POM Organization & Dependency bumps
Merge Request: Dependency updates
Summary
Version tracking for all packages in pom.xml with updates noted.
Parent Properties
| Package | Original | Update |
|---|---|---|
| spring-security | 6.3.4 | 6.3.6 |
| openapi | 1.6.14 | 2.3.0 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| json-smart | 2.5.0 | 2.5.1 |
| docker.image.prefix | opendes | opendes |
| os-core-common | 3.3.0 | 3.3.0 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-boot | 3.3.7 | 3.3.7 |
| snakeyaml | 2.0 | managed by BOM |
| resilience4j | 1.7.0 | 1.7.0 |
| jackson | 2.16.1 | 2.16.1 |
| spring-boot-maven-plugin | 3.2.2 | managed by property |
| git-commit-id-plugin | 8.0.2 | managed by property |
Azure Provider Properties
| Package | Original | Update |
|---|---|---|
| core-lib-azure | 2.0.2 | 2.0.3 |
| gson | 2.11.0 | 2.11.0 |
| surefire-plugin | 3.0.0 | 3.0.0 |
| jacoco-plugin | 0.8.12 | 0.8.12 |
Resolved Vulnerabilities
org.springframework.security:spring-security-bom
- Vulnerability: CVE-2024-3839
- Severity: High
- Issue: Authorization bypass vulnerability in Spring Security
- Resolution: Upgraded from 6.3.4 to 6.3.6
net.minidev:json-smart
- Vulnerability: CVE-2024-1723
- Severity: High
- Issue: ReDoS (Regular Expression Denial of Service) vulnerability when parsing certain JSON inputs
- Resolution: Upgraded from 2.5.0 to 2.5.1
org.opengroup.osdu:core-lib-azure
- Vulnerability: CVE-2024-50379
- Severity: High
- Issue: Remote Code Execution due to TOCTOU issue in JSP compilation in Tomcat
- Resolution: Upgraded from 2.0.2 to 2.0.3, which includes Tomcat upgrade from 10.1.33 to 10.1.34
Additional Changes
- Improved POM organization with clearer property groupings in parent:
  - Normalized dependency management structure with clear BOM ordering
  - Moved version declarations to properties for better maintainability
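The property-driven layout and BOM ordering described above, as an added illustration rather than this project's actual pom.xml (the groupId, artifactId and project version are placeholders; the dependency versions are the updated values from the tables):

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>          <!-- placeholder, not the real coordinates -->
  <artifactId>parent-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- One pinned version per library: a security bump is a one-line change
         that every child module picks up. -->
    <spring-boot.version>3.3.7</spring-boot.version>
    <spring-security.version>6.3.6</spring-security.version>
    <json-smart.version>2.5.1</json-smart.version>
    <core-lib-azure.version>2.0.3</core-lib-azure.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Order matters: when two imported BOMs manage the same artifact,
           Maven keeps the FIRST one declared. Import the BOM that must win
           (here the patched spring-security-bom) before spring-boot-dependencies. -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
        <version>${spring-security.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- A direct managed entry overrides whatever any imported BOM manages,
           which is how a transitive library with a known fix gets pinned. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${json-smart.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After a bump, confirm the version that actually resolves with `mvn dependency:tree -Dincludes=net.minidev:json-smart` (or the coordinates of the library in question) rather than trusting the property value alone.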
Edited by Daniel Scholl (MS)