build: update org.json:json to 20231013 patched version (#850)

Soy brings `org.json:json` as a transtivite dependency. Unfortunately, it brings https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20230618 which is affected by a HIGH CVE. There is no version of soy patched. I reported an issue: google/closure-templates#2128 This PR forces `org.json:json` to first patched version. I have verified with the sonatype scan gradle plugin this PR fixes the issue: http://localhost/sergiodelamo.com/blog/2024-08-08-sonatype-scan-gradle-plugin.html
micronaut-projects · Aug 8, 2024 · c929004 · c929004
1 parent bf02c8b
commit c929004
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -15,6 +15,7 @@ managed-jstachio = "1.3.6"
 managed-jte = "3.1.12"
 managed-rocker = "1.4.0"
 managed-soy = "2023-09-13"
+org-json = "20231013"
 managed-thymeleaf = "3.1.2.RELEASE"
 managed-velocity = "2.3"
 
@@ -47,6 +48,7 @@ managed-jte = { module = "gg.jte:jte", version.ref = "managed-jte" }
 managed-jte-kotlin = { module = "gg.jte:jte-kotlin", version.ref = "managed-jte" }
 managed-rocker-runtime = { module = "com.fizzed:rocker-runtime", version.ref = "managed-rocker" }
 managed-soy = { module = "com.google.template:soy", version.ref = "managed-soy" }
+org-json = { module = "org.json:json", version.ref = "org-json" }
 managed-thymeleaf = { module = "org.thymeleaf:thymeleaf", version.ref = "managed-thymeleaf" }
 managed-velocity-engine-core = { module = "org.apache.velocity:velocity-engine-core", version.ref = "managed-velocity" }
 

diff --git a/views-soy/build.gradle → views-soy/build.gradle.kts b/views-soy/build.gradle → views-soy/build.gradle.kts
@@ -1,12 +1,15 @@
 plugins {
-    id "io.micronaut.build.internal.views-module"
+    id("io.micronaut.build.internal.views-module")
 }
 
 dependencies {
     annotationProcessor(mnValidation.micronaut.validation.processor)
 
-    api projects.micronautViewsCore
-    api(libs.managed.soy)
+    api(projects.micronautViewsCore)
+    api(libs.managed.soy) {
+        exclude(group = "org.json", module = "json")
+    }
+    implementation(libs.org.json)
 
     compileOnly(mn.micronaut.management)
     compileOnly(mnValidation.micronaut.validation)
@@ -22,4 +25,4 @@ dependencies {
     testImplementation(mn.micronaut.management)
     testImplementation(mnValidation.micronaut.validation)
     testImplementation(mn.snakeyaml)
-}
+}