issue_863: Updated gradle version, fixed more vulnerabilities, now figuring what to do with the remaining vulnerabilities.

HIRS_AttestationCA/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id 'io.spring.dependency-management' version '1.1.0'
+    id 'io.spring.dependency-management' version '1.1.2'
     id 'com.google.protobuf' version '0.9.4'
 }
 
@@ -18,28 +18,28 @@ dependencies {
     implementation libs.commons.codec
     implementation libs.commons.io
     implementation libs.commons.lang3
-    implementation libs.hibernate.core
     implementation libs.guava
     implementation libs.jackson.core
     implementation libs.jackson.databind
     implementation libs.jakarta.persistence.api
     implementation libs.jakarta.xml
-    implementation libs.log4j.api
+    implementation libs.spring.boot.starter.log4j2
-    implementation libs.log4j.core
     implementation libs.minimal.json
 
     // pull the pci dependency and ...
     implementation(libs.pci) {
-        // replace the default apache http client transitive dependency
+        // explicitly exclude the default apache http client transitive dependency
         exclude group: 'org.apache.httpcomponents', module: 'httpclient'
     }
-    // with the non-vulnerable version of the apache http client dependency
+    // and explicitly include the patched version of the apache http client dependency
     implementation libs.apacheHttpClient
 
     implementation libs.protobuf.java
     implementation libs.spring.boot.starter.data.jpa
     implementation libs.spring.retry
-    implementation libs.spring.boot.starter.web
+
+    // pull the spring-boot-starter-web dependency and ...
+    implementation(libs.spring.boot.starter.web)
 
     compileOnly libs.lombok
     annotationProcessor libs.lombok
@@ -48,11 +48,7 @@ dependencies {
     annotationProcessor libs.spotbugs.annotations
 
     testImplementation libs.commons.io
-    testImplementation libs.hamcrest
+    testImplementation libs.spring.boot.starter.test
-    testImplementation libs.junit.jupiter
-    testImplementation libs.junit.platform.launcher
-    testImplementation libs.mockito.core
-    testImplementation libs.spring.test
 
     testCompileOnly libs.lombok
     testAnnotationProcessor libs.lombok

HIRS_AttestationCAPortal/build.gradle

@@ -3,7 +3,7 @@ plugins {
     id 'war'
     id 'com.netflix.nebula.ospackage' version '11.8.0'
     id 'org.springframework.boot' version '3.0.8'
-    id 'io.spring.dependency-management' version '1.1.0'
+    id 'io.spring.dependency-management' version '1.1.2'
 }
 
 // Get version from main project gradle
@@ -35,18 +35,20 @@ dependencies {
     implementation libs.jakarta.persistence.api
     implementation libs.jakarta.servlet
     implementation libs.jakarta.xml
-    implementation libs.log4j.spring.boot
 
     // pull the pci dependency and ...
     implementation(libs.pci) {
-        // replace the default apache http client transitive dependency
+        // explicitly exclude the default apache http client transitive dependency
         exclude group: 'org.apache.httpcomponents', module: 'httpclient'
     }
-    // with the non-vulnerable version of the apache http client dependency
+    // and explicitly include the patched version of the apache http client dependency
     implementation libs.apacheHttpClient
 
     implementation libs.mariadb.java.client
-    implementation libs.spring.boot.starter.web
+
+    // pull the spring-boot-starter-web dependency and ...
+    implementation(libs.spring.boot.starter.web)
+
     implementation libs.spring.boot.starter.validation
     implementation libs.spring.boot.starter.data.jpa
     implementation libs.spring.boot.starter.log4j2
@@ -57,7 +59,6 @@ dependencies {
 
     providedRuntime libs.spring.boot.starter.tomcat
 
-    testImplementation libs.junit.jupiter
     testImplementation libs.hsqldb
     testImplementation libs.spring.boot.starter.test
 

HIRS_Structs/build.gradle

@@ -4,10 +4,7 @@ dependencies {
     compileOnly libs.lombok
     annotationProcessor libs.lombok
 
