Merge branch 'develop'

build.gradle

@@ -240,6 +240,9 @@ allprojects {
                     force "com.google.http-client:google-http-client-apache-v2:${googleHttpClientVersion}"
                     force "com.google.http-client:google-http-client-gson:${googleHttpClientVersion}"
 
+                    // FileTransfer depends on this directly; WNPRC_EHR and GoogleDrive bring a different version in transitively.
+                    force "com.google.oauth-client:google-oauth-client:${googleOauthClientVersion}"
+
                     // Google HTTP Client Library and Guava bring in different versions; force the latest
                     force "com.google.errorprone:error_prone_annotations:${googleErrorProneAnnotationsVersion}"
                     // Force patched version of GPRC, dependency of a number of Google service APIs in WNPRC and fileTransfer

dependencyCheckSuppression.xml

@@ -49,15 +49,6 @@
         <cve>CVE-2021-39491</cve>
     </suppress>
 
-    <!-- Prevent match against unrelated JSON library -->
-    <suppress>
-        <notes><![CDATA[
-   file name: json-20230227.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-
     <!--
     GWT uses Protobuf internally but doesn't expose it, meaning the handful of CVEs in 2.5.0 are not a concern.
     https://github.com/gwtproject/gwt/issues/9778
@@ -72,28 +63,6 @@
         <vulnerabilityName>CVE-2021-22569</vulnerabilityName>
     </suppress>
 
-    <!-- Guava has deprecated the problematic com.google.common.io.Files.createTempDir(), the topic of this CVE,
-     and we don't call it. https://github.com/google/guava/issues/4011 -->
-    <suppress>
-        <notes><![CDATA[
-   file name: guava-31.1-jre.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
-    </suppress>
-
-    <!--
-    Actually packages MINA 2.2.1 but dependency check confuses the version number.
-    https://search.maven.org/artifact/org.apache.directory.api/api-parent/2.1.3/jar?eh=
-     -->
-    <suppress>
-        <notes><![CDATA[
-   file name: api-all-2.1.3.jar (shaded: org.apache.directory.api:api-ldap-net-mina:2.1.3)
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.api/api\-ldap\-net\-mina@.*$</packageUrl>
-        <cve>CVE-2021-41973</cve>
-    </suppress>
-
     <!-- Tangled CVEs. See https://github.com/jeremylong/DependencyCheck/issues/4614 and https://github.com/OSSIndex/vulns/issues/316 -->
     <suppress>
         <notes><![CDATA[
@@ -103,7 +72,6 @@
         <vulnerabilityName>CVE-2017-10355</vulnerabilityName>
     </suppress>
 
-
     <!--
      We don't use any classes from org.springframework.remoting.httpinvoker like HttpInvokerServiceExporter
      https://github.com/spring-projects/spring-framework/issues/24434
@@ -117,7 +85,6 @@
         <vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
     </suppress>
 
-
     <!--
     For our purposes, Random is good enough, and not worth publishing our own version of the artifact that uses
     SecureRandom. https://github.com/penggle/kaptcha/issues/3
@@ -139,7 +106,6 @@
         <cve>CVE-2016-3093</cve>
     </suppress>
 
-
     <!-- False positive - we're not bundling Windows PGP -->
     <suppress>
         <notes><![CDATA[
@@ -192,7 +158,6 @@
         <cve>CVE-2022-3421</cve>
     </suppress>
 
-
     <!--
     This is a dependency of Java-FPDF, used by the WNPRC billing module for PDF generation, which hasn't been updated
     to reference the now-renamed Commons Imaging library instead of the old Sanselan incubator. The CVE is related
@@ -236,15 +201,6 @@
         <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
 
-    <!-- False positive. We're using MINA Core. The vulnerability is in MINA's SSHD-Core, which we don't use. -->
-    <suppress>
-        <notes><![CDATA[
-   file name: mina-core-2.2.1.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
-        <cve>CVE-2023-35887</cve>
-    </suppress>
-
     <!-- The CVE is against Quartz Jobs, not the core Quartz library, so this is a false positive given our actual dependency.
      For additional info see: Issue #48405
     -->
@@ -259,52 +215,6 @@
         <cpe>cpe:/a:softwareag:quartz</cpe>
     </suppress>
 
-    <!--
-    The CVE has a low impact (DDOS) and targets older versions of Postgres (<= v12.2), not the JDBC driver itself.
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: postgresql-42.6.0.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-21469</vulnerabilityName>
-    </suppress>
-
-    <!--
-    Netty doesn't turn on cert checking by default, so this gets flagged periodically. per the linked discussion
-    this should be handled/enabled when configuring the client to use https.
-     For more info see: https://github.com/jeremylong/DependencyCheck/issues/5912#issuecomment-1699363391 and the subsequent rabbit-hole.
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: netty-handler-4.1.100.Final.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-    </suppress>
-
-    <!--
-    json-java versioning does not work with cpe; suppressing specifically for CVE-2023-5072
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: json-20231013.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
-        <cve>CVE-2023-5072</cve>
-    </suppress>
-
-    <!--
-    false-positive CVE as per https://github.com/dom4j/dom4j/issues/171
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: dom4j-2.1.4.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-45960</vulnerabilityName>
-    </suppress>
-
     <!--
     GraalJS shaded and re-versioned icu4j without changing the file name, leading to many old CVEs getting tagged.
     This should be fixed soon, but suppress all CVEs for now. https://github.com/oracle/graal/issues/8204

gradle.properties

@@ -160,8 +160,8 @@ fopVersion=2.9
 googleAutoValueAnnotationsVersion=1.10.4
 googleErrorProneAnnotationsVersion=2.24.1
 googleHttpClientVersion=1.43.3
-googleOauthClientVersion=1.34.1
-googleProtocolBufVersion=3.25.1
+googleOauthClientVersion=1.35.0
+googleProtocolBufVersion=3.25.2
 
 graalVersion=23.1.2
 
@@ -171,7 +171,7 @@ graalVersion=23.1.2
 # "java.lang.NoSuchMethodError: 'void com.google.gson.internal.ConstructorConstructor.<init>(java.util.Map)'" errors
 gsonVersion=2.8.9
 
-grpcVersion=1.60.1
+grpcVersion=1.61.0
 
 guavaVersion=33.0.0-jre
 gwtVersion=2.11.0
@@ -238,13 +238,13 @@ lombokVersion=1.18.24
 
 luceneVersion=9.9.1
 
-mysqlDriverVersion=8.2.0
-
 mssqlJdbcVersion=12.4.2.jre11
 
+mysqlDriverVersion=8.3.0
+
 # forced compatibility between docker and UserReg-
 # update version in modules/UserReg-WS/gradle.properties as well
-nettyVersion=4.1.104.Final
+nettyVersion=4.1.106.Final
 
 objenesisVersion=1.0
 
@@ -290,8 +290,7 @@ springBootTomcatVersion=10.1.18
 
 springVersion=6.1.3
 
-# Do not upgrade until BaseDaoImpl stops calling getGeneratedKeys()
-sqliteJdbcVersion=3.42.0.1
+sqliteJdbcVersion=3.45.0.0
 
 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.
 stax2ApiVersion=4.2.1