Merge branch 'resolve-package-vulnerbilities' into 'master'

upgrade the packages which have high and critical vulnerabilities

See merge request !83

NOTICE

@@ -18,7 +18,6 @@ The following software have components provided under the terms of this license:
 - Cobertura code coverage (from http://cobertura.sourceforge.net)
 - Plexus :: Default Container (from )
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
-- StAX (from http://stax.codehaus.org/)
 - oro (from )
 
 ========================================================================
@@ -232,16 +231,14 @@ The following software have components provided under the terms of this license:
 - Apache Commons Lang (from http://commons.apache.org/proper/commons-lang/)
 - Apache Commons Logging (from http://commons.apache.org/proper/commons-logging/)
 - Apache Commons Logging (from http://commons.apache.org/proper/commons-logging/)
+- Apache Commons Text (from http://commons.apache.org/proper/commons-text/)
 - Apache Commons Validator (from http://commons.apache.org/proper/commons-validator/)
 - Apache Geronimo JMS Spec 2.0 (from http://geronimo.apache.org/maven/${siteId}/${version})
 - Apache Groovy (from http://groovy-lang.org)
 - Apache Groovy (from http://groovy-lang.org)
-- Apache Groovy (from http://groovy-lang.org)
-- Apache HttpAsyncClient (from http://hc.apache.org/httpcomponents-asyncclient)
 - Apache HttpClient (from http://hc.apache.org/httpcomponents-client)
 - Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client)
 - Apache HttpCore (from http://hc.apache.org/httpcomponents-core-ga)
-- Apache HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
 - Apache Log4j API (from )
 - Apache Log4j Core (from )
 - Apache Log4j JUL Adapter (from )
@@ -272,6 +269,7 @@ The following software have components provided under the terms of this license:
 - Commons Digester (from http://commons.apache.org/digester/)
 - Commons IO (from http://commons.apache.org/io/)
 - Commons Lang (from http://commons.apache.org/lang/)
+- Commons Lang (from http://commons.apache.org/lang/)
 - Converter: Jackson (from )
 - Doxia :: APT Module (from )
 - Doxia :: Core (from )
@@ -281,8 +279,6 @@ The following software have components provided under the terms of this license:
 - Doxia :: Site Renderer (from http://maven.apache.org/doxia/doxia-sitetools/doxia-site-renderer/)
 - Doxia :: XDoc Module (from )
 - Doxia :: XHTML Module (from )
-- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
-- Elasticsearch: 5.0.0-alpha5 (from https://github.com/elastic/elasticsearch)
 - FindBugs-jsr305 (from http://findbugs.sourceforge.net/)
 - Google APIs Client Library for Java (from )
 - Google App Engine extensions to the Google HTTP Client Library for Java. (from )
@@ -301,7 +297,6 @@ The following software have components provided under the terms of this license:
 - Guava ListenableFuture only (from )
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
-- HPPC Collections (from http://labs.carrotsearch.com)
 - Hibernate Validator Engine (from )
 - IBM COS Java SDK for Amazon S3 (from https://github.com/ibm/ibm-cos-sdk-java)
 - IBM COS Java SDK for COS KMS (from https://github.com/ibm/ibm-cos-sdk-java)
@@ -329,7 +324,6 @@ The following software have components provided under the terms of this license:
 - Jackson-annotations (from http://github.com/FasterXML/jackson)
 - Jackson-core (from https://github.com/FasterXML/jackson-core)
 - Jackson-core (from https://github.com/FasterXML/jackson-core)
-- Jackson-dataformat-Smile (from http://github.com/FasterXML/jackson-dataformat-smile)
 - Jackson-dataformat-XML (from http://wiki.fasterxml.com/JacksonExtensionXmlDataBinding)
 - Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson)
 - Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson)
@@ -357,21 +351,6 @@ The following software have components provided under the terms of this license:
 - KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
 - KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
 - KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
-- Lucene Common Analyzers (from )
-- Lucene Core (from )
-- Lucene Grouping (from )
-- Lucene Highlighter (from )
-- Lucene Join (from )
-- Lucene Memory (from )
-- Lucene Memory (from )
-- Lucene Miscellaneous (from )
-- Lucene Queries (from )
-- Lucene QueryParsers (from )
-- Lucene Sandbox (from )
-- Lucene Spatial (from )
-- Lucene Spatial 3D (from )
-- Lucene Spatial Extras (from )
-- Lucene Suggest (from )
 - MapStruct Core (from )
 - Maven Artifact (from )
 - Maven Artifact Manager (from )
@@ -393,10 +372,11 @@ The following software have components provided under the terms of this license:
 - Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Log4j 2 Appender (from https://github.com/Microsoft/ApplicationInsights-Java)
+- Microsoft Azure Java Core Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Netty HTTP Client Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
-- Mockito (from http://www.mockito.org)
 - Mockito (from http://mockito.org)
+- Mockito (from http://www.mockito.org)
 - Mockito (from http://mockito.org)
