SYMPHONYP-1237 vulnerability fix

Author: vaibhav-db

.github/workflows/allow-list.xml

@@ -58,8 +58,65 @@
 		</notes>
 		<cve>CVE-2024-21138</cve>
 	</suppress>
-
-
-
+	<suppress>
+		<notes>
+         Not using Bouncy Castle crafted
+        </notes>
+		<cve>CVE-2024-30172</cve>
+		<cve>CVE-2024-30171</cve>
+		<cve>CVE-2024-29857</cve>
+		<cve>CVE-2024-34447</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			we don't have write access to log config file.
+		</notes>
+		<cve>CVE-2024-12798</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			as we have update msal4j, we don't need to update this. 
+		</notes>
+		<cve>CVE-2024-35255</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			No impact, we are using java 17
+		</notes>
+		<cve>CVE-2010-0538</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			No impact, not using for JSON documents parser
+		</notes>
+		<cve>CVE-2023-7272</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			No impact, we are not using Protobuf
+		</notes>
+		<cve>CVE-2024-7254</cve>
+	</suppress>	
+	<suppress>
+		<notes>
+			Doesn't have fixed, we are using latest version jar
+		</notes>
+		<cve>CVE-2021-3869</cve>
+		<cve>CVE-2022-0198</cve>
+	</suppress>	
+	<suppress>
+		<notes>
+			No impact, we are using java 17
+		</notes>
+		<cve>CVE-2017-10355</cve>
+	</suppress>
+	<suppress>
+		<notes>
+			We will take this on next release
+		</notes>
+		<cve>CVE-2024-45772</cve>
+	</suppress>	
+	
+	
 </suppressions>
 

libs/teams/teams-chat-workflow-spring-boot-starter/pom.xml

@@ -58,6 +58,13 @@
 	        	</exclusion>
 	        </exclusions>
       	</dependency>
+      	
+      	<dependency>
+			<groupId>com.microsoft.azure</groupId>
+			<artifactId>msal4j</artifactId>
+			<version>${azure-msal4j.version}</version>
+		</dependency>
+      	
 		<dependency>
 			<groupId>com.microsoft.bot</groupId>
 			<artifactId>bot-builder</artifactId>
@@ -79,6 +86,18 @@
 			</exclusions>
 		</dependency>
 
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-codec-http</artifactId>
+			<version>${netty-codec.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-handler</artifactId>
+			<version>${netty-handler.version}</version>
+		</dependency>
+		
 		<dependency>
 			<groupId>com.azure</groupId>
 	  		<artifactId>azure-storage-blob</artifactId>
@@ -144,17 +163,6 @@
 	        <version>${guava.version}</version>
 		</dependency>
 
-		<dependency>
-			<groupId>io.netty</groupId>
-			<artifactId>netty-codec-http</artifactId>
-			<version>${netty-codec.version}</version>
-		</dependency>
-
-		<dependency>
-			<groupId>io.netty</groupId>
-			<artifactId>netty-handler</artifactId>
-			<version>${netty-handler.version}</version>
-		</dependency>
 
 		<!-- for testing -->
 		<dependency>

pom.xml

@@ -49,7 +49,7 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<spring-boot.version>3.3.0</spring-boot.version>
+		<spring-boot.version>3.4.0</spring-boot.version>
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.compiler.target>17</maven.compiler.target>
 		<java.version>17</java.version>
@@ -77,6 +77,7 @@
 		<azure-storage-blob.version>12.25.3</azure-storage-blob.version>
 		<netty-handler.version>4.1.115.Final</netty-handler.version>
 		<netty-codec.version>4.1.115.Final</netty-codec.version>
+		<azure-msal4j.version>1.16.1</azure-msal4j.version>
 	</properties>
 
 	<licenses>

tools/reminder-bot/pom.xml

@@ -37,7 +37,7 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
 		</dependency>
-
+	
 		<!-- https://mvnrepository.com/artifact/edu.stanford.nlp/stanford-corenlp -->
 		<dependency>
 			<groupId>edu.stanford.nlp</groupId>