-//    testCompile libs.mockito
+    testImplementation libs.spring.boot.starter.test
-    testImplementation libs.junit.jupiter
-    testImplementation libs.junit.platform.launcher
-    testImplementation libs.hamcrest
 
     testCompileOnly libs.lombok
     testAnnotationProcessor libs.lombok

HIRS_Utils/build.gradle

@@ -21,16 +21,15 @@ dependencies {
     implementation libs.jackson.databind
     implementation libs.jakarta.persistence.api
     implementation libs.jakarta.xml
-    implementation libs.log4j.core
+    implementation libs.spring.boot.starter.log4j2
-    implementation libs.log4j.api
     implementation libs.minimal.json
 
     // pull the pci dependency and ...
     implementation(libs.pci) {
-        // replace the default apache http client transitive dependency
+        // explicitly exclude the default apache http client transitive dependency
         exclude group: 'org.apache.httpcomponents', module: 'httpclient'
     }
-    // with the non-vulnerable version of the apache http client dependency
+    // and explicitly include the patched version of the apache http client dependency
     implementation libs.apacheHttpClient
 
     implementation libs.slf4j.simple
@@ -38,10 +37,7 @@ dependencies {
     compileOnly libs.lombok
     annotationProcessor libs.lombok
 
-    testImplementation libs.junit.jupiter
+    testImplementation libs.spring.boot.starter.test
-    testImplementation libs.junit.platform.launcher
-    testImplementation libs.hamcrest
-    testImplementation libs.mockito.core
     testImplementation project(path: ':HIRS_AttestationCA')
 
     testCompileOnly libs.lombok

build.gradle

@@ -1,3 +1,5 @@
+import com.github.spotbugs.snom.SpotBugsTask
+
 import java.util.concurrent.TimeUnit
 
 plugins {
@@ -50,7 +52,7 @@ subprojects {
         excludeFilter = file('config/spotbugs/spotbugs-exclude.xml')
     }
 
-    tasks.withType(com.github.spotbugs.snom.SpotBugsTask).configureEach {
+    tasks.withType(SpotBugsTask).configureEach {
         reports {
             html.required = true
         }

gradle.properties

@@ -2,5 +2,4 @@ excludeGroups=rhel-6,performance
 includeGroups=
 org.gradle.daemon=true
 org.gradle.jvmargs=-Xms1g -Xmx4g
-org.gradle.caching=true
+org.gradle.caching=true
-org.gradle.parallel=true

gradle/versions.toml

@@ -8,32 +8,26 @@ gsonVersion = "2.11.0"
 glassfishJakartaJsonVersion = "2.0.1"
 glassfishJaxbRuntimeVersion = "4.0.5"
 guavaVersion = "33.3.1-jre"
-hibernateCoreVersion = "6.2.32.Final"
+jacksonVersion = "2.18.2"
-jacksonVersion = "2.18.0"
 jakartaPersistenceApiVersion = "3.2.0"
 jakartaServletVersion = "3.0.0"
 jakartaXmlVersion = "4.0.2"
 jcommanderVersion = "1.85"
-log4jVersion = "2.24.2"
 lombokVersion = "1.18.34"
 mariadbVersion = "3.4.0"
 minimalJsonVersion = "0.9.5"
 ospackageVersion = "11.2.0"
 pciVersion = "0.3"
 protobufJavaVersion = "4.28.3"
-springBootVersion = "3.0.8"
+springBootVersion = "3.4.0"
 springRetryVersion = "2.0.10"
+springCoreVersion = "6.2.1"
 testngVersion = "7.10.2"
 tomcatVersion = "10.1.33"
 
 #test dependencies versions
-hamcrestVersion = "3.0"
 hsqldbVersion = "2.7.3"
-junitJupiterVersion = "5.11.3"
-junitPlatformVersion = "1.11.3"
-mockitoVersion = "5.14.2"
 slf4jVersion = "2.0.16"
-springTestVersion = "6.0.8"
 spotBugAnnotationVersion = "4.8.6"
 
