Vulnerability Fixes and Workload Identity Enablement

Daniel Scholl (MS]requested to merge
vulnerabilities into master

New Feature: Updated OSDU Core Lib Azure supports workload identity capabilities.

Fix: Resolve vulnerabilities in pom.xml

This PR highlights the vulnerabilities that have been resolved in pom.xml. Below is the delta of vulnerabilities that were present in the previous scan but are no longer found in the current state.

Resolved Vulnerabilities:

  1. com.azure:azure-identity

    • Vulnerability: CVE-2024-35255
    • Severity: Medium
    • Issue: Azure Identity Libraries Elevation of Privilege Vulnerability
    • Resolution: Upgraded from 1.11.2 to 1.12.2.

  2. com.nimbusds:nimbus-jose-jwt

    • Vulnerability: CVE-2023-52428
    • Severity: Medium
    • Issue: Large JWE p2c header value causes Denial of Service
    • Resolution: Upgraded from 9.30.2 to 9.37.2.

  3. io.netty:netty-common

    • Vulnerability: CVE-2024-47535
    • Severity: Medium
    • Issue: Denial of Service attack on Windows apps using Netty
    • Resolution: Upgraded from 4.1.114.Final to 4.1.115.

  4. org.springframework:spring-beans

    • Vulnerability: CVE-2024-38827
    • Severity: Medium
    • Issue: Authorization bypass for case-sensitive comparisons in Spring Security
    • Resolution: Upgraded from 6.1.6 to 6.1.14.

  5. org.springframework:spring-context

    • Vulnerability: CVE-2024-38820
    • Severity: Medium
    • Issue: DataBinder vulnerability related to disallowedFieldspatterns
    • Resolution: Addressed through updated libraries.

By resolving these vulnerabilities, the project achieves improved security and mitigates associated risks. Please review and approve this PR.

Merge request reports