From 8913a1befd285864dc7b16a8850cdb2dc6a14a3c Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Thu, 27 Mar 2025 14:21:34 -0700
Subject: [PATCH 1/5] Update commons VFS
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 867cecfccd..cba52e55d3 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -136,7 +136,7 @@ commonsMath3Version=3.6.1
 commonsPoolVersion=1.6
 commonsTextVersion=1.12.0
 commonsValidatorVersion=1.9.0
-commonsVfs2Version=2.7.0
+commonsVfs2Version=2.10.0
 datadogVersion=1.41.1
From b406c4695300f0d9888bfa6221a55c7fc3965e52 Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Mon, 31 Mar 2025 17:02:05 -0700
Subject: [PATCH 2/5] force version
---
 build.gradle | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/build.gradle b/build.gradle
index 4a5258118a..866fd4e302 100644
--- a/build.gradle
+++ b/build.gradle
@@ -195,6 +195,10 @@ allprojects {
 force "org.apache.logging.log4j:log4j-core:${log4j2Version}"
 force "org.apache.logging.log4j:log4j-api:${log4j2Version}"
 force "org.apache.logging.log4j:log4j-1.2-api:${log4j2Version}"
+ force "org.apache.commons.vfs2:FileContent:${commonsVfs2Version}"
+ force "org.apache.commons.vfs2:FileObject:${commonsVfs2Version}"
+ force "org.apache.commons.vfs2:FileSystemException:${commonsVfs2Version}"
+ force "org.apache.commons.vfs2:FileSystemManager:${commonsVfs2Version}"
 // force version for consistency with saml, query, LDK, and pipeline
 force "commons-lang:commons-lang:${commonsLangVersion}"
 // force version for consistency with workflow, api, SequenceAnalysis
From f87efbd7513ea8196e9b00b84b3288b2b3fc3767 Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Tue, 1 Apr 2025 08:39:26 -0700
Subject: [PATCH 3/5] suppress
---
 dependencyCheckSuppression.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index dcfd3f14af..35398824e1 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -1,6 +1,15 @@ + + + + ^pkg:maven/org.apache.commons/commons-vfs@.*$ + CVE-2025-27553 + +
Date: Tue, 1 Apr 2025 08:56:02 -0700
Subject: [PATCH 4/5] comment and regex
---
 dependencyCheckSuppression.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 35398824e1..94a2e6d3d7 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -1,12 +1,13 @@ - + - ^pkg:maven/org.apache.commons/commons-vfs@.*$ + ^pkg:maven/org\.apache\.commons/commons-vfs@.*$ CVE-2025-27553
From 13eeb8009011c09b7ced2d51094af76f70c08f8e Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Tue, 1 Apr 2025 11:30:22 -0700
Subject: [PATCH 5/5] update force version
---
 build.gradle | 5 +----
 dependencyCheckSuppression.xml | 10 ----------
 2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/build.gradle b/build.gradle
index 866fd4e302..2e2d45a83a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -195,10 +195,7 @@ allprojects {
 force "org.apache.logging.log4j:log4j-core:${log4j2Version}"
 force "org.apache.logging.log4j:log4j-api:${log4j2Version}"
 force "org.apache.logging.log4j:log4j-1.2-api:${log4j2Version}"
- force "org.apache.commons.vfs2:FileContent:${commonsVfs2Version}"
- force "org.apache.commons.vfs2:FileObject:${commonsVfs2Version}"
- force "org.apache.commons.vfs2:FileSystemException:${commonsVfs2Version}"
- force "org.apache.commons.vfs2:FileSystemManager:${commonsVfs2Version}"
+ force "org.apache.commons:commons-vfs2:${commonsVfs2Version}"
 // force version for consistency with saml, query, LDK, and pipeline
 force "commons-lang:commons-lang:${commonsLangVersion}"
 // force version for consistency with workflow, api, SequenceAnalysis
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 94a2e6d3d7..dcfd3f14af 100644
--- a/dependencyCheckSuppression.xml
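Review bot: The new `force "org.apache.commons:commons-vfs2:${commonsVfs2Version}"` line in the build.gradle hunk of patch 5/5 has no comment, unlike the `commons-lang` force below it, so nothing records that this pin appears to be security-motivated. Judging by the CVE-2025-27553 suppression that patches 3 to 5 add and then remove, the force presumably keeps transitive dependencies from resolving an older commons-vfs2; I would add `// force version so transitive dependencies cannot resolve a commons-vfs2 affected by CVE-2025-27553` above it. The removed suppression matched `commons-vfs@`, not `commons-vfs2@`, so it is worth confirming with `gradle dependencyInsight --dependency commons-vfs` that no module still resolves the older artifact now that the suppression is gone. The enclosing `allprojects` block starts and ends outside the hunk.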
+++ b/dependencyCheckSuppression.xml
@@ -1,16 +1,6 @@ - - - - ^pkg:maven/org\.apache\.commons/commons-vfs@.*$ - CVE-2025-27553 - -