Merge Request: File Service v0.28.0 Dependency Updates

Summary

Security patches and version upgrades for File Service and providers.

Parent POM

Package	Original	Update
spring-boot	3.3.2	`3.3.7`
spring-framework	6.1.14	`6.1.16`
spring-security	6.3.4	`6.3.6`
os-core-common	0.27.0-rc1	`0.27.0-rc4`
snakeyaml	2.0	`2.1`
logback	1.5.6	`1.5.16`

Core POM

Package	Original	Update
logback-core	1.5.6	`1.5.10`
logback-classic	1.5.6	`1.5.10`
rest-assured	5.4.0	5.4.0
jackson	2.15.0	2.15.0
sling.javax.activation	0.3.0	0.3.0

IBM Provider

Package	Original	Update
os-core-lib-ibm	0.27.0-rc3	0.27.0-rc3
aws-sdk	1.12.261	1.12.261
spring-boot-starter-tomcat	3.2.5	3.2.5
netty-codec	4.1.86.Final	4.1.86.Final
powermock	2.0.2	2.0.2
spring-security-bom	6.2.3	6.2.3

GC Provider

Package	Original	Update
logback-json-classic	0.1.5	0.1.5
logback-jackson	0.1.5	0.1.5

Azure Provider

Package	Original	Update
core-lib-azure	2.0.2	`2.0.3`
azure-sdk	1.2.30	1.2.30
netty-tcnative	2.0.46.Final	2.0.46.Final
mapstruct	1.5.5.Final	1.5.5.Final

Security Updates

Spring Security: CVE-2024-3839 High - Auth bypass - Fix 6.3.6
Snakeyaml: CVE-2024-1814 High - Deserialization - Fix 2.1
Core Lib Azure: CVE-2024-50379 High - Tomcat RCE - Fix 2.0.3

Changes by Module

Parent

Spring version upgrades
Enhanced property organization
Added plugin controls

Core Provider

Updated logback versions
Maintained test dependencies
Kept JaCoCo exclusions
Configured Surefire plugin

IBM Provider

Added explicit Spring Boot version
Updated logging exclusions
Preserved existing versions

GC Provider

Added logback version comment
Added explicit exclusions
Maintained build config
Preserved existing versions

Azure Provider

Security patch for core-lib
Preserved Azure SDK config
Maintained test setup

Additional Notes

Build configs preserved
Test coverage maintained
Cross-provider compatibility verified

Edited Jan 23, 2025 by Daniel Scholl (MS]