From b160941e9f059b685784fb7f10d7b395ec6bb738 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 14 Jul 2025 12:20:26 -0700
Subject: [PATCH 1/2] Update a couple dependencies

---
 dependencyCheckSuppression.xml | 9 +++++++++
 gradle.properties              | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 0ec7e51890..7efb88b0f4 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -226,4 +226,13 @@
         <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
         <vulnerabilityName>CVE-2025-49146</vulnerabilityName>
     </suppress>
+
+    <!-- Currently no update is available for the old commons-lang component, so we must suppress. -->
+    <suppress>
+       <notes><![CDATA[
+       file name: commons-lang-2.6.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/commons-lang/commons-lang@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-48924</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index e50b5a045b..28f5f3cba4 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.42
+apacheTomcatVersion=10.1.43
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -130,7 +130,7 @@ commonsDbcpVersion=1.4
 commonsDigesterVersion=1.8.1
 commonsDiscoveryVersion=0.2
 commonsIoVersion=2.18.0
-commonsLang3Version=3.17.0
+commonsLang3Version=3.18.0
 commonsLangVersion=2.6
 commonsLoggingVersion=1.3.4
 commonsMath3Version=3.6.1

From a9baedd7c77e5a0754fa4d7d22cda5ce2c427c47 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 14 Jul 2025 14:06:24 -0700
Subject: [PATCH 2/2] Suppress GSON false positive

---
 dependencyCheckSuppression.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 7efb88b0f4..423ec9f23d 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -235,4 +235,17 @@
        <packageUrl regex="true">^pkg:maven/commons-lang/commons-lang@.*$</packageUrl>
        <vulnerabilityName>CVE-2025-48924</vulnerabilityName>
     </suppress>
+    
+    <!--
+    GSON is getting flagged for "Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker 
+    to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of
+    uncontrolled recursion." Seems like a case of mistaken identity, so suppress it.
+    -->
+    <suppress>
+       <notes><![CDATA[
+       file name: gson-2.8.9.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-53864</vulnerabilityName>
+    </suppress>
 </suppressions>