Merge branch 'vulnerabilities' into 'master'

POM Organization & Dependency bumps

See merge request !629

partition-core/pom.xml

@@ -28,14 +28,19 @@
 	</parent>
 
 	<properties>
+		<kotlin_stdlib_version>1.3.60</kotlin_stdlib_version>
+		<cobertura_maven_plugin_version>2.7</cobertura_maven_plugin_version>
 		<openapi.version>2.3.0</openapi.version>
+		<commons-beanutils.version>1.9.4</commons-beanutils.version>
+		<json-smart.version>2.5.1</json-smart.version>
+
+		<!-- Test Scoped Versions -->
 		<mockito.core.version>3.4.0</mockito.core.version>
+		<mockito.inline.version>3.6.28</mockito.inline.version>
 		<assertj_core_version>3.16.1</assertj_core_version>
-		<kotlin_stdlib_version>1.3.60</kotlin_stdlib_version>
-		<cobertura_maven_plugin_version>2.7</cobertura_maven_plugin_version>
+		<!-- Plugin Versions -->
 		<maven_surefire_plugin_version>3.0.0-M4</maven_surefire_plugin_version>
 		<maven_failsafe_plugin_version>3.0.0-M4</maven_failsafe_plugin_version>
-		<commons-beanutils.version>1.9.4</commons-beanutils.version>
 	</properties>
 
 	<dependencyManagement>
@@ -54,15 +59,13 @@
 	</dependencyManagement>
 
 	<dependencies>
-		<dependency>
-			<groupId>org.projectlombok</groupId>
-			<artifactId>lombok</artifactId>
-		</dependency>
-
+		<!-- OSDU Dependencies -->
 		<dependency>
 			<groupId>org.opengroup.osdu</groupId>
 			<artifactId>os-core-common</artifactId>
 		</dependency>
+		<!-- Spring Dependencies -->
+    	<!-- Versions managed by parent pom -->
 		<dependency>
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-webmvc</artifactId>
@@ -89,12 +92,26 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
-		<!-- test dependencies -->
+		<!-- Project Dependencies -->
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>net.minidev</groupId>
+			<artifactId>json-smart</artifactId>
+			<version>${json-smart.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springdoc</groupId>
+			<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
+			<version>${openapi.version}</version>
+		</dependency>
+		<!-- Test Scoped Dependencies -->
 		<dependency>
 			<groupId>org.jetbrains.kotlin</groupId>
 			<artifactId>kotlin-stdlib</artifactId>
@@ -112,16 +129,10 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-		<dependency>
-			<groupId>net.minidev</groupId>
-			<artifactId>json-smart</artifactId>
-			<version>2.5.1</version>
-		</dependency>
-
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-inline</artifactId>
-			<version>3.6.28</version>
+			<version>${mockito.inline.version}</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -141,14 +152,6 @@
 			<artifactId>junit</artifactId>
 			<scope>test</scope>
 		</dependency>
-
-		<!-- swagger dependencies -->
-		<dependency>
-			<groupId>org.springdoc</groupId>
-			<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-			<version>${openapi.version}</version>
-		</dependency>
-
 	</dependencies>
 
 	<build>

pom.xml

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  Copyright 2017-2020, Schlumberger
+  Copyright
 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -20,26 +20,49 @@
   <artifactId>partition</artifactId>
   <version>0.28.0-SNAPSHOT</version>
   <description>Partition Service</description>
+  <packaging>pom</packaging>
+
+  <modules>
+    <module>partition-core</module>
+    <module>provider/partition-azure</module>
+    <module>provider/partition-aws</module>
+    <module>provider/partition-ibm</module>
+    <module>provider/partition-gc</module>
+    <module>partition-core-plus</module>
+  </modules>
 
   <properties>
     <java.version>17</java.version>
     <maven.compiler.target>17</maven.compiler.target>
     <maven.compiler.source>17</maven.compiler.source>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+    <!-- OSDU Versions-->
     <os-core-common.version>3.3.0</os-core-common.version>
-    <spring-framework.version>6.1.16</spring-framework.version>
+
+    <!-- Spring Versions-->
     <spring-boot.version>3.3.7</spring-boot.version>
-    <spring-security.version>6.3.4</spring-security.version>
-    <log4j.version>2.21.1</log4j.version>
+    <spring-security.version>6.3.6</spring-security.version>
+    <spring-framework.version>6.1.16</spring-framework.version>
+
+    <!-- Project Versions-->
+    <lombok.version>1.18.36</lombok.version>
     <guava.version>32.1.2-jre</guava.version>
-    <netty-version>4.1.115.Final</netty-version>
-    <snakeyaml.version>2.0</snakeyaml.version>
-  </properties>
 
