Merge branch 'solxget/CVE-2022-22965' into 'master'

Fix vulnerabilities

See merge request !479

NOTICE

@@ -136,7 +136,6 @@ The following software have components provided under the terms of this license:
 - Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
 - Jakarta Servlet (from https://projects.eclipse.org/projects/ee4j.servlet)
 - Jakarta Validation API (from https://beanvalidation.org)
-- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Architecture for XML Binding (from http://jaxb.java.net/, https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api)
 - Java Native Access (from https://github.com/java-native-access/jna, https://github.com/twall/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
@@ -247,7 +246,7 @@ The following software have components provided under the terms of this license:
 - Spring JMS (from http://www.springframework.org, https://github.com/SpringSource/spring-framework, https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-jms)
 - Spring Messaging (from https://github.com/spring-projects/spring-framework)
 - Spring Object/XML Marshalling (from https://github.com/spring-projects/spring-framework)
-- Spring Plugin - Metadata Extension (from https://repo1.maven.org/maven2/org/springframework/plugin/spring-plugin-metadata)
+- Spring Plugin - Metadata Extension (from https://github.com/spring-projects/spring-plugin/spring-plugin-metadata, https://repo1.maven.org/maven2/org/springframework/plugin/spring-plugin-metadata)
 - Spring Plugin Core (from https://github.com/spring-projects/spring-plugin/spring-plugin-core, https://repo1.maven.org/maven2/org/springframework/plugin/spring-plugin-core)
 - Spring Security - Core (from http://spring.io/spring-security, https://repo1.maven.org/maven2/org/springframework/security/spring-security-core, https://spring.io/projects/spring-security, https://spring.io/spring-security)
 - Spring Security - Namespace Configuration Module (from http://spring.io/spring-security, https://repo1.maven.org/maven2/org/springframework/security/spring-security-config, https://spring.io/projects/spring-security, https://spring.io/spring-security)
@@ -414,6 +413,7 @@ The following software have components provided under the terms of this license:
 
 - Guava: Google Core Libraries for Java (from http://code.google.com/p/guava-libraries, https://github.com/google/guava, https://repo1.maven.org/maven2/com/google/guava/guava)
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
+- Hibernate Validator (from https://repo1.maven.org/maven2/org/hibernate/hibernate-validator, https://repo1.maven.org/maven2/org/hibernate/validator/hibernate-validator)
 - LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - MongoDB Java Driver (from http://mongodb.org/, http://www.mongodb.org, https://www.mongodb.com/)
 - Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
@@ -467,13 +467,11 @@ The following software have components provided under the terms of this license:
 - JUnit Jupiter API (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Jupiter Engine (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Jupiter Params (from http://junit.org/junit5/, https://junit.org/junit5/)
-- JUnit Platform Commons (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Engine API (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Vintage Engine (from http://junit.org/junit5/, https://junit.org/junit5/)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Validation API (from https://beanvalidation.org)
 - Jakarta WebSocket - Server API (from https://projects.eclipse.org/projects/ee4j.websocket, https://repo1.maven.org/maven2/org/jboss/spec/javax/websocket/jboss-websocket-api_1.1_spec)
-- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Servlet 4.0 API
 - Logback Contrib :: JSON :: Classic (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-classic)
 - Logback Contrib :: JSON :: Core (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-core)
@@ -542,7 +540,6 @@ GPL-3.0-only
 The following software have components provided under the terms of this license:
 
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
-- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Servlet 4.0 API
 
 ========================================================================
@@ -605,7 +602,6 @@ The following software have components provided under the terms of this license:
 - ClassGraph (from https://github.com/classgraph/classgraph)
 - JUL to SLF4J bridge (from http://www.slf4j.org)
 - Jackson-core (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-core)
-- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Java JWT (from http://www.jwt.io, https://github.com/auth0/java-jwt)
 - Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)

notification-core/pom.xml

@@ -17,7 +17,6 @@
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-
     <artifactId>notification-core</artifactId>
     <name>notification-core</name>
     <description>Core module for the notification service</description>
@@ -31,10 +30,6 @@
 	</parent>
 
     <properties>
-        <java.version>17</java.version>
-        <maven.compiler.target>${java.version}</maven.compiler.target>
-        <maven.compiler.source>${java.version}</maven.compiler.source>
-        <netty.version>4.1.70.Final</netty.version>
         <undertow.version>2.2.19.Final</undertow.version>
         <woodstox-core.version>5.3.0</woodstox-core.version>
         <log4j.version>2.17.1</log4j.version>

pom.xml

@@ -29,6 +29,9 @@
 		<log4j2.version>2.17.1</log4j2.version>
 		<json-smart.version>2.5.0</json-smart.version>
 		<openapi.version>1.6.14</openapi.version>
+		<spring-webmvc.version>5.3.31</spring-webmvc.version>
+		<netty.version>4.1.106.Final</netty.version>
+		<snakeyaml-version>2.0</snakeyaml-version>
 	</properties>
 
