CIV-0000 fix cve (#83)

* Update build.gradle * Update suppressions.xml * Update README.md * password changes
hmcts · Nov 2, 2023 · 92e1293 · 92e1293
1 parent 1a91820
commit 92e1293
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 2 deletions.
diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP
@@ -44,7 +44,10 @@ def secrets = [
     secret('ccd-importer-username', 'CCD_CONFIGURER_IMPORTER_USERNAME'),
     secret('ccd-importer-password', 'CCD_CONFIGURER_IMPORTER_PASSWORD'),
     secret('postgres-user', 'POSTGRES_USER'),
-    secret('postgres-password', 'POSTGRES_PASSWORD')
+    secret('postgres-password', 'POSTGRES_PASSWORD'),
+    secret('default-password', 'DEFAULT_PASSWORD'),
+    secret('judge-default-password', 'JUDGE_DEFAULT_PASSWORD'),
+    secret('iac-default-password', 'IAC_DEFAULT_PASSWORD')
   ]
 ]
 

diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ Civil orchestration service for bulk claims
 The project is dependent on other Civil repositories:
 
 civil-ccd-definition
+civil-service
 
 ### Building the application
 

diff --git a/build.gradle b/build.gradle
@@ -277,6 +277,16 @@ dependencies {
   implementation group: 'uk.gov.hmcts.reform', name: 'service-auth-provider-client', version: '4.0.0'
 
 }
+dependencyManagement {
+  dependencies {
+// Fix CVE-2023-42795, CVE-2023-45648
+    dependencySet(group: 'org.apache.tomcat.embed', version: '10.1.15') {
+      entry 'tomcat-embed-core'
+      entry 'tomcat-embed-el'
+      entry 'tomcat-embed-websocket'
+    }
+  }
+}
 
 mainClassName = 'uk.gov.hmcts.reform.civil.Application'
 

diff --git a/charts/civil-orchestrator-service/values.aat.template.yaml b/charts/civil-orchestrator-service/values.aat.template.yaml
@@ -58,6 +58,9 @@ civil-service:
           - ordnance-survey-api-key
           - robotics-notification-recipient-spec
           - robotics-notification-multipartyrecipient
+          - default-password
+          - judge-default-password
+          - iac-default-password
     environment:
       IDAM_CLIENT_ID: civil-service
       IDAM_CLIENT_REDIRECT_URI: https://civil-orchestrator-service-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal/oauth2/callback

diff --git a/charts/civil-orchestrator-service/values.preview.template.yaml b/charts/civil-orchestrator-service/values.preview.template.yaml
@@ -58,6 +58,9 @@ civil-service:
           - ordnance-survey-api-key
           - robotics-notification-recipient-spec
           - robotics-notification-multipartyrecipient
+          - default-password
+          - judge-default-password
+          - iac-default-password
     environment:
       IDAM_CLIENT_ID: civil-service
       IDAM_CLIENT_REDIRECT_URI: https://civil-ccd-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal/oauth2/callback

diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -10,14 +10,15 @@
   <!--End of false positives section -->
 
   <!--Please add all the temporary suppression under the below section-->
-  <suppress until="2023-10-14">
+  <suppress until="2024-10-14">
     <cve>CVE-2022-1471</cve>
     <cve>CVE-2022-45688</cve>
     <cve>CVE-2023-2976</cve>
     <cve>CVE-2020-8908</cve>
     <cve>CVE-2023-33201</cve>
     <cve>CVE-2023-35116</cve>
     <cve>CVE-2023-41080</cve>
+    <cve>CVE-2023-5072</cve>
   </suppress>
   <!--End of temporary suppression section -->
 </suppressions>