chore(deps): Security dependency remediation - Spring Boot 3.5.8 and library updates

Summary

Security dependency remediation to address 507 identified vulnerabilities by updating to patched library versions.

Closes #164

Changes

legal/pom.xml

  • os-core-common: 3.6.1 → trusted-agent-dep-remediation-20251205-SNAPSHOT
  • spring-boot: 3.3.11 → 3.5.8
  • spring-security: 6.3.6 → 6.5.7
  • spring-framework: 6.1.16 → 6.2.14
  • jackson-bom: 2.16.1 → 2.18.3
  • resilience4j: 1.7.0 → 1.7.1
  • gson: 2.10.1 → 2.11.0
  • commons-beanutils: 1.9.4 → 1.10.1
  • openapi: 2.3.0 → 2.8.6
  • Added netty-bom: 4.1.128.Final
  • spring-boot-maven-plugin: 3.2.2 → 3.5.8

legal-core/pom.xml

  • commons-text: 1.10.0 → 1.13.0
  • lettuce-core: 6.3.2.RELEASE → 6.5.2.RELEASE
  • maven-surefire-plugin: 3.0.0 → 3.5.2
  • Added junit-vintage-engine dependency for JUnit 4 test compatibility

legal-azure/pom.xml

  • core-lib-azure: 2.2.6 → trusted-agent-dep-remediation-20251205-SNAPSHOT
  • surefire-plugin: 3.0.0 → 3.5.2
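As an added example (not part of this merge request or the project's code), the script below reads a pom.xml `<properties>` block and reports every `*.version` property that is still below the patched target taken from the change list above, so the remediation can be re-checked after a rebase. The target versions are the ones listed in this MR; the property names and the sample pom are constructed assumptions. Versions are compared numerically component by component, with Maven-style qualifiers (RELEASE, Final, SNAPSHOT) handled so that a SNAPSHOT never counts as meeting a release target.

```python
"""Report Maven version properties that are still below the patched targets.

Added example, not project code. Property names and the sample pom are
constructed assumptions; the target versions come from the MR change list.
"""
import re
import xml.etree.ElementTree as ET

# Patched versions from the MR description (assumed property names).
TARGET_VERSIONS = {
    "spring-boot.version": "3.5.8",
    "spring-security.version": "6.5.7",
    "spring-framework.version": "6.2.14",
    "jackson-bom.version": "2.18.3",
    "lettuce-core.version": "6.5.2.RELEASE",
    "netty-bom.version": "4.1.128.Final",
}

# Constructed sample pom: two properties already patched, three still old,
# and netty-bom not declared at all.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring-boot.version>3.3.11</spring-boot.version>
    <spring-security.version>6.5.7</spring-security.version>
    <spring-framework.version>6.2.14</spring-framework.version>
    <jackson-bom.version>2.16.1</jackson-bom.version>
    <lettuce-core.version>6.3.2.RELEASE</lettuce-core.version>
  </properties>
</project>"""


def version_key(version):
    """Map '3.5.8', '6.3.2.RELEASE', '4.1.128.Final' or '3.5.8-SNAPSHOT'
    to a tuple that compares numerically (so 3.5.10 > 3.5.9).
    Rank: SNAPSHOT < other qualifier (rc, beta, ...) < release/no qualifier."""
    nums = []
    qualifier = ""
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    nums += [0] * (4 - len(nums))  # pad so 3.5.8 == 3.5.8.0
    if version.upper().endswith("SNAPSHOT"):
        rank = 0
    elif qualifier.upper() in ("", "RELEASE", "FINAL", "GA"):
        rank = 2
    else:
        rank = 1
    return (tuple(nums[:4]), rank)


def declared_versions(pom_xml):
    """Collect <properties> children named *.version, ignoring the POM namespace."""
    root = ET.fromstring(pom_xml)
    found = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "properties":
            continue
        for prop in el:
            name = prop.tag.split("}")[-1]
            if name.endswith(".version") and prop.text:
                found[name] = prop.text.strip()
    return found


def find_outdated(pom_xml, targets=TARGET_VERSIONS):
    """Return {property: (declared_or_None, target)} for every target not met.
    A missing property is reported too, since it cannot be verified."""
    declared = declared_versions(pom_xml)
    outdated = {}
    for name, target in targets.items():
        current = declared.get(name)
        if current is None or version_key(current) < version_key(target):
            outdated[name] = (current, target)
    return outdated


if __name__ == "__main__":
    for name, (current, target) in sorted(find_outdated(SAMPLE_POM).items()):
        print(f"{name}: {current or '<not declared>'} -> needs {target}")
```

Run against a real pom by replacing SAMPLE_POM with the file contents; properties that reference other properties (`${...}`) are not expanded, so those still need `mvn help:effective-pom` to resolve.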

Test Compatibility Fix: JUnit Vintage Engine

The upgrade to Spring Boot 3.5.8 brings JUnit Platform 1.12.x, which requires an explicit junit-vintage-engine dependency for JUnit 4 tests to be discovered.

Problem: After upgrading, tests failed with "OutputDirectoryProvider not available" due to JUnit Platform version mismatch.

Fix: Added junit-vintage-engine as a test dependency (version managed by Spring Boot BOM):

<dependency>
    <groupId>org.junit.vintage</groupId>
    <artifactId>junit-vintage-engine</artifactId>
    <!-- no <version>: resolved from the Spring Boot dependency BOM -->
    <scope>test</scope>
</dependency>

This allows JUnit 4 tests to run on the JUnit 5 platform.

CVEs Addressed

Critical/High Priority

  • CVE-2025-24813: Tomcat RCE
  • CVE-2025-22235: Spring Boot security bypass
  • CVE-2025-41249: Spring Core authorization bypass
  • CVE-2025-41248: Spring Security authorization bypass
  • CVE-2025-41242: Spring WebMVC path traversal
  • CVE-2019-20444: Netty HTTP Request Smuggling
  • CVE-2025-24970: Netty native crash via SSL
  • CVE-2025-58057: Netty codec DoS

Via Library Updates

  • CVE-2023-52428, CVE-2025-53864: nimbus-jose-jwt DoS
  • CVE-2024-47535: lettuce-core vulnerability
  • CVE-2025-22227: reactor-netty credential leak
  • CVE-2025-11226: Logback ACE
  • CVE-2025-48924: Commons Lang3 DoS

Testing

  • All 336 legal-core unit tests passing locally
  • All 27 legal-azure unit tests passing locally
  • Total: 363 tests, 0 failures
  • CI pipeline build
  • Integration tests

Notes

  • Snapshot versions used for validation - will be updated to release versions once libraries are published
  • Testing modules (legal-test-*) are out of scope for this MR - will be addressed separately
Edited by Daniel Scholl (MS)
