From 6ab0cbddbf28196716968c1205158ca461abb0d9 Mon Sep 17 00:00:00 2001 From: Susan Hert Date: Tue, 3 Jun 2025 14:04:48 -0700 Subject: [PATCH 1/2] Upgrade to Apache Tomcat 10.1.41 and suppress false positive CVEs from bzip2 (#1082) --- dependencyCheckSuppression.xml | 24 +++++++++++++++++++++++- gradle.properties | 2 +- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 5f8f9d157b..e05aa61253 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -194,5 +194,27 @@ ^pkg:maven/io\.github\.x-stream/mxparser@.*$ cpe:/a:xstream:xstream - + + + + + ^pkg:maven/org\.itadaki/bzip2@.*$ + CVE-2019-12900 + + + + ^pkg:maven/org\.itadaki/bzip2@.*$ + CVE-2010-0405 + + + + ^pkg:maven/org\.itadaki/bzip2@.*$ + CVE-2005-1260 + diff --git a/gradle.properties b/gradle.properties index d08eea9569..031eeeafe3 100644 --- a/gradle.properties +++ b/gradle.properties @@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7 apacheMinaVersion=2.2.4 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) -apacheTomcatVersion=10.1.40 +apacheTomcatVersion=10.1.41 # (mothership) -> json-path -> json-smart -> accessor-smart # (core) -> graalvm From bd3af0c234d19a1f3b663cf50364e59146a3429d Mon Sep 17 00:00:00 2001 From: Josh Eckels Date: Wed, 4 Jun 2025 16:06:43 -0700 Subject: [PATCH 2/2] Issue 53209: Allow externalModules folder to be dictated via application.properties file (#1083) --- server/configs/application.properties | 1 + .../src/org/labkey/embedded/LabKeyServer.java | 12 ++++++++++++ .../LabKeyTomcatServletWebServerFactory.java | 5 +++++ 3 files changed, 18 insertions(+) diff --git a/server/configs/application.properties b/server/configs/application.properties index 2cdc072243..8f85e56fca 100644 --- a/server/configs/application.properties +++ b/server/configs/application.properties 
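Review bot: The three new suppressions in dependencyCheckSuppression.xml repeat the same package URL pattern `^pkg:maven/org\.itadaki/bzip2@.*$`, once per CVE id, and the pattern matches every version of the artifact. Scoping each entry to a single CVE id rather than a CPE is the right granularity. The reason the findings do not apply should be recorded next to them in a `<notes>` element, if it is not already there. These CVE ids are filed against the C bzip2/libbzip2 code, and this artifact appears to be a separate Java implementation, which is worth confirming. The three blocks can also be folded into one `<suppress>` with three `<cve>` children so that the justification lives in one place. The element markup is not visible in this rendering of the hunk, so this is based only on the package URL and CVE values shown.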
@@ -58,6 +58,7 @@ context.encryptionKey=@@encryptionKey@@ #context.additionalWebapps.firstContextPath=/my/webapp/path #context.additionalWebapps.secondContextPath=/my/other/webapp/path +#context.externalModules=/path/to/external/modules/dir #context.requiredModules= #context.pipelineConfig=/path/to/pipeline/config/dir #context.serverGUID= diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java index 0ed7ce5d14..54057d5750 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java @@ -431,6 +431,8 @@ public static class ContextProperties private String contextPath = ""; private String pipelineConfig; private String requiredModules; + /** Path to external modules directory */ + private String externalModules; private boolean bypass2FA = false; private String serverGUID; private Integer httpPort; @@ -576,6 +578,16 @@ public void setRequiredModules(String requiredModules) this.requiredModules = requiredModules; } + public String getExternalModules() + { + return externalModules; + } + + public void setExternalModules(String externalModules) + { + this.externalModules = externalModules; + } + public boolean isBypass2FA() { return bypass2FA; diff --git a/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java b/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java index d70bb4b16f..a02a5312e1 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java 
@@ -175,6 +175,11 @@ protected TomcatWebServer getTomcatWebServer(Tomcat tomcat) { context.addParameter("requiredModules", contextProperties.getRequiredModules()); } + if (contextProperties.getExternalModules() != null) + { + // We've long supported configuring this via a system property so propagate the value + System.setProperty("labkey.externalModulesDir", contextProperties.getExternalModules()); + } if (contextProperties.getPipelineConfig() != null) { context.addParameter("org.labkey.api.pipeline.config", contextProperties.getPipelineConfig());
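Review bot: The new block in getTomcatWebServer copies `context.externalModules` into the JVM-wide `labkey.externalModulesDir` property after only a null check. An empty value from application.properties, or a value that differs from a `-Dlabkey.externalModulesDir` already given on the command line, therefore silently replaces the operator's setting. This directory presumably determines where module code is loaded from, so I would skip blank values and make the precedence explicit, for example `if (externalModules != null && !externalModules.isBlank() && System.getProperty("labkey.externalModulesDir") == null)`, or the reverse if the properties file is meant to win. The inline comment should state which source takes priority, for example `// application.properties value is used only when -Dlabkey.externalModulesDir is not set`. The enclosing method starts and ends outside the hunk.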