Fix Netty Security Vulnerabilities in os-core-lib-azure

Summary

This PR fixes critical Netty security vulnerabilities in the community os-core-lib-azure library that were not being resolved despite Spring Boot 3.5.3 and several security overrides already being in place.

Problem Discovered

While os-core-lib-azure uses Spring Boot 3.5.3 and already has security overrides for several components, the Netty vulnerabilities were not being fixed because:

  1. Spring Boot 3.5.3 includes Netty 4.1.122.Final, which has known CVEs
  2. The os-core-common BOM (which imports netty-bom 4.1.125.Final) is imported AFTER Spring Boot
  3. Maven keeps the first managed version it encounters across imported BOMs, so Spring Boot's Netty version takes precedence

Security Vulnerabilities Fixed

Netty Codec Vulnerabilities (HIGH SEVERITY)

  • CVEs: CVE-2025-58056, CVE-2025-58057, CVE-2025-55163
  • Component: io.netty:netty-codec, netty-codec-http, netty-codec-http2
  • Previous Version: 4.1.122.Final (from Spring Boot 3.5.3)
  • Fixed Version: 4.1.125.Final (via explicit BOM import)
  • Impact: Fixes request smuggling and denial of service vulnerabilities

Solution

Added netty-bom 4.1.125.Final import BEFORE Spring Boot dependencies to ensure it takes precedence over Spring Boot's Netty version.

Changes Made

pom.xml

  • Added netty-bom 4.1.125.Final import in dependencyManagement section
  • Positioned it BEFORE Spring Boot dependencies to ensure proper override
  • Added clear documentation about the fix and when it can be removed

Technical Details

The fix requires careful BOM import ordering:

  1. Spring Framework BOM
  2. Azure SDK BOM
  3. Spring Cloud Azure dependencies
  4. springdoc-openapi
  5. Netty BOM (4.1.125.Final) - NEW ← must be imported here, before Spring Boot, so its managed versions win
  6. Spring Boot dependencies
  7. os-core-common BOM
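The following dependencyManagement fragment is an added illustration of the import order described above; it is not the MR's own pom.xml. The coordinates for the Spring Boot and Netty BOMs (org.springframework.boot:spring-boot-dependencies, io.netty:netty-bom) are the standard published ones; the coordinates for the project's other BOM imports are shown as placeholders, and the property names are assumed.

```xml
<!-- Added example (not the MR's pom.xml). Demonstrates why the netty-bom import
     has to precede spring-boot-dependencies: Maven keeps the FIRST managed
     version it sees for a given groupId:artifactId across imported BOMs. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>bom-order-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <spring-boot.version>3.5.3</spring-boot.version>
    <!-- Security override. Remove this property and the netty-bom import below
         once Spring Boot itself manages Netty 4.1.125.Final or later. -->
    <netty.version>4.1.125.Final</netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Spring Framework, Azure SDK, Spring Cloud Azure and springdoc-openapi
           imports go here, in that order (placeholders omitted for brevity). -->

      <!-- Step 5: Netty BOM. Must come BEFORE spring-boot-dependencies; if it
           were placed after it, every io.netty artifact would stay at
           4.1.122.Final because Spring Boot's BOM would have been read first. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Step 6: Spring Boot dependencies. Its Netty 4.1.122.Final entries are
           now ignored because the artifacts are already managed above. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Step 7: os-core-common BOM (PLACEHOLDER coordinates). Its own
           netty-bom 4.1.125.Final import has no effect on Netty versions here,
           which is exactly why importing it last did not fix the CVEs. -->
      <dependency>
        <groupId>PLACEHOLDER.group</groupId>
        <artifactId>PLACEHOLDER-os-core-common-bom</artifactId>
        <version>PLACEHOLDER</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the override actually took effect after a change like this, run `mvn dependency:tree -Dincludes=io.netty` and check that every io.netty artifact resolves to 4.1.125.Final, or inspect the managed versions with `mvn help:effective-pom`. Because the fix depends purely on declaration order, a later reordering of the dependencyManagement section would silently reintroduce the vulnerable version, so the same check belongs in CI alongside the dependency scanner that flagged the CVEs.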

Version

The library version remains as development-SNAPSHOT per community repository conventions.

Existing Security Overrides (Already Present)

The library already contains the following security fixes which remain effective:

  • nimbus-jose-jwt: 10.0.2 (fixes CVE-2025-53864)
  • reactor-netty-http: 1.2.8 (fixes CVE-2025-22227)
  • commons-lang3: 3.18.0 (fixes CVE-2025-48924)

Notes

  • This issue affects any project using Spring Boot 3.5.3 with os-core-common imported after Spring Boot
  • The fix can be removed when Spring Boot updates to Netty 4.1.125.Final or later

Edited by Charles Zipp