Bindu |Fix Critical and High security vulnerabilities with the spring…

… boot version (#20) * Bindu |Fix Critical and High security vulnerabilities with the spring boot version * Bindu | Update the trivyignore with medium vulnerabilities * Apply suggestions from code review --------- Co-authored-by: Umair Fayaz <[email protected]>
Bahmni · Dec 5, 2023 · a2606eb · a2606eb
1 parent 2333a7a
commit a2606eb
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 18 deletions.
diff --git a/.trivyignore b/.trivyignore
@@ -1 +1,4 @@
-CVE-2023-39017
+# Ignoring the below vulnerabilities, to be reviewed later
+CVE-2023-39017
+CVE-2023-2976 #Medium
+CVE-2023-33201 #Medium
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.13</version>
+		<version>2.7.18</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.bahmni</groupId>
@@ -15,7 +15,10 @@
 	<description>event-router-service</description>
 	<properties>
 		<java.version>17</java.version>
-		<camel-spring-boot.version>3.20.6</camel-spring-boot.version>
+		<camel-spring-boot.version>3.21.2</camel-spring-boot.version>
+		<grpc.protobuf.version>1.53.0</grpc.protobuf.version>
+		<log4j.slf4j.version>2.17.1</log4j.slf4j.version>
+
 	</properties>
 	<dependencies>
 
@@ -28,10 +31,21 @@
 					<groupId>org.yaml</groupId>
 					<artifactId>snakeyaml</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.logging.log4j</groupId>
+					<artifactId>log4j-to-slf4j</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>ch.qos.logback</groupId>
+					<artifactId>logback-classic</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
-		<!-- Lombok dependency -->
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-slf4j-impl</artifactId>
+			<version>${log4j.slf4j.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>
@@ -67,6 +81,17 @@
 		<dependency>
 			<groupId>org.apache.camel.springboot</groupId>
 			<artifactId>camel-google-pubsub-starter</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>io.grpc</groupId>
+					<artifactId>grpc-protobuf</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-protobuf</artifactId>
+			<version>${grpc.protobuf.version}</version>
 		</dependency>
 
 		<dependency>
@@ -117,19 +142,6 @@
 				<version>${camel-spring-boot.version}</version>
 				<type>pom</type>
 				<scope>import</scope>
-				<exclusions>
-					<exclusion>
-						<groupId>org.apache.activemq</groupId>
-						<artifactId>activemq-openwire-legacy</artifactId>
-					</exclusion>
-				</exclusions>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.activemq</groupId>
-				<artifactId>activemq-openwire-legacy</artifactId>
-				<version>5.16.7</version>
-				<type>pom</type>
-				<scope>import</scope>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>