 - Mojo's Maven plugin for Cobertura (from http://mojo.codehaus.org/cobertura-maven-plugin/)
 - Netty Reactive Streams Implementation (from )
@@ -404,6 +384,7 @@ The following software have components provided under the terms of this license:
 - Netty/Buffer (from http://netty.io/)
 - Netty/Codec (from )
 - Netty/Codec (from )
+- Netty/Codec (from )
 - Netty/Codec/HTTP (from )
 - Netty/Codec/HTTP (from )
 - Netty/Codec/HTTP2 (from )
@@ -447,7 +428,6 @@ The following software have components provided under the terms of this license:
 - Reactive Streams Netty driver (from https://github.com/reactor/reactor-netty)
 - Retrofit (from )
 - Servlet Specification 2.5 API (from )
-- Simple XML (from http://simple.sourceforge.net)
 - SnakeYAML (from http://www.snakeyaml.org)
 - Spring AOP (from https://github.com/spring-projects/spring-framework)
 - Spring Beans (from https://github.com/spring-projects/spring-framework)
@@ -482,25 +462,18 @@ The following software have components provided under the terms of this license:
 - Spring Transaction (from https://github.com/spring-projects/spring-framework)
 - Spring Web (from https://github.com/spring-projects/spring-framework)
 - Spring Web MVC (from https://github.com/spring-projects/spring-framework)
-- StAX (from http://stax.codehaus.org/)
-- StAX API (from http://stax.codehaus.org/)
-- T-Digest (from https://github.com/tdunning/t-digest)
 - Vavr (from http://vavr.io)
 - Vavr Match (from http://vavr.io)
 - Woodstox (from https://github.com/FasterXML/woodstox)
 - Xerces2-j (from https://xerces.apache.org/xerces2-j/)
 - aalto-xml (from )
-- aggs-matrix-stats (from https://github.com/elastic/elasticsearch)
-- cli (from https://github.com/elastic/elasticsearch)
 - com.google.api.grpc:grpc-google-cloud-pubsub-v1 (from https://github.com/googleapis/googleapis)
 - com.google.api.grpc:proto-google-cloud-logging-v2 (from https://github.com/googleapis/googleapis)
 - com.google.api.grpc:proto-google-cloud-pubsub-v1 (from https://github.com/googleapis/googleapis)
 - com.google.api.grpc:proto-google-common-protos (from https://github.com/googleapis/googleapis)
 - com.google.api.grpc:proto-google-iam-v1 (from https://github.com/googleapis/googleapis)
 - commons-collections (from )
-- compiler (from http://github.com/spullara/mustache.java)
 - datastore-v1-proto-client (from )
-- elasticsearch-core (from https://github.com/elastic/elasticsearch)
 - error-prone annotations (from )
 - error-prone annotations (from )
 - io.grpc:grpc-alts (from https://github.com/grpc/grpc-java)
@@ -518,6 +491,7 @@ The following software have components provided under the terms of this license:
 - jackson-databind (from http://github.com/FasterXML/jackson)
 - jackson-databind (from http://github.com/FasterXML/jackson)
 - jackson-databind (from http://github.com/FasterXML/jackson)
+- jackson-databind (from http://github.com/FasterXML/jackson)
 - java-cloudant (from https://cloudant.com)
 - java-cloudant (from https://cloudant.com)
 - javatuples (from http://www.javatuples.org)
@@ -535,13 +509,11 @@ The following software have components provided under the terms of this license:
 - jersey-media-json-jackson (from git://java.net/jersey~code/project/jersey-media-json-jackson)
 - jersey-spring4 (from )
 - jose4j (from https://bitbucket.org/b_c/jose4j/)
-- lang-mustache (from https://github.com/elastic/elasticsearch)
 - lettuce (from http://github.com/mp911de/lettuce/wiki)
 - micrometer-core (from https://github.com/micrometer-metrics/micrometer)
 - micrometer-registry-azure-monitor (from https://github.com/micrometer-metrics/micrometer)
 - org.xmlunit:xmlunit-core (from http://www.xmlunit.org/)
 - oro (from )
-- parent-join (from https://github.com/elastic/elasticsearch)
 - powermock-api-support (from )
 - powermock-core (from http://www.powermock.org)
 - powermock-module-junit4 (from http://www.powermock.org)
@@ -549,14 +521,10 @@ The following software have components provided under the terms of this license:
 - powermock-reflect (from )
 - proto-google-cloud-datastore-v1 (from https://github.com/googleapis/api-client-staging)
 - proton-j (from )
-- rank-eval (from https://github.com/elastic/elasticsearch)
 - resilience4j (from https://github.com/resilience4j/resilience4j)
 - resilience4j (from https://github.com/resilience4j/resilience4j)
 - resilience4j (from https://github.com/resilience4j/resilience4j)
-- rest (from https://github.com/elastic/elasticsearch)
-- rest-high-level (from https://github.com/elastic/elasticsearch)
 - rxjava (from https://github.com/ReactiveX/RxJava)
-- secure-sm (from https://github.com/elastic/elasticsearch)
 - spring-security-config (from http://spring.io/spring-security)
 - spring-security-core (from http://spring.io/spring-security)
 - spring-security-oauth2-client (from http://spring.io/spring-security)
@@ -580,7 +548,6 @@ The following software have components provided under the terms of this license:
 - tomcat-embed-core (from http://tomcat.apache.org/)
 - tomcat-embed-el (from http://tomcat.apache.org/)
 - tomcat-embed-websocket (from http://tomcat.apache.org/)
-- x-content (from https://github.com/elastic/elasticsearch)
 - xml-apis (from )
 
