upgraded os-core-common for all providers and sanitized the poms for all providers
In order to fix the spring-web, spring-core and spring-security vulnerabilities:
- https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35639
- https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35635
- https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35633
- https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35105
Incorporated the os-core-common spring6 version 0.27.0-rc1 and sanitized the pom so all providers use the same versions. In the process, since the new os-core-common spring6 only uses cleaned-up dependencies, had to include javassist separately in the core module.
During the pipeline runs there were various conflicts with this exception:
```
java.lang.NoSuchMethodError: 'com.fasterxml.jackson.databind.PropertyName com.fasterxml.jackson.databind.PropertyName.merge(com.fasterxml.jackson.databind.PropertyName, com.fasterxml.jackson.databind.PropertyName)'
	at com.fasterxml.jackson.dataformat.xml.JacksonXmlAnnotationIntrospector.findNameForSerialization(JacksonXmlAnnotationIntrospector.java:200) ~[jackson-dataformat-xml-2.17.0.jar!/:2.17.0]
```
So, upgraded the jackson versions as well to fix this issue for all providers.
Before and after changes for 3 main vulnerabilities are attached: vuln.txt
Above changes were reverted from AWS due to unresolved failures.
Edited by Deepa Kumari
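
The `NoSuchMethodError` quoted in the description is what a Jackson version skew looks like at runtime: `jackson-dataformat-xml` 2.17.0 calls a `jackson-databind` method that the databind jar on the classpath does not have. The following check is an added example, not part of this merge request or the project's code; it scans `mvn dependency:tree` output for Jackson artifacts resolved to different release lines. The sample tree is constructed, and every version in it except `jackson-dataformat-xml` 2.17.0 is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `mvn dependency:tree` output. Only the
# jackson-dataformat-xml 2.17.0 version comes from the stack trace above.
SAMPLE_TREE = """\
[INFO] org.example:demo-service:jar:1.0.0
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.17.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.17.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.17.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
[INFO] \\- org.javassist:javassist:jar:3.30.2-GA:compile
"""

# groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?(\d[\w.\-]*):"
    r"(compile|runtime|provided|test|system)\b"
)


def jackson_versions(tree_text):
    """Map each resolved Jackson artifactId to its version."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if m and m.group(1).startswith("com.fasterxml.jackson"):
            found[m.group(2)] = m.group(3)
    return found


def find_skew(tree_text):
    """Return {major.minor: [artifacts]} if Jackson spans several release lines, else {}."""
    by_line = defaultdict(list)
    for artifact, version in jackson_versions(tree_text).items():
        by_line[".".join(version.split(".")[:2])].append(artifact)
    return dict(by_line) if len(by_line) > 1 else {}


if __name__ == "__main__":
    skew = find_skew(SAMPLE_TREE)
    for release_line, artifacts in sorted(skew.items()):
        print(f"jackson {release_line}.x: {', '.join(artifacts)}")
    raise SystemExit(1 if skew else 0)  # non-zero exit fails a pipeline step
```

Run against each provider module's dependency tree, a check like this reports the mismatch at build time instead of at the first XML serialization call.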