve>
-    </suppress>
-    <suppress>
-      <notes>Wait until a version exists that fixes this</notes>
-      <cve>CVE-2023-46604</cve>
-    </suppress>
     <suppress>
       <notes>Azure cli. Wait for fix.</notes>
       <cve>CVE-2023-36052</cve>
     </suppress>
-    <suppress>
-      <notes>Pulled in by springboot, waiting for them to release fix.</notes>
-      <cve>CVE-2023-34055</cve>
-    </suppress>
-    <suppress>
-      <notes>Pulled in by springboot, waiting for them to release fix.</notes>
-      <cve>CVE-2023-46589</cve>
-    </suppress>
     <suppress>
       <notes>Logback, waiting for fix</notes>
       <cve>CVE-2023-6378</cve>

diff --git a/src/smokeTest/java/uk/gov/hmcts/reform/notificationservice/LaunchDarklySmokeTest.java b/src/smokeTest/java/uk/gov/hmcts/reform/notificationservice/LaunchDarklySmokeTest.java
@@ -37,6 +37,7 @@ void setUp() {
     @Test
     void checkLaunchDarklyStatus() {
         DataSourceStatusProvider.Status ldStatus = ldClient.getDataSourceStatus();
-        assertThat(ldStatus.getState()).isEqualTo(DataSourceStatusProvider.State.VALID);
+        assertThat(ldStatus.getState())
+            .isIn(DataSourceStatusProvider.State.VALID, DataSourceStatusProvider.State.INITIALIZING);
     }
 }