From 22970be5ffb8053488031059e89ce47d24c907d3 Mon Sep 17 00:00:00 2001 From: Chris Bono Date: Sat, 1 Feb 2025 18:31:19 -0600 Subject: [PATCH] Fix couple of CVEs before releasing 2024.0.1 (#625) * Updates Spring Boot to 3.3.8 and Spring Cloud to 2023.0.5 * Update Groovy to 3.0.23 This updates `org.codehaus.groovy:groovy-all` used by the `stream-applications-release-train` module to `3.0.23` to fix `CVE-2022-4065` from transitive dependency `org.testng:testng`. * Add CVEs to .trivyignore due to `debezium-supplier` transitive dependencies. --- .trivyignore | 2 ++ .../stream-applications-descriptor/pom.xml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.trivyignore b/.trivyignore index 7934daf1..93d59b27 100644 --- a/.trivyignore +++ b/.trivyignore @@ -3,6 +3,8 @@ ################################ CVE-2023-1428 CVE-2023-32731 +CVE-2024-41909 +CVE-2024-7254 ################################ # Snakeyaml 1.3.3 diff --git a/stream-applications-release-train/stream-applications-descriptor/pom.xml b/stream-applications-release-train/stream-applications-descriptor/pom.xml index bceca31a..064f8ca9 100644 --- a/stream-applications-release-train/stream-applications-descriptor/pom.xml +++ b/stream-applications-release-train/stream-applications-descriptor/pom.xml @@ -20,7 +20,7 @@ org.codehaus.groovy groovy-all - 3.0.17 + 3.0.23 pom compile @@ -52,7 +52,7 @@ org.codehaus.groovy groovy-all - 3.0.17 + 3.0.23 pom
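Review bot: the two new `.trivyignore` entries (`CVE-2024-41909`, `CVE-2024-7254`) in the first hunk carry no in-file justification, although the file already documents other suppressions with a comment block in the style of `# Snakeyaml 1.3.3`. A scanner ignore is a permanent blind spot until someone removes it, so please add a comment block naming the `debezium-supplier` transitive dependency the commit message attributes them to, the upstream fix being waited on, and a review date, so the entries can be dropped once the supplier pulls in patched versions rather than lingering indefinitely.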
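Review bot: the `groovy-all` bump from `3.0.17` to `3.0.23` in the `@@ -20,7 +20,7 @@` hunk is stated in the commit message to fix `CVE-2022-4065` in the transitive `org.testng:testng`, but nothing in the diff shows that the resolved `testng` version actually changes. Please attach the before/after output of `mvn dependency:tree -Dincludes=org.testng:testng` for the `stream-applications-descriptor` module to the PR, or add a dependency-management entry or exclusion for `org.testng:testng` so the fix does not silently depend on what a future `groovy-all` POM declares.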
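Review bot: the `@@ -52,7 +52,7 @@` hunk is the second hard-coded copy of the same `groovy-all` version in this POM, which is how the two declarations drifted to need an identical `- 3.0.17` / `+ 3.0.23` edit in both places. Suggest hoisting the version into a single property (for example a `groovy.version` property in the `<properties>` block, name only a suggestion) and referencing it from both dependency entries, so the next CVE-driven bump touches one line and cannot leave one of the two declarations on the vulnerable version.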