From 1bd160cabbed5719c8e09dcec0ade20b52549800 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Thu, 14 May 2026 10:14:58 -0700
Subject: [PATCH 1/2] Update Netty (#1376)

---
 gradle.properties | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index 037fddd143..d50ccd41cd 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -262,12 +262,10 @@ microsoftGraphVersion=6.59.0
 mssqlJdbcVersion=13.4.0.jre11
 
 # Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870
-nettyVersion=4.2.12.Final
+nettyVersion=4.2.13.Final
 # Reactor - transitive dependency via azure-core; force for version consistency across modules
 reactorCoreVersion=3.8.1
 
-mssqlJdbcVersion=13.2.1.jre11
-
 objenesisVersion=1.0
 
 opencsvVersion=2.3

From 48f83a53ea7ed8b9aa4f3df270b76be8ae393f3e Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 20 May 2026 11:22:57 -0700
Subject: [PATCH 2/2] Address Azure-related findings (#1383)

* Address Azure-related findings

* Suppress CVE-2025-15104

* Suppress more

* One more
---
 dependencyCheckSuppression.xml | 113 +++++++++++++++++++++++++++++++--
 gradle.properties              |   2 +-
 2 files changed, 110 insertions(+), 5 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 84bd7efb39..4ff8e59363 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -319,17 +319,122 @@
     -->
     <suppress>
         <notes><![CDATA[
-   file name: mcp-spring-webmvc-2.0.0-M3.jar
-   ]]></notes>
+    file name: mcp-spring-webmvc-2.0.0-M3.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
         <cpe>cpe:/a:vmware:server</cpe>
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: mcp-spring-webmvc-2.0.0-M3.jar
-   ]]></notes>
+    file name: mcp-spring-webmvc-2.0.0-M3.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
         <cpe>cpe:/a:vmware:vmware_server</cpe>
     </suppress>
 
+    <!--
+    False positives: OWASP checker seems to be confusing kiota libraries (https://github.com/microsoft/kiota-java)
+    with kiota tool (https://github.com/microsoft/kiota/)
+    -->
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-abstractions-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-abstractions@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-authentication-azure-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-authentication-azure@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-http-okHttp-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-http-okHttp@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-serialization-form-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-serialization-form@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-serialization-json-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-serialization-json@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-serialization-multipart-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-serialization-multipart@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: microsoft-kiota-serialization-text-1.9.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.kiota/microsoft-kiota-serialization-text@.*$</packageUrl>
+        <cve>CVE-2026-41134</cve>
+    </suppress>
+
+    <!--
+    Checker is confusing json-schema-validator with Nu Html Checker
+    -->
+    <suppress>
+        <notes><![CDATA[
+    file name: json-schema-validator-3.0.1.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.networknt/json-schema-validator@.*$</packageUrl>
+        <cve>CVE-2025-15104</cve>
+    </suppress>
+
+    <!--
+    CVE-2026-33117 against "Azure SDK for Java" might affect these libraries, but we ship the latest and our use case
+    (requiring server admins to provide credentials) is certainly not vulnerable. Newer versions may allow us to remove
+    this suppression.
+    -->
+    <suppress>
+        <notes><![CDATA[
+    file name: azure-core-1.58.0.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-core@.*$</packageUrl>
+        <cve>CVE-2026-33117</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: azure-core-http-netty-1.16.4.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-core-http-netty@.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: azure-identity-1.18.3.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_identity_sdk</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: azure-identity-1.18.3.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: azure-json-1.5.1.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index 9d618308c4..7a7c5bcdc3 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -105,7 +105,7 @@ apacheTomcatVersion=11.0.22
 asmVersion=9.9.1
 
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
-azureIdentityVersion=1.18.2
+azureIdentityVersion=1.18.3
 
 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately
 batikVersion=1.19