From c85bf7e3738729307aad5d365d912840cd0484d1 Mon Sep 17 00:00:00 2001
From: lukasz-wolski <1005015+lukasz-wolski@users.noreply.github.com>
Date: Tue, 2 May 2023 15:13:44 +0100
Subject: [PATCH 1/2] addresses CVE-2023-20873, CVE-2023-20862

https://tools.hmcts.net/jira/browse/DTSRD-295 https://tools.hmcts.net/jira/browse/DTSRD-296 ### Change description ### addresses CVE-2023-20873 remedied in spring-boot 2.7.11 - https://spring.io/security/cve-2023-20873 addresses CVE-2023-20862 remedied in spring-security 5.7.8 - https://spring.io/security/cve-2023-20862
---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index a9fdcb7f6..2e2b4b8f0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -14,7 +14,7 @@ plugins {
 id "info.solidsoft.pitest" version '1.7.0'
 id 'io.spring.dependency-management' version '1.1.0'
 id 'org.sonarqube' version '3.1.1'
- id 'org.springframework.boot' version '2.7.7'
+ id 'org.springframework.boot' version '2.7.11'
 id "org.flywaydb.flyway" version "8.5.12"
 id 'au.com.dius.pact' version '4.1.7'
 id 'org.owasp.dependencycheck' version '8.0.1'
@@ -33,7 +33,7 @@ def versions = [
 reformHealthStarter: '0.0.5',
 serenity : '2.0.76',
 sonarPitest : '0.5',
- springBoot : '2.7.7',
+ springBoot : '2.7.11',
 springHystrix : '2.2.8.RELEASE',
 pact_version : '4.1.7',
 launchDarklySdk : "5.10.7",
@@ -377,7 +377,7 @@ dependencies {
 implementation group: 'org.springframework', name: 'spring-core', version: versions.springVersion
 implementation group: 'org.springframework', name: 'spring-beans', version: versions.springVersion
- implementation group: 'org.springframework.security', name: 'spring-security-core', version: '5.7.5'
+ implementation group: 'org.springframework.security', name: 'spring-security-core', version: '5.7.8'
 implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.70'
 implementation group: 'ch.qos.logback', name: 'logback-core', version: versions.logback 
From d064d2f64ff7582ed9f8b4722b368426d621825c Mon Sep 17 00:00:00 2001
From: Lukasz Wolski <1005015+lukasz-wolski@users.noreply.github.com>
Date: Tue, 2 May 2023 16:21:48 +0100
Subject: [PATCH 2/2] removed duplicate dependency

---
 build.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 2e2b4b8f0..c655c26ad 100644
--- a/build.gradle
+++ b/build.gradle
@@ -386,7 +386,6 @@ dependencies {
 implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: versions.log4j
 implementation group: 'org.apache.logging.log4j', name: 'log4j', version: versions.log4j
 implementation group: 'org.apache.logging.log4j', name: 'log4j-to-slf4j', version: versions.log4j
- implementation group: 'org.springframework.security', name: 'spring-security-core', version: '5.7.5'
 implementation group:"org.yaml", name: "snakeyaml", version:"1.33" //Fix for CVE-2021-29425