From f678258736b059895c3d8d5fbd3585a3ecd2c6eb Mon Sep 17 00:00:00 2001
From: Deepika Karanji <deeps.karanji2@gmail.com>
Date: Tue, 11 Oct 2022 12:03:37 +0530
Subject: [PATCH] [Updated]Vulnerability fix based on SNYK report with Code
 Drop (#62)

* high severities fixed

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>

* all fixed

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>

* Added comments

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>

* update to stable version

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>

* exclusions

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>

Signed-off-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>
Co-authored-by: Deepika Karanji - d0k03k3 <Deepika.Karanji@walmartlabs.com>
---
 pom.xml | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index 5b8b32f1..d5797825 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.1</version>
+		<version>2.7.4</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>hlf.java.client</groupId>
@@ -19,11 +19,11 @@
 	<properties>
 		<java.version>11</java.version>
 		<jacoco.version>0.8.8</jacoco.version>
-		<protobuf.version>3.19.2</protobuf.version>
+		<protobuf.version>3.19.6</protobuf.version>
 		<spring-cloud.version>2021.0.3</spring-cloud.version>
 	</properties>
 
-	<!-- Adding dependency management through the Spring BOM, so that we need 
+	<!-- Adding dependency management through the Spring BOM, so that we need
 		not manage versions ourselves -->
 	<dependencyManagement>
 		<dependencies>
@@ -36,11 +36,22 @@
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
-
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter</artifactId>
+			<exclusions>
+				<!--Excluding default snakeyaml transitive dependency as remediation for CVE-2022-25857, CVE-2022-38749 -->
+				<exclusion>
+					<groupId>org.yaml</groupId>
+					<artifactId>snakeyaml</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+			<version>1.32</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -49,6 +60,28 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<!--Excluding default jackson-databind dependency as remediation for CVE-2020-36518 -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!--Excluding default tomcat-embed-core dependency as remediation for CVE-2021-43980 -->
+				<exclusion>
+					<groupId>org.apache.tomcat.embed</groupId>
+					<artifactId>tomcat-embed-core</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>2.13.4</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.tomcat.embed</groupId>
+			<artifactId>tomcat-embed-core</artifactId>
+			<version>9.0.62</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>