From 04429d78da76b65be3e345319c551a4dfde483e8 Mon Sep 17 00:00:00 2001 From: Dan Lysiak Date: Thu, 2 May 2024 13:11:07 +0100 Subject: [PATCH 1/3] PAY-6328: Fix CVE-2022-1471 --- cve-resolution-strategy.gradle | 2 +- dependency-check-suppressions.xml | 25 ------------------------- 2 files changed, 1 insertion(+), 26 deletions(-) diff --git a/cve-resolution-strategy.gradle b/cve-resolution-strategy.gradle index d583cfc0a..f346fff4c 100644 --- a/cve-resolution-strategy.gradle +++ b/cve-resolution-strategy.gradle @@ -65,7 +65,7 @@ configurations.all { /* CVE-2017-18640, CVE-2022-41854 */ if(det.requested.name == 'snakeyaml'){ - det.useVersion '1.32' + det.useVersion '2.2' } /* diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml index 4af9c80d8..ee6f6367b 100644 --- a/dependency-check-suppressions.xml +++ b/dependency-check-suppressions.xml @@ -136,26 +136,6 @@ CVE-2020-0187 - - - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing - to nested depth limitation for collections. - - CVE-2022-25857 - CVE-2022-38749 - CVE-2022-38750 - CVE-2022-38751 - - - - - Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the - parser is running on user supplied input, an attacker may supply content that causes the parser to crash by - stack-overflow. - - CVE-2022-38752 - - In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection @@ -258,11 +238,6 @@ commons-fileupload CVE-2023-24998 - - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. - - CVE-2022-1471 - Tomcat-embed-core and websocket suppressed to fix appinsights issue From 104d6e6524e04a23e30c8b05ed0121ad485c22ec Mon Sep 17 00:00:00 2001 
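Review bot: The comment directly above the changed line still lists only `CVE-2017-18640, CVE-2022-41854`, so the reason this pin jumped a major version — the CVE-2022-1471 fix named in the commit subject, plus the snakeyaml DoS CVEs whose suppressions this same commit deletes — is not recorded where the next person editing the pin will look; suggest `/* CVE-2017-18640, CVE-2022-41854, CVE-2022-25857, CVE-2022-38749..38752, CVE-2022-1471 (snakeyaml 2.x rejects global tags by default) */`. Because this is `det.useVersion` under `configurations.all`, 2.2 is forced on every consumer, including whatever Spring Boot and Liquibase themselves resolve; as far as I recall snakeyaml 2.0 removed the no-argument `Constructor()` and requires a `LoaderOptions`, so any direct `new Yaml(new Constructor(...))` in this repository would stop compiling and the YAML application-config startup path should be exercised on this branch before merging. The enclosing `configurations.all { ... }` closure starts and ends outside the hunk.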
From: Dan Lysiak Date: Thu, 2 May 2024 13:33:32 +0100 Subject: [PATCH 2/3] Upgrade liquibase --- api/build.gradle | 2 +- dependency-check-suppressions.xml | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/api/build.gradle b/api/build.gradle index bc0702789..bcbacb793 100644 --- a/api/build.gradle +++ b/api/build.gradle @@ -83,7 +83,7 @@ dependencies { exclude(module: 'commons-logging') exclude(module: 'slf4j-simple') } - implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.23.1' + implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.27.0' implementation group: 'com.github.hmcts.java-logging', name: 'logging-appinsights', version: javaLoggingVersion implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version:'5.0' implementation group: 'org.springframework.boot', name: 'spring-boot-devtools' diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml index ee6f6367b..12a90c911 100644 --- a/dependency-check-suppressions.xml +++ b/dependency-check-suppressions.xml @@ -41,11 +41,6 @@ CVE-2020-23171 - - Major liquibase update to version 4.8.0+ needed, this will require code refactoring - CVE-2022-0839 - - jackson-databind issue, upgrading to new version broke functional tests. CVE-2020-36518 From 9857ee43f7bc1bb93cfb4ff217c65d3113df39a4 Mon Sep 17 00:00:00 2001 From: Dan Lysiak Date: Thu, 2 May 2024 14:42:51 +0100 Subject: [PATCH 3/3] Modify resolution strategy for liquibase --- api/build.gradle | 2 +- cve-resolution-strategy.gradle | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/api/build.gradle b/api/build.gradle index bcbacb793..7fd73a0f4 100644 --- a/api/build.gradle +++ b/api/build.gradle 
@@ -83,7 +83,7 @@ dependencies { exclude(module: 'commons-logging') exclude(module: 'slf4j-simple') } - implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.27.0' + implementation group: 'org.liquibase', name: 'liquibase-core' implementation group: 'com.github.hmcts.java-logging', name: 'logging-appinsights', version: javaLoggingVersion implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version:'5.0' implementation group: 'org.springframework.boot', name: 'spring-boot-devtools' diff --git a/cve-resolution-strategy.gradle b/cve-resolution-strategy.gradle index f346fff4c..98524a8f4 100644 --- a/cve-resolution-strategy.gradle +++ b/cve-resolution-strategy.gradle @@ -63,6 +63,10 @@ configurations.all { det.useVersion '42.7.3' } + if (det.requested.name == 'liquibase-core') { + det.useVersion '4.27.0' + } + /* CVE-2017-18640, CVE-2022-41854 */ if(det.requested.name == 'snakeyaml'){ det.useVersion '2.2'
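Review bot: After this hunk `liquibase-core` is declared with no version, so api/build.gradle on its own no longer says which Liquibase ships, and the declaration only resolves because something else supplies a version — presumably Spring Boot dependency management (the neighbouring `spring-boot-devtools` line is already versionless) together with the `useVersion '4.27.0'` added to cve-resolution-strategy.gradle in this same commit. A one-line pointer keeps that discoverable from the file a reader actually opens: `implementation group: 'org.liquibase', name: 'liquibase-core' // version forced in cve-resolution-strategy.gradle (CVE-2022-0839)`. The `dependencies { ... }` block starts and ends outside the hunk.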
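Review bot: The new `liquibase-core` block is the only entry in this strategy without a CVE comment; the sibling right below it carries `/* CVE-2017-18640, CVE-2022-41854 */`, and the suppression deleted in the previous commit names CVE-2022-0839 as the reason a 4.8.0+ Liquibase was needed, so `/* CVE-2022-0839 (liquibase < 4.8.0) */` belongs on the line above the new `if`. Note that `useVersion` replaces the requested version unconditionally: once the platform-managed Liquibase moves past 4.27.0 this block will downgrade it, so either bump this pin whenever Spring Boot is upgraded or only override when the requested version is lower than 4.27.0. Minor style: the existing condition is written `if(det.requested.name == 'snakeyaml'){` while the new one is `if (det.requested.name == 'liquibase-core') {` — pick one form for the file. The enclosing `configurations.all { ... }` closure starts outside the hunk.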