From e4648e570d6aafd10a9cb9f9681de3855982f52b Mon Sep 17 00:00:00 2001
From: Brian Demers <bdemers@apache.org>
Date: Fri, 10 May 2019 13:31:58 -0400
Subject: [PATCH] Update dependency versions and suppress OWASP false positives

---
 pom.xml                         |  6 +++---
 src/owasp/owasp-suppression.xml | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 63a37d3d8..1f95b15cf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,10 +31,10 @@
     <packaging>pom</packaging>
 
     <properties>
-        <spring-boot.version>2.1.2.RELEASE</spring-boot.version>
-        <spring-cloud.version>2.0.2.RELEASE</spring-cloud.version>
+        <spring-boot.version>2.1.4.RELEASE</spring-boot.version>
+        <spring-cloud.version>2.1.2.RELEASE</spring-cloud.version>
         <github.slug>okta/okta-spring-boot</github.slug>
-        <okta.sdk.version>1.4.1</okta.sdk.version>
+        <okta.sdk.version>1.5.2</okta.sdk.version>
         <okta.commons.version>1.1.1</okta.commons.version>
     </properties>
 
diff --git a/src/owasp/owasp-suppression.xml b/src/owasp/owasp-suppression.xml
index 933f9ae03..6a5de883d 100644
--- a/src/owasp/owasp-suppression.xml
+++ b/src/owasp/owasp-suppression.xml
@@ -113,4 +113,28 @@
         <cpe>cpe:/a:netty_project:netty</cpe>
     </suppress>
 
+    <!-- https://pivotal.io/security/cve-2018-1258
+         Update to 5.0.5.RELEASE+ or Spring Boot 2.0.2.RELEASE+
+         (Wrong version detected by OWASP plugin) -->
+    <suppress>
+        <notes><![CDATA[ file name: spring-security-core-5.1.5.RELEASE.jar ]]></notes>
+        <gav regex="true">^org\.springframework\.security:spring-security-.*:5.1.*$</gav>
+        <cve>CVE-2018-1258</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[ file name: spring-boot-starter-security-2.1.4.RELEASE.jar ]]></notes>
+        <gav regex="true">^org\.springframework\.boot:spring-boot-starter-security:2.1.*$</gav>
+        <cve>CVE-2018-1258</cve>
+    </suppress>
+
+    <!-- https://nvd.nist.gov/vuln/detail/CVE-2019-0232
+         https://tomcat.apache.org/security-9.html#Apache_Tomcat_9.x_vulnerabilities
+         Windows + CGI issue, CGI is disabled by default, and we are only using tomcat in our ITs.
+    -->
+    <suppress>
+        <notes><![CDATA[ file name: tomcat-embed-core-9.0.17.jar ]]></notes>
+        <gav regex="true">^org\.apache\.tomcat\.embed:tomcat-embed-.*:.*$</gav>
+        <cve>CVE-2019-0232</cve>
+    </suppress>
+
 </suppressions>
\ No newline at end of file