Merge pull request #23 from spt-development/feature/spring-boot-3.2.0-upgrade

SimonTaylor · web-flow · commit cd88b26a45da · 2023-12-03T01:07:59.000Z
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
@@ -14,4 +14,4 @@ jobs:
         with:
           website: jdk.java.net
           release: 21
-      - run: ./mvnw clean install dependency-check:check -DskipTests -B
+      - run: ./mvnw clean install dependency-check:check -DnvdApiKey= -B
diff --git a/documentation/releases/release-3.2.0.md b/documentation/releases/release-3.2.0.md
@@ -0,0 +1,3 @@
+## Dependencies
+
+* Aligned dependencies with [Spring Boot 3.2.0](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.2-Release-Notes#dependency-upgrades).
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 
     <groupId>com.spt-development</groupId>
     <artifactId>spt-development-logging-spring-boot</artifactId>
-    <version>3.1.6-SNAPSHOT</version>
+    <version>3.2.0-SNAPSHOT</version>
 
     <name>logging-spring-boot</name>
     <description>Library for integrating spt-development/spt-development-logging-spring into a Spring Boot application.</description>
@@ -40,37 +40,37 @@
         <maven.min.version>3.9.4</maven.min.version>
 
         <!-- Dependency versions -->
-        <spring-boot.version>3.1.5</spring-boot.version>
+        <spring-boot.version>3.2.0</spring-boot.version>
         <spt-cid.version>2.0.12</spt-cid.version>
-        <spt-logging-spring.version>3.0.11</spt-logging-spring.version>
+        <spt-logging-spring.version>3.0.12</spt-logging-spring.version>
 
         <!-- Plugin versions -->
-        <build-helper-maven-plugin.version>3.4.0</build-helper-maven-plugin.version>
-        <checkstyle-maven-plugin.version>3.3.0</checkstyle-maven-plugin.version>
-        <dependency-check-maven.version>8.4.1</dependency-check-maven.version>
-        <findbugs-slf4j-bug-pattern.version>1.5.0</findbugs-slf4j-bug-pattern.version>
-        <findbugs-sec-bug-pattern.version>1.12.0</findbugs-sec-bug-pattern.version>
+        <build-helper-maven-plugin.version>3.5.0</build-helper-maven-plugin.version>
+        <checkstyle-maven-plugin.version>3.3.1</checkstyle-maven-plugin.version>
+        <dependency-check-maven.version>9.0.2</dependency-check-maven.version>
         <jacoco-maven-plugin.version>0.8.11</jacoco-maven-plugin.version>
-        <license-maven-plugin.version>2.2.0</license-maven-plugin.version>
+        <license-maven-plugin.version>2.3.0</license-maven-plugin.version>
         <maven-compiler-plugin.version>3.11.0</maven-compiler-plugin.version>
-        <maven-dependency-plugin.version>3.6.0</maven-dependency-plugin.version>
+        <maven-dependency-plugin.version>3.6.1</maven-dependency-plugin.version>
         <maven-enforcer-plugin.version>3.4.1</maven-enforcer-plugin.version>
         <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
-        <maven-javadoc-plugin.version>3.6.0</maven-javadoc-plugin.version>
-        <maven-jxr-plugin.version>3.3.0</maven-jxr-plugin.version>
-        <maven-pmd-plugin.version>3.21.0</maven-pmd-plugin.version>
+        <maven-javadoc-plugin.version>3.6.2</maven-javadoc-plugin.version>
+        <maven-jxr-plugin.version>3.3.1</maven-jxr-plugin.version>
+        <maven-pmd-plugin.version>3.21.2</maven-pmd-plugin.version>
         <maven-release-plugin.version>3.0.1</maven-release-plugin.version>
         <maven-scm-plugin.version>2.0.1</maven-scm-plugin.version>
         <maven-source-plugin.version>3.3.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.2.2</maven-surefire-plugin.version>
         <nexus-staging-plugin.version>1.6.13</nexus-staging-plugin.version>
-        <pitest-maven.version>1.15.1</pitest-maven.version>
-        <spotbugs.version>4.7.3.6</spotbugs.version>
-        <versions-maven-plugin.version>2.16.1</versions-maven-plugin.version>
+        <pitest-maven.version>1.15.3</pitest-maven.version>
+        <spotbugs.version>4.8.1.0</spotbugs.version>
+        <versions-maven-plugin.version>2.16.2</versions-maven-plugin.version>
 
         <!-- Plugin dependencies -->
-        <checkstyle.version>10.12.4</checkstyle.version>
-        <pitest-junit5-plugin.version>1.2.0</pitest-junit5-plugin.version>
+        <findbugs-slf4j-bug-pattern.version>1.5.0</findbugs-slf4j-bug-pattern.version>
+        <findbugs-sec-bug-pattern.version>1.12.0</findbugs-sec-bug-pattern.version>
+        <checkstyle.version>10.12.5</checkstyle.version>
+        <pitest-junit5-plugin.version>1.2.1</pitest-junit5-plugin.version>
     </properties>
 
     <dependencyManagement>
@@ -308,6 +308,9 @@
                     <artifactId>dependency-check-maven</artifactId>
                     <version>${dependency-check-maven.version}</version>
                     <configuration>
+                        <!-- NVD API Key obtained from  https://nvd.nist.gov/developers/request-an-api-key -->
+                        <nvdApiKey>${nvdApiKey}</nvdApiKey>
+
                         <!-- Assembly analyzer disabled because we don't have any .NET code/dlls -->
                         <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                         <!-- Node and retirejs analyzer disabled, because any js floating around isn't part of the main app -->
diff --git a/spt-development-logging-spring-boot-autoconfigure/pom.xml b/spt-development-logging-spring-boot-autoconfigure/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>com.spt-development</groupId>
         <artifactId>spt-development-logging-spring-boot</artifactId>
-        <version>3.1.6-SNAPSHOT</version>
+        <version>3.2.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>spt-development-logging-spring-boot-autoconfigure</artifactId>
diff --git a/spt-development-logging-spring-boot-starter/config/owasp/suppress.xml b/spt-development-logging-spring-boot-starter/config/owasp/suppress.xml
@@ -1,11 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <!-- Low risk and not wanting to deviate from a Spring Boot dependency -->
+    <!-- Not wanting to deviate from a Spring Boot dependency -->
     <suppress>
         <notes><![CDATA[
-   file name: snakeyaml-1.33.jar
+   file name: logback-classic-1.4.11.jar
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-6378</vulnerabilityName>
+    </suppress>
+    <!-- Not wanting to deviate from a Spring Boot dependency -->
+    <suppress>
+        <notes><![CDATA[
+   file name: logback-core-1.4.11.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-6378</vulnerabilityName>
     </suppress>
 </suppressions>
diff --git a/spt-development-logging-spring-boot-starter/pom.xml b/spt-development-logging-spring-boot-starter/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>com.spt-development</groupId>
         <artifactId>spt-development-logging-spring-boot</artifactId>
-        <version>3.1.6-SNAPSHOT</version>
+        <version>3.2.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>spt-development-logging-spring-boot-starter</artifactId>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## Dependencies`
	`2`	`+`
	`3`	`+* Aligned dependencies with [Spring Boot 3.2.0](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.2-Release-Notes#dependency-upgrades).`