SDIT-2141: ⬆️ Upgrade to hmpps spring boot 6.0.7 for path directory t…

…raversal suppression (#2288)

* SDIT-2141: ⬆️ Upgrade to hmpps spring boot 6.0.7 for path directory traversal suppression

* SDIT-2141: 🔒️ Let hikari version be set by spring boot & change to runtime

.trivyignore

@@ -10,3 +10,6 @@
 # Suppression for h2 2.1.214 password on command line vulnerability
 #   can be suppressed as we only run h2 locally and not on build environments
 CVE-2022-45868
+# Suppression for Spring Framework path directory traversal as it only affects
+#   applications that use WebMvc.fn or WebFlux.fn
+CVE-2024-38819

build.gradle.kts

@@ -1,5 +1,5 @@
 plugins {
-  id("uk.gov.justice.hmpps.gradle-spring-boot") version "6.0.6"
+  id("uk.gov.justice.hmpps.gradle-spring-boot") version "6.0.7"
   kotlin("plugin.spring") version "2.0.20"
   kotlin("plugin.jpa") version "2.0.20"
   kotlin("plugin.lombok") version "2.0.20"
@@ -30,14 +30,14 @@ dependencies {
   implementation("commons-codec:commons-codec:1.17.1")
   implementation("com.github.jsqlparser:jsqlparser:5.0")
   implementation("org.ehcache:ehcache:3.10.8")
-  implementation("com.zaxxer:HikariCP:5.1.0")
+  runtimeOnly("com.zaxxer:HikariCP")
 
   implementation("io.swagger:swagger-annotations:1.6.14")
   implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0")
 
   implementation("org.apache.commons:commons-lang3:3.17.0")
   implementation("commons-io:commons-io:2.17.0")
-  implementation("com.google.guava:guava:33.3.0-jre")
+  implementation("com.google.guava:guava:33.3.1-jre")
   implementation("org.apache.commons:commons-text:1.12.0")
   implementation("com.oracle.database.jdbc:ojdbc10:19.24.0.0")
   implementation("org.hibernate.orm:hibernate-community-dialects")
@@ -63,18 +63,18 @@ dependencies {
   testImplementation("com.tngtech.java:junit-dataprovider:1.13.1")
   testImplementation("net.javacrumbs.json-unit:json-unit-assertj:3.4.1")
 
-  testImplementation("net.serenity-bdd:serenity-core:4.2.1")
-  testImplementation("net.serenity-bdd:serenity-junit:4.2.1")
-  testImplementation("net.serenity-bdd:serenity-spring:4.2.1")
-  testImplementation("net.serenity-bdd:serenity-cucumber:4.2.1")
+  testImplementation("net.serenity-bdd:serenity-core:4.2.6")
+  testImplementation("net.serenity-bdd:serenity-junit:4.2.6")
+  testImplementation("net.serenity-bdd:serenity-spring:4.2.6")
+  testImplementation("net.serenity-bdd:serenity-cucumber:4.2.6")
   testImplementation("com.paulhammant:ngwebdriver:1.2")
   testImplementation("org.wiremock:wiremock:3.9.1")
   testImplementation("io.swagger.parser.v3:swagger-parser:2.1.22") {
     exclude(group = "io.swagger.core.v3")
   }
-  testImplementation("io.swagger.core.v3:swagger-core-jakarta:2.2.23")
+  testImplementation("io.swagger.core.v3:swagger-core-jakarta:2.2.25")
   testImplementation("commons-beanutils:commons-beanutils:1.9.4")
-  testImplementation("io.opentelemetry:opentelemetry-sdk-testing:1.40.0")
+  testImplementation("io.opentelemetry:opentelemetry-sdk-testing:1.43.0")
 
   testCompileOnly("org.projectlombok:lombok:1.18.34")
 }

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

helm_deploy/prison-api/Chart.yaml

@@ -9,5 +9,5 @@ dependencies:
     version: "3.6"
     repository: https://ministryofjustice.github.io/hmpps-helm-charts
   - name: generic-prometheus-alerts
-    version: "1.9"
+    version: "1.10"
     repository: https://ministryofjustice.github.io/hmpps-helm-charts