 ========================================================================
@@ -594,10 +561,8 @@ The following software have components provided under the terms of this license:
 - GAX (Google Api eXtensions) (from https://github.com/googleapis)
 - GAX (Google Api eXtensions) (from https://github.com/googleapis)
 - Hamcrest Core (from http://hamcrest.org/)
-- Lucene Common Analyzers (from )
 - Plexus :: Default Container (from )
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
-- StAX (from http://stax.codehaus.org/)
 - Stax2 API (from http://github.com/FasterXML/stax2-api)
 - jersey-ext-bean-validation (from )
 - jersey-spring4 (from )
@@ -628,9 +593,6 @@ The following software have components provided under the terms of this license:
 - JDOM (from http://www.jdom.org)
 - JSch (from http://www.jcraft.com/jsch/)
 - JavaBeans Activation Framework API jar (from )
-- Lucene Common Analyzers (from )
-- Lucene Core (from )
-- Lucene Suggest (from )
 - Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
@@ -761,6 +723,7 @@ The following software have components provided under the terms of this license:
 - Cobertura Limited Runtime (from http://cobertura.sourceforge.net)
 - Cobertura code coverage (from http://cobertura.sourceforge.net)
 - Commons Lang (from http://commons.apache.org/lang/)
+- Commons Lang (from http://commons.apache.org/lang/)
 - HK2 API module (from git://java.net/hk2~git/hk2-api)
 - HK2 Implementation Utilities (from )
 - HK2 Spring Bridge (from )
@@ -840,7 +803,6 @@ The following software have components provided under the terms of this license:
 
