From b7cf87d6d31cef80f06cef66f542838de4d34caa Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Thu, 20 Feb 2025 14:31:59 +0100
Subject: [PATCH] Fix CVE-2024-57699 by override transitive dependency version (#116)
The overriding should be removed once Spring Security updates its dependencies. Fixes #104
## How to test
1. Run `mvnw install org.owasp:dependency-check-maven:12.1.0:check --fail-at-end -DnvdApiDelay=60000 -DskipTests -DfailBuildOnCVSS=7`
2. Wait a very long time (can be sped up be [requesting an NVD API key](https://nvd.nist.gov/developers/request-an-api-key) and adding `-DnvdApiKey=<key>`
3. Check the build succeeds
Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/116
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
---
 pom.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/pom.xml b/pom.xml
index 42018f99dc..a43a6491cd 100755
--- a/pom.xml
+++ b/pom.xml
@@ -39,6 +39,12 @@
 <jersey.version>3.1.6</jersey.version>
 <poi.version>5.2.5</poi.version>
 <jackson.version>2.17.0</jackson.version>
+
+ <!-- When updating spring-boot check if the transitive dependency on json-smart has been
+ updated to 2.5.2 or later.
+ If so, remove the dependency managed version of json-smart
+ -->
 <spring.boot.version>3.4.1</spring.boot.version>
 <springdoc.openapi.version>2.8.3</springdoc.openapi.version>
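Review bot: The comment added above `spring.boot.version` tells a future maintainer to remove "the dependency managed version of json-smart", but the pin in the second hunk (`@@ -213,6 +219,20 @@`) appears to sit under `<dependencies>` rather than `<dependencyManagement>` — its siblings carry `<scope>runtime</scope>` and are followed by `<!-- Test stuff -->`, though the enclosing element itself starts outside that hunk. If it is in `<dependencies>`, a scope-less `<dependency>` makes json-smart a direct compile-scope dependency of this module rather than merely overriding the transitive version; either move the pin into `<dependencyManagement>`, which only overrides the version, or reword the property comment to `If so, remove the explicit json-smart dependency from <dependencies>` so it points at the right place. Neither comment names the advisory being addressed, so a reader cannot check the removal condition against anything but a bare version number; adding `fixes CVE-2024-57699 (json-smart < 2.5.2)` to the comment in the second hunk would make that verifiable. As a point of style, the four bare artifact names listed there read more clearly as one chain, e.g. `spring-boot-starter-oauth2-client -> spring-security-oauth2-client -> oauth2-oidc-sdk -> json-smart`.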
@@ -213,6 +219,20 @@
 <version>2.0.2</version>
 <scope>runtime</scope>
 </dependency>
+ <dependency>
+ <!--
+ 2.5.1 is brought in transitively by
+ spring-boot-starter-oauth2-client
+ spring-security-oauth2-client
+ oauth2-oidc-sdk
+ json-smart
+ it has a known security vulnerability that's fixed in 2.5.2
+ should be removed when spring-boot-starter-oauth2-client is updated
+ -->
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.5.2</version>
+ </dependency>
 <!-- Test stuff -->
 <dependency>