 	<licenses>
@@ -51,11 +54,11 @@
 				<scope>import</scope>
 			</dependency>
 			<dependency>
-				<groupId>org.springframework.boot</groupId>
-				<artifactId>spring-boot-dependencies</artifactId>
-				<version>2.7.17</version>
-				<type>pom</type>
-				<scope>import</scope>
+			    <groupId>org.springframework.boot</groupId>
+			    <artifactId>spring-boot-dependencies</artifactId>
+			    <version>2.7.17</version>
+			    <type>pom</type>
+			    <scope>import</scope>
 			</dependency>
 
 			<dependency>
@@ -112,6 +115,12 @@
 		<groupId>org.springdoc</groupId>
 		<artifactId>springdoc-openapi-ui</artifactId>
 		<version>${openapi.version}</version>
+        <exclusions>
+        	<exclusion>
+        		<groupId>org.yaml</groupId>
+        		<artifactId>snakeyaml</artifactId>
+        	</exclusion>
+        </exclusions>
 	</dependency>
 	<dependency>
 		<groupId>org.springframework.plugin</groupId>

provider/notification-aws/pom.xml

@@ -31,9 +31,6 @@
     </parent>
 
     <properties>
-        <java.version>17</java.version>
-        <maven.compiler.target>${java.version}</maven.compiler.target>
-        <maven.compiler.source>${java.version}</maven.compiler.source>
         <log4j2.version>2.17.1</log4j2.version>
         <jackson-databind.version>2.13.4.2</jackson-databind.version>
         <jackson.version>2.13.4</jackson.version>
@@ -72,6 +69,16 @@
         <dependency>
             <groupId>org.opengroup.osdu.core.aws</groupId>
             <artifactId>os-core-lib-aws</artifactId>
+            <exclusions>
+            	<exclusion>
+				    <groupId>org.springframework</groupId>
+				    <artifactId>spring-core</artifactId>
+            	</exclusion>
+            	<exclusion>
+				    <groupId>org.springframework</groupId>
+				    <artifactId>spring-beans</artifactId>
+            	</exclusion>
+            </exclusions>
             <version>0.25.0-rc3</version>
         </dependency>
         <dependency>
@@ -91,11 +98,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-webmvc</artifactId>
-        </dependency>
-
         <!-- unit test dependencies -->
         <dependency>
             <groupId>org.mockito</groupId>

provider/notification-azure/pom.xml

@@ -30,9 +30,6 @@
   </parent>
 
   <properties>
-    <java.version>17</java.version>
-    <maven.compiler.target>${java.version}</maven.compiler.target>
-    <maven.compiler.source>${java.version}</maven.compiler.source>
     <jacoco-maven-plugin.version>0.8.10</jacoco-maven-plugin.version>
     <osdu.notification-core.version>0.26.0-SNAPSHOT</osdu.notification-core.version>
     <springframework.version>4.3.0.RELEASE</springframework.version>
@@ -47,12 +44,9 @@
     <reactor-netty.version>1.1.14</reactor-netty.version>
     <oauth2-oidc-sdk.version>6.0</oauth2-oidc-sdk.version>
     <woodstox-core.version>5.4.0</woodstox-core.version>
-    <spring-webmvc.version>5.3.22</spring-webmvc.version>
     <undertow.version>2.2.26.Final</undertow.version>
     <spring-boot-maven-plugin.version>2.7.6</spring-boot-maven-plugin.version>
     <xnio-api.version>3.8.8.Final</xnio-api.version>
-    <netty.version>4.1.101.Final</netty.version>
-    <snakeyaml-version>2.0</snakeyaml-version>
   </properties>
 
   <dependencyManagement>
@@ -193,6 +187,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
+      <version>${spring-webmvc.version}</version>
     </dependency>
 
     <dependency>

provider/notification-gc/pom.xml

@@ -29,9 +29,6 @@
     </parent>
 
     <properties>
-        <java.version>17</java.version>
-        <maven.compiler.target>${java.version}</maven.compiler.target>
-        <maven.compiler.source>${java.version}</maven.compiler.source>
         <spring-boot-maven-plugin.version>2.7.6</spring-boot-maven-plugin.version>
     </properties>
 
@@ -62,6 +59,12 @@
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>core-lib-gc</artifactId>
             <version>0.24.0</version>
+            <exclusions>
+            	<exclusion>
+            		<groupId>org.yaml</groupId>
+            		<artifactId>snakeyaml</artifactId>
+            	</exclusion>
+        	</exclusions>
         </dependency>
 
         <dependency>
@@ -77,6 +80,10 @@
                     <groupId>com.google.oauth-client</groupId>
                     <artifactId>google-oauth-client</artifactId>
                 </exclusion>
+                <exclusion>
+            		<groupId>org.yaml</groupId>
+            		<artifactId>snakeyaml</artifactId>
+            	</exclusion>
             </exclusions>
         </dependency>
 
@@ -116,6 +123,12 @@
             <artifactId>oqm</artifactId>
             <version>0.24.0</version>
         </dependency>
+        
+        <dependency>
+        	<groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${snakeyaml-version}</version>
+        </dependency>
     </dependencies>
 
     <build>

provider/notification-ibm/pom.xml

@@ -102,7 +102,7 @@
         <dependency>
         	<groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>1.33</version>
+            <version>${snakeyaml-version}</version>
         </dependency>
 		<dependency>
 			<groupId>org.apache.lucene</groupId>