hypertrace · harshit-kumar-v2 · Mar 6, 2025 · Mar 5, 2025 · Mar 6, 2025 · Mar 6, 2025
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -54,3 +54,5 @@ jobs:
     steps:
       - name: Dependency Check
         uses: hypertrace/github-actions/dependency-check@main
+        with:
+          nvd-api-key: ${{ secrets.NVD_API_KEY }}
@@ -7,7 +7,7 @@ plugins {
   id("org.hypertrace.publish-plugin") version "1.0.2" apply false
   id("org.hypertrace.jacoco-report-plugin") version "0.2.1" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
-  id("org.owasp.dependencycheck") version "8.3.1"
+  id("org.owasp.dependencycheck") version "12.1.0"
 }
 
 subprojects {

@@ -1,3 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress until="2025-05-31Z">
+    <notes><![CDATA[
+   file name: micrometer-registry-prometheus-simpleclient-1.14.4.jar, fix not available yet
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-registry-prometheus-simpleclient@.*$</packageUrl>
+    <cve>CVE-2019-3826</cve>
+  </suppress>
 </suppressions> 
@@ -12,10 +12,12 @@ tasks.test {
 dependencies {
   api("com.typesafe:config:1.4.2")
   api("io.dropwizard.metrics:metrics-jakarta-servlet:4.2.25")
-  api("io.micrometer:micrometer-core:1.10.2")
+  api("io.micrometer:micrometer-core:1.14.4")
   api("jakarta.servlet:jakarta.servlet-api:6.0.0")
 
-  implementation("io.micrometer:micrometer-registry-prometheus:1.10.2")
+  // Using simpleclient flavour since with version >= 1.13.0 micrometer does not support io.prometheus.simpleclient dependencies
+  // https://github.com/micrometer-metrics/micrometer/wiki/1.13-Migration-Guide
+  implementation("io.micrometer:micrometer-registry-prometheus-simpleclient:1.14.4")
 
   implementation("io.github.mweirauch:micrometer-jvm-extras:0.2.2")
   implementation("org.slf4j:slf4j-api:1.7.36")