 [libraries]
@@ -46,16 +40,12 @@ gson = { module = "com.google.code.gson:gson", version.ref = "gsonVersion" }
 glassfish-jakarta-json = { module = "org.glassfish:jakarta.json", version.ref = "glassfishJakartaJsonVersion" }
 glassfish-jaxb-runtime = { module = "org.glassfish.jaxb:jaxb-runtime", version.ref = "glassfishJaxbRuntimeVersion" }
 guava = { module = "com.google.guava:guava", version.ref = "guavaVersion" }
-hibernate-core = { module = "org.hibernate:hibernate-core", version.ref = "hibernateCoreVersion" }
 jackson-core = { module = "com.fasterxml.jackson.core:jackson-core", version.ref = "jacksonVersion" }
 jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jacksonVersion" }
 jakarta-persistence-api = { module = "jakarta.persistence:jakarta.persistence-api", version.ref = "jakartaPersistenceApiVersion" }
 jakarta-servlet = { module = "org.glassfish.web:jakarta.servlet.jsp.jstl", version.ref = "jakartaServletVersion" }
 jakarta-xml = { module = "jakarta.xml.bind:jakarta.xml.bind-api", version.ref = "jakartaXmlVersion" }
 jcommander = { module = "org.jcommander:jcommander", version.ref = "jcommanderVersion" }
-log4j-api = { module = "org.apache.logging.log4j:log4j-api", version.ref = "log4jVersion" }
-log4j-core = { module = "org.apache.logging.log4j:log4j-core", version.ref = "log4jVersion" }
-log4j-spring-boot = { module = "org.apache.logging.log4j:log4j-spring-boot", version.ref = "log4jVersion" }
 lombok = { module = "org.projectlombok:lombok", version.ref = "lombokVersion" }
 mariadb-java-client = { module = "org.mariadb.jdbc:mariadb-java-client", version.ref = "mariadbVersion" }
 minimal-json = { module = "com.eclipsesource.minimal-json:minimal-json", version.ref = "minimalJsonVersion" }
@@ -68,17 +58,14 @@ spring-boot-starter-log4j2 = { module = "org.springframework.boot:spring-boot-st
 spring-boot-starter-tomcat = { module = "org.springframework.boot:spring-boot-starter-tomcat", version.ref = "springBootVersion" }
 spring-boot-starter-validation = { module = "org.springframework.boot:spring-boot-starter-validation", version.ref = "springBootVersion" }
 spring-boot-starter-web = { module = "org.springframework.boot:spring-boot-starter-web", version.ref = "springBootVersion" }
+#spring-framework-webmvc = { module = "org.springframework:spring-webmvc", version.ref = "springCoreVersion" }
+#spring-framework-web = { module = "org.springframework:spring-web", version.ref = "springCoreVersion" }
 spring-retry = { module = "org.springframework.retry:spring-retry", version.ref = "springRetryVersion" }
 tomcat-embed-jasper = { module = "org.apache.tomcat.embed:tomcat-embed-jasper", version.ref = "tomcatVersion" }
 testng = { module = "org.testng:testng", version.ref = "testngVersion" }
 
 # test dependencies
-hamcrest = { module = "org.hamcrest:hamcrest", version.ref = "hamcrestVersion" }
 hsqldb = { module = "org.hsqldb:hsqldb", version.ref = "hsqldbVersion" }
-junit-jupiter = { module = "org.junit.jupiter:junit-jupiter", version.ref = "junitJupiterVersion" }
-junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher", version.ref = "junitPlatformVersion" }
-mockito-core = { module = "org.mockito:mockito-core", version.ref = "mockitoVersion" }
-spring-test = { module = "org.springframework:spring-test", version.ref = "springTestVersion" }
 spring-boot-starter-test = { module = "org.springframework.boot:spring-boot-starter-test", version.ref = "springBootVersion" }
 spotbugs-annotations = { module = "com.github.spotbugs:spotbugs-annotations", version.ref = "spotBugAnnotationVersion" }
 

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

tools/tcg_rim_tool/build.gradle

@@ -16,12 +16,12 @@ dependencies {
     implementation libs.glassfish.jakarta.json
     implementation libs.glassfish.jaxb.runtime
     implementation libs.guava
-    implementation libs.hibernate.core
     implementation libs.jcommander
     implementation libs.jackson.databind
     implementation libs.jakarta.persistence.api
     implementation libs.jakarta.xml
-    implementation libs.log4j.core
+    implementation libs.spring.boot.starter.log4j2
+    implementation libs.spring.boot.starter.data.jpa
 
     compileOnly libs.lombok
     annotationProcessor libs.lombok