From c9e7d9d6c9c8692bf931b3eba6b97b956e873544 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Wed, 25 Feb 2026 15:42:36 +0000
Subject: [PATCH] deps (#5796)

---
 app/core/build.gradle | 4 ++++
 build.gradle | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/app/core/build.gradle b/app/core/build.gradle
index e03c487d5..329e2e23e 100644
--- a/app/core/build.gradle
+++ b/app/core/build.gradle
@@ -76,6 +76,8 @@ dependencies {
 implementation "org.apache.pdfbox:xmpbox:$pdfboxVersion"
 implementation 'org.verapdf:validation-model:1.28.2'
+ // CVE-2025-66453: Explicit rhino 1.7.15 to override verapdf's 1.7.13
+ implementation 'org.mozilla:rhino:1.7.15'
 // veraPDF still uses javax.xml.bind, not the new jakarta namespace
 implementation 'javax.xml.bind:jaxb-api:2.3.1'
@@ -89,6 +91,8 @@ dependencies {
 exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
 exclude group: 'com.google.code.gson', module: 'gson'
 }
+ // CVE-2022-25647: Explicit gson 2.8.9 to prevent unsafe deserialization (tabula would pull 2.8.7)
+ implementation 'com.google.code.gson:gson:2.8.9'
 implementation 'org.apache.pdfbox:jbig2-imageio:3.0.4'
 implementation 'com.opencsv:opencsv:5.12.0' // https://mvnrepository.com/artifact/com.opencsv/opencsv
 implementation 'org.apache.poi:poi-ooxml:5.5.1'
diff --git a/build.gradle b/build.gradle
index 2a5b32fe4..bab884a60 100644
--- a/build.gradle
+++ b/build.gradle
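Review bot: The rhino override at `+ implementation 'org.mozilla:rhino:1.7.15'` turns rhino into a direct dependency of app/core although the comment says it exists only to lift verapdf's transitive 1.7.13, and the same pin is repeated as a `resolutionStrategy.force` in the root build.gradle hunk, so the version now lives in two places that have to be bumped together; the gson line in the next hunk has the same duplication. Gradle's form for overriding a transitive version without adding a direct dependency is a constraint with a recorded reason, e.g. `constraints { implementation('org.mozilla:rhino:1.7.15') { because 'CVE-2025-66453' } }`, which also surfaces the reason in `dependencyInsight` output. Whether rhino 1.7.15 is compatible with validation-model 1.28.2 is not established by the hunk; once that is checked, a comment such as `// verified against verapdf validation-model 1.28.2` would record it. The enclosing dependencies block starts and ends outside the hunk.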
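Review bot: The comment `+ // CVE-2022-25647: ... (tabula would pull 2.8.7)` does not agree with the context directly above it, where `exclude group: 'com.google.code.gson', module: 'gson'` already strips gson from that dependency; assuming the closing `}` belongs to the tabula declaration (its opening line is outside the hunk), the explicit 2.8.9 is not overriding 2.8.7 but supplying a gson that the exclusion removed entirely. Rewording to `// CVE-2022-25647: gson is excluded from tabula above; supply 2.8.9 explicitly so tabula does not run without it` keeps the comment truthful for the next maintainer. The dependencies block continues outside the hunk.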
@@ -188,6 +188,21 @@ subprojects {
 // google-java-format 1.34+ requires Guava 33.x (ImmutableSortedMapFauxverideShim);
 // force it here so Spotless's FeatureClassLoader resolves the correct version.
 resolutionStrategy.force 'com.google.guava:guava:33.4.8-jre'
+
+ // Security CVE fixes - hardcoded resolution strategy to ensure safe versions
+ // Primary fixes via explicit dependencies in app/core/build.gradle:
+ // - CVE-2022-25647: gson 2.8.9+ (explicit dependency overrides tabula 2.8.7)
+ // - CVE-2025-66453: rhino 1.7.15 (explicit dependency overrides verapdf 1.7.13)
+ // Fallback strategy force declarations for additional safety:
+ resolutionStrategy.force 'com.google.code.gson:gson:2.8.9'
+ resolutionStrategy.force 'org.mozilla:rhino:1.7.15'
+ // CVE-2025-48924: commons-lang3 3.20.0 DoS prevention
+ resolutionStrategy.force 'org.apache.commons:commons-lang3:3.20.0'
+ // CVE-2024-47554: commons-io 2.21.0 DoS prevention
+ resolutionStrategy.force 'commons-io:commons-io:2.21.0'
+ // Bouncycastle 1.83 (from bouncycastleVersion variable)
+ resolutionStrategy.force 'org.bouncycastle:bcprov-jdk18on:1.83'
+ resolutionStrategy.force 'org.bouncycastle:bcpkix-jdk18on:1.83'
 }
 dependencyManagement {
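Review bot: The comment `+ // Bouncycastle 1.83 (from bouncycastleVersion variable)` is contradicted by the two lines beneath it, which hardcode `1.83` in single-quoted strings, so a later change to bouncycastleVersion would silently leave the forced version behind; the repository already uses GString interpolation (`$pdfboxVersion` in the app/core hunk), so `resolutionStrategy.force "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"` and `resolutionStrategy.force "org.bouncycastle:bcpkix-jdk18on:$bouncycastleVersion"` keep comment and code in step. More generally, `force` overrides every consumer unconditionally and does not fail the build when a transitive dependency later asks for a higher commons-lang3 or commons-io, so these pins can quietly downgrade; a `constraints` entry with `version { strictly '...' }` and `because 'CVE-...'` records the reason and fails loudly on conflict. Forcing `bcprov-jdk18on` also does nothing for the `bcprov-jdk15on` artifact excluded in the app/core hunk, since they are different coordinates, so any module still bringing jdk15on in is not replaced here. The subprojects block starts and continues outside the hunk.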