Updates required to pass CVE checks (#34)

* add license scanning for node and maven * Update license-scanning-node.yml * Delete .github/workflows/license-scanning-maven.yml * Update license-scanning-node.yml * Update license-scanning-node.yml * add license * Fix CVE-2023-41080(6.1) * Fix CVE-2023-41080(6.1) * fix CVE-2023-41080 * fix CVE also on tomcat websocket and el dependencies * fix CVE in tomcat * fix tomcat CVE --------- Co-authored-by: Maurizio Pillitu <[email protected]> Co-authored-by: maoo <[email protected]>
finos · Sep 8, 2023 · cbfa26e · cbfa26e
1 parent 9a8afbb
commit cbfa26e
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 4 deletions.
diff --git a/account-service/build.gradle b/account-service/build.gradle
@@ -21,7 +21,20 @@ configurations.all {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation ('org.springframework.boot:spring-boot-starter-web') {
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-core'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
 	implementation group: 'org.slf4j', name: 'slf4j-api', version: '2.0.7'

diff --git a/position-service/build.gradle b/position-service/build.gradle
@@ -21,7 +21,20 @@ configurations.all {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation ('org.springframework.boot:spring-boot-starter-web') {
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-core'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
 	implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.30'

diff --git a/trade-processor/build.gradle b/trade-processor/build.gradle
@@ -21,7 +21,20 @@ configurations.all {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation ('org.springframework.boot:spring-boot-starter-web') {
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-core'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
 	implementation 'org.json:json'

diff --git a/trade-service/build.gradle b/trade-service/build.gradle
@@ -21,7 +21,20 @@ configurations.all {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation ('org.springframework.boot:spring-boot-starter-web') {
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-core'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
+		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
+		because 'previous versions are affected by CVE-2023-41080'
+	}
 	implementation 'org.json:json'
 	implementation 'io.socket:socket.io-client:2.1.0'
 	implementation 'com.h2database:h2:2.2.220'