 - OSGi resource locator (from )
 - Project Lombok (from https://projectlombok.org)
-- SnakeYAML (from http://www.snakeyaml.org)
 - javax.ws.rs-api (from http://jax-rs-spec.java.net)
 
 ========================================================================
@@ -850,7 +812,7 @@ The following software have components provided under the terms of this license:
 
 - Cobertura code coverage (from http://cobertura.sourceforge.net)
 - Commons Lang (from http://commons.apache.org/lang/)
-- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
+- Commons Lang (from http://commons.apache.org/lang/)
 - Java Native Access (from https://github.com/java-native-access/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/)
@@ -897,11 +859,9 @@ The following software have components provided under the terms of this license:
 - Checker Qual (from https://checkerframework.org)
 - Checker Qual (from https://checkerframework.org)
 - Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
-- JOpt Simple (from http://pholser.github.io/jopt-simple)
 - JUL to SLF4J bridge (from http://www.slf4j.org)
 - Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Java JWT (from http://www.jwt.io)
-- Lucene Core (from )
 - Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
@@ -971,7 +931,6 @@ The following software have components provided under the terms of this license:
 - Spongy Castle (from http://rtyley.github.io/spongycastle/)
 - jersey-core-common (from )
 - jersey-core-server (from git://java.net/jersey~code/jersey-server)
-- reactive-streams (from http://www.reactive-streams.org/)
 
 ========================================================================
 SISSL-1.2
@@ -1012,7 +971,6 @@ The following software have components provided under the terms of this license:
 
 - AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
 - Apache Groovy (from http://groovy-lang.org)
-- Apache Groovy (from http://groovy-lang.org)
 - Asynchronous Http Client (from )
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
@@ -1024,8 +982,8 @@ The following software have components provided under the terms of this license:
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - Project Lombok (from https://projectlombok.org)
 - Spring Web (from https://github.com/spring-projects/spring-framework)
-- StAX API (from http://stax.codehaus.org/)
 - msal4j (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
+- reactive-streams (from http://www.reactive-streams.org/)
 - xml-apis (from )
 
 ========================================================================
@@ -1050,5 +1008,3 @@ The following software have components provided under the terms of this license:
 - jersey-media-jaxb (from )
 - jersey-spring4 (from )
 - xml-apis (from )
-
-

legal-core/pom.xml

 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
-    <parent>
+	<parent>
 		<groupId>org.opengroup.osdu.legal</groupId>
 		<artifactId>legal-service</artifactId>
 		<version>0.0.5-SNAPSHOT</version>
@@ -18,6 +18,7 @@
 
 	<properties>
 		<springfox-version>2.7.0</springfox-version>
+		<netty-codec-version>4.1.55.Final</netty-codec-version>
 	</properties>
 
 	<dependencies>
@@ -32,6 +33,12 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-jersey</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.glassfish.hk2</groupId>
+					<artifactId>osgi-resource-locator</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -55,7 +62,7 @@
 		<dependency>
 			<groupId>org.apache.tomcat.embed</groupId>
 			<artifactId>tomcat-embed-core</artifactId>
-			<version>9.0.21</version>
+			<version>9.0.40</version>
 		</dependency>
 
 		<!-- https://mvnrepository.com/artifact/javax.inject/javax.inject -->
@@ -89,7 +96,7 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.9.10</version>
+			<version>2.12.0</version>
 		</dependency>
 		<dependency>
 			<groupId>io.jsonwebtoken</groupId>
@@ -115,11 +122,17 @@
 			<artifactId>resilience4j-retry</artifactId>
 			<version>0.17.0</version>
 		</dependency>
-		<!-- https://mvnrepository.com/artifact/commons-lang/commons-lang -->
 		<dependency>
-			<groupId>commons-lang</groupId>
-			<artifactId>commons-lang</artifactId>
-			<version>2.6</version>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-text</artifactId>
+			<version>1.9</version>
+		</dependency>
+
+		<!--explicitly load latest compatible version with security fix in it-->
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-codec</artifactId>
+			<version>${netty-codec-version}</version>
 		</dependency>
 
 		<!-- Test Dependencies -->

legal-core/src/main/java/org/opengroup/osdu/legal/util/HtmlEncodeAdapter.java

 package org.opengroup.osdu.legal.util;
 
