LabKey · labkey-willm · Apr 16, 2024 · Apr 13, 2024 · Apr 13, 2024 · Apr 14, 2024
diff --git a/build.gradle b/build.gradle
@@ -322,6 +322,9 @@ allprojects {
                     // Force snappy-java version for CVE-2023-43642. Remove once HTSJDK bumps its preferred version.
                     force "org.xerial.snappy:snappy-java:${snappyJavaVersion}"
 
+                    // Force consistency for dependencies from cloud
+                    force "joda-time:joda-time:${jodaTimeVersion}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -168,5 +168,16 @@
         <cpe>cpe:/a:apache:tomcat</cpe>
     </suppress>
 
+    <!--
+    suppress CVE-2024-23080 after jodaTime upgrade to 2.12.7, as still detected as 2.12.5
+    -->
+    <suppress>
+        <notes><![CDATA[
+   file name: joda-time-2.12.7.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
+    </suppress>
+
 </suppressions>
 
diff --git a/gradle.properties b/gradle.properties
@@ -114,8 +114,8 @@ asmVersion=9.6
 batikVersion=1.17
 
 # sync with Tika version (or later)
-bouncycastlePgpVersion=1.77
-bouncycastleVersion=1.77
+bouncycastlePgpVersion=1.78
+bouncycastleVersion=1.78
 
 cglibNodepVersion=2.2.3
 
@@ -214,7 +214,7 @@ jfreechartVersion=1.0.19
 
 jmockVersion=2.6.0
 
-jodaTimeVersion=2.8.1
+jodaTimeVersion=2.12.7
 
 # brought in transitively from guava and other google packages. Need to resolve consistently
 jsr305Version=3.0.2
@@ -287,7 +287,7 @@ springBootVersion=3.2.3
 # Also, keep this in sync with apacheTomcatVersion above
 springBootTomcatVersion=10.1.19
 
-springVersion=6.1.4
+springVersion=6.1.6
 
 sqliteJdbcVersion=3.45.1.0
 

diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
@@ -38,7 +38,12 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-actuator:${springBootVersion}"
     implementation "org.springframework.boot:spring-boot-starter-validation:${springBootVersion}"
 //    implementation "org.springframework.boot:spring-boot-starter-log4j2:${springBootVersion}"
-
+    // Force to use latest springVersion for CVE-2024-22262
+    implementation('org.springframework:spring-web') {
+        version {
+            strictly "${springVersion}"
+        }
+    }
     // Force to the latest Tomcat version until Spring Boot 2.7.17 is released and we can adopt it
     implementation('org.apache.tomcat.embed:tomcat-embed-core') {
         version {