From fc04d03eab6a5c24ddd2d47aba24c636bc45dd18 Mon Sep 17 00:00:00 2001
From: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>
Date: Thu, 29 Jun 2023 16:57:28 +0300
Subject: [PATCH] chore: update flow to 24.0.11 and spring.boot to 3.0.8 (24.0)
(#4304)
* chore: update spring.boot to 3.0.8
This resolves the CVE reported against the spring-boot-web dependency, which depends on tomcat-embed-core: https://nvd.nist.gov/vuln/detail/CVE-2023-34981
* add one cve to exclude list
* Update versions.json
---
pom.xml | 2 +-
scripts/generateAndCheckSBOM.js | 2 ++
versions.json | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 0ecc608ab..a5a5738a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -19,7 +19,7 @@
17
17
2.0-SNAPSHOT
- 3.0.7
+ 3.0.8
5.9.1
11.0.13
diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
index 8f7c1a2ec..c5416f154 100755
--- a/scripts/generateAndCheckSBOM.js
+++ b/scripts/generateAndCheckSBOM.js
@@ -43,6 +43,8 @@ const licenseWhiteList = [
const cveWhiteList = {
// Check fix in vaadin-testbench/pom.xml, and update when Selenium is fixed
// 'pkg:maven/com.google.guava/guava@31.1-jre': ['CVE-2020-8908', 'CVE-2023-2976']
+ // based on the issue this is not a CVE https://github.com/FasterXML/jackson-databind/issues/3972
+ 'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2' : ['CVE-2023-35116']
}
const STYLE = `
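Review bot: The new cveWhiteList entry on the added line suppresses CVE-2023-35116 with only a link to the upstream issue as rationale; a suppression in an SBOM gate should also record when it was reviewed and what should trigger re-evaluation, otherwise it tends to outlive the reason it was added. Because the key is pinned to `jackson-databind@2.14.2`, upgrading that dependency will make the entry stop matching and the finding resurface, which is the safe direction, but it is worth saying so in the comment so the next maintainer does not simply bump the version in the key without re-checking. Suggested comment above the entry: `// CVE-2023-35116 is disputed upstream (see issue link); re-evaluate before carrying this over to a newer jackson-databind`. The space before the colon in `'…@2.14.2' : [` also differs from the commented-out example two lines above; `'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2': ['CVE-2023-35116'],` matches it, and the trailing comma keeps the next addition to a one-line diff.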