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import com.google.common.base.Strings;
 
 import javax.xml.bind.annotation.adapters.XmlAdapter;
@@ -12,7 +12,7 @@ public class HtmlEncodeAdapter extends XmlAdapter<String, String> {
         if(Strings.isNullOrEmpty(rawString))
             return "";
 
-        return StringEscapeUtils.escapeHtml(rawString);
+        return StringEscapeUtils.escapeHtml4(rawString);
     }
 
     @Override

pom.xml

@@ -10,6 +10,8 @@
         <docker.image.prefix>opendes</docker.image.prefix>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <os-core-common.version>0.3.23</os-core-common.version>
+        <snakeyaml.version>1.26</snakeyaml.version>
+        <spring-web.version>5.1.19.RELEASE</spring-web.version>
     </properties>
 
     <licenses>
@@ -23,7 +25,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.1.7.RELEASE</version>
+        <version>2.1.8.RELEASE</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
@@ -67,6 +69,31 @@
                 <groupId>org.opengroup.osdu</groupId>
                 <artifactId>os-core-common</artifactId>
                 <version>${os-core-common.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.elasticsearch</groupId>
+                        <artifactId>elasticsearch</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.elasticsearch.client</groupId>
+                        <artifactId>elasticsearch-rest-client</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.elasticsearch.client</groupId>
+                        <artifactId>elasticsearch-rest-high-level-client</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <!--explicitly load latest compatible version with security fix in it-->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>${snakeyaml.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-web</artifactId>
+                <version>${spring-web.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>

provider/legal-azure/pom.xml

@@ -33,11 +33,12 @@
         <azure.appservice.plan></azure.appservice.plan>
         <azure.appservice.appname></azure.appservice.appname>
         <azure.appservice.subscription></azure.appservice.subscription>
-        <osdu.corelibazure.version>0.0.42</osdu.corelibazure.version>
-        <osdu.oscorecommon.version>0.3.23</osdu.oscorecommon.version>
+        <osdu.corelibazure.version>0.0.48</osdu.corelibazure.version>
         <osdu.legal-core.version>0.0.5-SNAPSHOT</osdu.legal-core.version>
         <javax.inject.version>1</javax.inject.version>
         <javax.servlet-api.version>4.0.1</javax.servlet-api.version>
+        <woodstox-core.version>5.3.0</woodstox-core.version>
+        <tomcat-embed-core.version>9.0.40</tomcat-embed-core.version>
     </properties>
 
     <dependencyManagement>
@@ -57,21 +58,6 @@
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>os-core-common</artifactId>
-            <version>${osdu.oscorecommon.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.elasticsearch</groupId>
-                    <artifactId>elasticsearch</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.elasticsearch.client</groupId>
-                    <artifactId>elasticsearch-rest-client</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.elasticsearch.client</groupId>
-                    <artifactId>elasticsearch-rest-high-level-client</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.opengroup.osdu.legal</groupId>
@@ -126,18 +112,42 @@
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>core-lib-azure</artifactId>
             <version>${osdu.corelibazure.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.simpleframework</groupId>
+                    <artifactId>simple-xml</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
         </dependency>
 
+        <!--explicitly load latest compatible version with security fix in it-->
+        <dependency>
+            <groupId>com.fasterxml.woodstox</groupId>
+            <artifactId>woodstox-core</artifactId>
+            <version>${woodstox-core.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat-embed-core.version}</version>
+        </dependency>
+
         <!-- test -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.12</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

provider/legal-ibm/pom.xml

@@ -27,6 +27,12 @@
 			<artifactId>os-core-lib-ibm</artifactId>
 			<version>${os-core-lib-ibm.version}</version>
 		</dependency>
+		<!-- https://mvnrepository.com/artifact/net.minidev/json-smart -->
+		<dependency>
+			<groupId>net.minidev</groupId>
+			<artifactId>json-smart</artifactId>
+			<version>2.3</version>
+		</dependency>
 
 		<dependency>
 			<groupId>org.projectlombok</groupId>