-  <packaging>pom</packaging>
+    <!-- Plugin Versions -->
+    <git-commit-id-plugin.version>8.0.2</git-commit-id-plugin.version>
+  </properties>
 
   <dependencyManagement>
     <dependencies>
+      <!-- BOMs listed in order of dependency hierarchy:
+           spring-boot-dependencies first as it's the parent BOM providing default dependency management,
+           spring-security-bom second as it may need to override Spring Framework versions for security purposes,
+           spring-framework-bom third as it provides core dependencies that can be safely overridden by the security BOM
+           os-core-common last as it provides the default dependencies for the project.dependency>
+      -->
+
+      <!-- BOM Section Start-->
       <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-dependencies</artifactId>
@@ -47,13 +70,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>org.springframework</groupId>
-        <artifactId>spring-framework-bom</artifactId>
-        <version>${spring-framework.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-bom</artifactId>
@@ -62,17 +78,15 @@
         <scope>import</scope>
       </dependency>
       <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-bom</artifactId>
-        <version>${netty-version}</version>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-framework-bom</artifactId>
+        <version>${spring-framework.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>com.google.guava</groupId>
-        <artifactId>guava</artifactId>
-        <version>${guava.version}</version>
-      </dependency>
+      <!-- Core CommonBOM Override Section Start -->
+
+      <!-- Core CommonBOM Override Section End -->
       <dependency>
         <groupId>org.opengroup.osdu</groupId>
         <artifactId>os-core-common</artifactId>
@@ -80,11 +94,9 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>org.apache.httpcomponents</groupId>
-        <artifactId>httpclient</artifactId>
-        <version>4.5.13</version>
-      </dependency>
+      <!-- BOM Section End-->
+
+      <!-- Any dependencies here will be used by all projects. -->
       <dependency>
         <groupId>org.opengroup.osdu</groupId>
         <artifactId>os-core-common</artifactId>
@@ -107,16 +119,26 @@
       <dependency>
         <groupId>org.yaml</groupId>
         <artifactId>snakeyaml</artifactId>
-        <version>${snakeyaml.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpclient</artifactId>
+      </dependency>
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>${guava.version}</version>
       </dependency>
     </dependencies>
   </dependencyManagement>
 
   <dependencies>
+    <!-- Lombok is compile-time only due to 'provided' scope - it generates code during compilation
+         but is not included in the final artifact -->
     <dependency>
       <groupId>org.projectlombok</groupId>
       <artifactId>lombok</artifactId>
-      <version>1.18.34</version>
+      <version>${lombok.version}</version>
       <scope>provided</scope>
     </dependency>
   </dependencies>
@@ -144,7 +166,7 @@
       <plugin>
         <groupId>io.github.git-commit-id</groupId>
         <artifactId>git-commit-id-maven-plugin</artifactId>
-        <version>8.0.2</version>
+        <version>${git-commit-id-plugin.version}</version>
         <executions>
           <execution>
             <goals>
@@ -164,15 +186,6 @@
     </plugins>
   </build>
 
-  <modules>
-    <module>partition-core</module>
-    <module>provider/partition-azure</module>
-    <module>provider/partition-aws</module>
-    <module>provider/partition-ibm</module>
-    <module>provider/partition-gc</module>
-      <module>partition-core-plus</module>
-  </modules>
-
   <profiles>
     <profile>
       <id>Default</id>

provider/partition-azure/pom.xml

@@ -30,7 +30,7 @@
   </parent>
 
   <properties>
-    <core-lib-azure.version>2.0.2</core-lib-azure.version>
+    <core-lib-azure.version>2.0.3</core-lib-azure.version>
     <!-- Plugin Versions -->
     <surefire-plugin.version>2.22.2</surefire-plugin.version>
     <jacoco-plugin.version>0.8.12</jacoco-plugin.version>

provider/partition-gc/pom.xml

@@ -17,13 +17,6 @@
 
   <dependencyManagement>
     <dependencies>
-      <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-bom</artifactId>
-        <version>${netty-version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-dependencies</artifactId>