SDIT-1677: ⬆️ Upgrade to latest spring boot (#572)

* SDIT-1677: ⬆️ Upgrade to latest spring boot

* SDIT-1677: 🔒️ Remove custom suppressions as spring boot now upgraded

.trivyignore

@@ -1,6 +1,15 @@
-# Suppression for spring-security: Broken Access Control With Direct Use of AuthenticatedVoter as we don't use it
-CVE-2024-22257
-
-# Suppression for springframework: URL Parsing with Host Validation
-# Can't upgrade to spring boot 3.2.4 at present - see https://github.com/spring-projects/spring-framework/issues/32510
-CVE-2024-22259
+# WARNING - THIS FILE WAS GENERATED BY THE dps-gradle-spring-boot GRADLE PLUGIN
+#           AND ANY MANUAL CHANGES WILL BE OVERRIDDEN ON YOUR NEXT BUILD.
+#
+# To make general changes to the suppressions below, change the gradle plugin dps-gradle-spring-boot,
+# publish a new version and update to the new version in your gradle build script
+#
+# To stop the dps-gradle-spring-boot project from overwriting any project specific customisations here, remove the
+# warning at the top of this file.
+#
+# Suppression for h2 2.1.214 password on command line vulnerability
+#   can be suppressed as we only run h2 locally and not on build environments
+CVE-2022-45868
+# Suppression for logback-classic and logback-core as we don't let third parties control our appenders.
+# See https://logback.qos.ch/news.html#1.3.12 for further information.
+CVE-2023-6378

build.gradle.kts

@@ -5,18 +5,11 @@ import org.jlleitschuh.gradle.ktlint.tasks.KtLintFormatTask
 import org.openapitools.generator.gradle.plugin.tasks.GenerateTask
 
 plugins {
-  id("uk.gov.justice.hmpps.gradle-spring-boot") version "5.15.3"
-  kotlin("plugin.spring") version "1.9.22"
-  id("org.openapi.generator") version "7.4.0"
+  id("uk.gov.justice.hmpps.gradle-spring-boot") version "5.15.6"
+  kotlin("plugin.spring") version "1.9.23"
+  id("org.openapi.generator") version "7.5.0"
 }
 
-dependencyCheck {
-  // Suppression till can upgrade to 3.2.5
-  suppressionFiles.add("spring-suppressions.xml")
-}
-// Temporarily pin as can't upgrade to latest gradle plugin
-ext["netty.version"] = "4.1.108.Final"
-
 configurations {
   implementation { exclude(module = "spring-boot-starter-web") }
   implementation { exclude(module = "spring-boot-starter-tomcat") }
@@ -26,32 +19,32 @@ configurations {
 dependencies {
   implementation("uk.gov.justice.service.hmpps:hmpps-kotlin-spring-boot-starter:0.2.2")
   implementation("org.springframework.boot:spring-boot-starter-webflux")
-  implementation("uk.gov.justice.service.hmpps:hmpps-sqs-spring-boot-starter:3.1.1")
+  implementation("uk.gov.justice.service.hmpps:hmpps-sqs-spring-boot-starter:3.1.2")
   implementation("org.springframework.boot:spring-boot-starter-data-r2dbc")
 
-  implementation("org.springdoc:springdoc-openapi-starter-webflux-ui:2.4.0")
+  implementation("org.springdoc:springdoc-openapi-starter-webflux-ui:2.5.0")
 
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor")
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-jdk8")
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-jdk9")
 
-  runtimeOnly("org.postgresql:r2dbc-postgresql:1.0.4.RELEASE")
+  runtimeOnly("org.postgresql:r2dbc-postgresql:1.0.5.RELEASE")
   runtimeOnly("org.springframework.boot:spring-boot-starter-jdbc")
   runtimeOnly("org.postgresql:postgresql:42.7.3")
   implementation("org.flywaydb:flyway-core")
 
-  implementation("io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations:1.32.0")
+  implementation("io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations:1.33.1")
 
-  testImplementation("io.swagger.parser.v3:swagger-parser:2.1.21") {
+  testImplementation("io.swagger.parser.v3:swagger-parser:2.1.22") {
     exclude(group = "io.swagger.core.v3")
   }
-  testImplementation("io.swagger.core.v3:swagger-core-jakarta:2.2.20")
+  testImplementation("io.swagger.core.v3:swagger-core-jakarta:2.2.21")
   testImplementation("io.jsonwebtoken:jjwt-impl:0.12.5")
   testImplementation("io.jsonwebtoken:jjwt-jackson:0.12.5")
 
-  testImplementation("org.wiremock:wiremock-standalone:3.4.2")
+  testImplementation("org.wiremock:wiremock-standalone:3.5.3")
   testImplementation("org.testcontainers:localstack:1.19.7")
-  testImplementation("com.amazonaws:aws-java-sdk-core:1.12.681")
+  testImplementation("com.amazonaws:aws-java-sdk-core:1.12.704")
   testImplementation("org.awaitility:awaitility-kotlin:4.2.1")
   testImplementation("org.testcontainers:postgresql:1.19.7")
   testImplementation("io.mockk:mockk:1.13.10")

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

helm_deploy/hmpps-prisoner-from-nomis-migration/Chart.yaml

@@ -5,7 +5,7 @@ name: hmpps-prisoner-from-nomis-migration
 version: 0.2.0
 dependencies:
   - name: generic-service
-    version: "3.0"
+    version: "3.1"
     repository: https://ministryofjustice.github.io/hmpps-helm-charts
   - name: generic-prometheus-alerts
     version: "1.4"