From a2606eba0f92f676245e3dd0d848c14be2bcebb2 Mon Sep 17 00:00:00 2001
From: Himabindu T <tbindu@thoughtworks.com>
Date: Tue, 5 Dec 2023 14:35:32 +0530
Subject: [PATCH] Bindu |Fix Critical and High security vulnerabilities with
 the spring boot version (#20)

* Bindu |Fix Critical and High security vulnerabilities with the spring boot version

* Bindu | Update the trivyignore with medium vulnerabilities

* Apply suggestions from code review

---------

Co-authored-by: Umair Fayaz <59157924+umair-fayaz@users.noreply.github.com>
---
 .trivyignore |  5 ++++-
 pom.xml      | 46 +++++++++++++++++++++++++++++-----------------
 2 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index be8035e..6e51a5c 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1 +1,4 @@
-CVE-2023-39017
\ No newline at end of file
+# Ignoring the below vulnerabilities, to be reviewed later
+CVE-2023-39017
+CVE-2023-2976 #Medium
+CVE-2023-33201 #Medium
diff --git a/pom.xml b/pom.xml
index b8c96ab..922a57b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.13</version>
+		<version>2.7.18</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.bahmni</groupId>
@@ -15,7 +15,10 @@
 	<description>event-router-service</description>
 	<properties>
 		<java.version>17</java.version>
-		<camel-spring-boot.version>3.20.6</camel-spring-boot.version>
+		<camel-spring-boot.version>3.21.2</camel-spring-boot.version>
+		<grpc.protobuf.version>1.53.0</grpc.protobuf.version>
+		<log4j.slf4j.version>2.17.1</log4j.slf4j.version>
+
 	</properties>
 	<dependencies>
 
@@ -28,10 +31,21 @@
 					<groupId>org.yaml</groupId>
 					<artifactId>snakeyaml</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.logging.log4j</groupId>
+					<artifactId>log4j-to-slf4j</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>ch.qos.logback</groupId>
+					<artifactId>logback-classic</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
-		<!-- Lombok dependency -->
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-slf4j-impl</artifactId>
+			<version>${log4j.slf4j.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>
@@ -67,6 +81,17 @@
 		<dependency>
 			<groupId>org.apache.camel.springboot</groupId>
 			<artifactId>camel-google-pubsub-starter</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>io.grpc</groupId>
+					<artifactId>grpc-protobuf</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-protobuf</artifactId>
+			<version>${grpc.protobuf.version}</version>
 		</dependency>
 
 		<dependency>
@@ -117,19 +142,6 @@
 				<version>${camel-spring-boot.version}</version>
 				<type>pom</type>
 				<scope>import</scope>
-				<exclusions>
-					<exclusion>
-						<groupId>org.apache.activemq</groupId>
-						<artifactId>activemq-openwire-legacy</artifactId>
-					</exclusion>
-				</exclusions>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.activemq</groupId>
-				<artifactId>activemq-openwire-legacy</artifactId>
-				<version>5.16.7</version>
-				<type>pom</type>
-				<scope>import</scope>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>