Merge 25.3 to 25.7

labkey-chrisj · labkey-chrisj · commit f1cf895eb360 · 2025-07-15T12:20:18.000-07:00
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -226,4 +226,26 @@
         <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
         <vulnerabilityName>CVE-2025-49146</vulnerabilityName>
     </suppress>
+
+    <!-- Currently no update is available for the old commons-lang component, so we must suppress. -->
+    <suppress>
+       <notes><![CDATA[
+       file name: commons-lang-2.6.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/commons-lang/commons-lang@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-48924</vulnerabilityName>
+    </suppress>
+    
+    <!--
+    GSON is getting flagged for "Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker 
+    to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of
+    uncontrolled recursion." Seems like a case of mistaken identity, so suppress it.
+    -->
+    <suppress>
+       <notes><![CDATA[
+       file name: gson-2.8.9.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-53864</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.42
+apacheTomcatVersion=10.1.43
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
