Merge branch 'master' into merge-hotfix/5.11.1

# Conflicts:
#	build.gradle

.github/workflows/release.yml

@@ -11,7 +11,7 @@ on:
 
 env:
   GH_USER_NAME: github.actor
-  RELEASE_VERSION: 5.11.0
+  RELEASE_VERSION: 5.11.1
 
 jobs:
   release:

build.gradle

@@ -33,7 +33,7 @@ ext['log4j2.version'] = '2.21.1'
 
 dependencyManagement {
     imports {
-        mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.10.0' : 'com.github.reportportal:commons-bom:04b1a7d')
+        mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.7' : 'com.epam.reportportal:commons-bom:5.11.7')
     }
 }
 
@@ -46,10 +46,10 @@ dependencies {
         api 'com.github.reportportal:commons:83ea1a5b9e'
     }
 
-    //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252
-    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82'
-    implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82'
-    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82'
+    //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252, CVE-2023-46589, CVE-2024-24549
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.86'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.86'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.86'
     //Fix CVE-2020-15522
     implementation 'org.bouncycastle:bcprov-jdk15on:1.69'
     //Fix CVE-2015-7501, CVE-2015-4852
@@ -65,6 +65,11 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-actuator'
     api 'org.springframework.boot:spring-boot-starter-security'
     implementation 'org.springframework.boot:spring-boot-starter-amqp'
+    //Fix CVE-2023-34050
+    implementation 'org.springframework.amqp:spring-amqp:2.4.17'
+    //Fix CVE-2023-40827, CVE-2023-40828, CVE-2023-40826
+    implementation 'org.springframework:spring-webmvc:5.3.33'
+    implementation 'org.springframework:spring-web:5.3.33'
 
     ///// Security
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
@@ -75,6 +80,8 @@ dependencies {
     //
 
     api 'org.springframework.security:spring-security-oauth2-client'
+    //Fix CVE-2023-1370
+    implementation 'net.minidev:json-smart:2.4.10'
     //Fix CVE-2022-22969
     api 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
     implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
@@ -83,11 +90,17 @@ dependencies {
     implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
 //  Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
     implementation 'org.apache.santuario:xmlsec:3.0.3'
+    //Fix CVE-2015-7501, CVE-2015-4852
+    implementation 'org.apache.commons:commons-collections4:4.4'
+
+    //Fix CVE-2023-6378, CVE-2023-6481, CVE-2023-6378, CVE-2023-6481
+    implementation 'ch.qos.logback:logback-classic:1.2.13'
+    implementation 'ch.qos.logback:logback-core:1.2.13'
 
 
     api 'javax.inject:javax.inject:1'
     implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
-    api 'org.apache.commons:commons-compress:1.21'
+    api 'org.apache.commons:commons-compress:1.26.0'
     implementation 'org.cryptacular:cryptacular:1.1.4'
     // TODO: snakeyaml 2.0 supported by Spring Boot 3 only
     implementation 'org.yaml:snakeyaml:1.33'

gradle.properties

@@ -1,4 +1,4 @@
-version=5.11.0
+version=5.11.2
 description=Unified Authorization Trap for all ReportPortal's Services
 dockerPrepareEnvironment=
 dockerJavaOpts=-Xmx512m -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=70 -Djava.security.egd=file:/dev/./urandom