POM Organization & Dependency bumps
Merge Request: Dependency updates
Summary
Version tracking for all packages in pom.xml with updates noted.
Parent Properties
| Package | Original | Update |
|---|---|---|
| lombok | 1.18.34 | 1.18.36 |
| snakeyaml | 2.0 | managed by BOM |
| httpclient | 4.5.13 | managed by BOM |
| spring-security | 6.3.4 | 6.3.6 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| os-core-common | 3.3.0 | 3.3.0 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-boot | 3.3.7 | 3.3.7 |
| log4j | 2.21.1 | 2.21.1 |
| guava | 32.1.2-jre | 32.1.2-jre |
| netty | 4.1.115.Final | 4.1.115.Final |
Core Properties
| Package | Original | Update |
|---|---|---|
| openapi | 2.3.0 | 2.3.0 |
| mockito.core | 3.4.0 | 3.4.0 |
| assertj_core | 3.16.1 | 3.16.1 |
| kotlin_stdlib | 1.3.60 | 1.3.60 |
| cobertura_maven_plugin | 2.7 | 2.7 |
| maven_surefire_plugin | 3.0.0-M4 | 3.0.0-M4 |
| maven_failsafe_plugin | 3.0.0-M4 | 3.0.0-M4 |
| commons-beanutils | 1.9.4 | 1.9.4 |
| xercesImpl | 2.12.2 | 2.12.2 |
| maven-reporting-impl | 3.2.0 | 3.2.0 |
| mockito-inline | 3.6.28 | 3.6.28 |
| plexus-utils | 4.0.1 | 4.0.1 |
| jacoco-maven-plugin | 0.8.8 | 0.8.8 |
| json-smart | 2.5.1 | 2.5.1 |
GC Provider Properties
| Package | Original | Update |
|---|---|---|
| libraries-bom | 26.29.0 | 26.29.0 |
| logback-json-classic | 0.1.5 | 0.1.5 |
| logback-jackson | 0.1.5 | 0.1.5 |
| surefire-plugin | 2.22.2 | 2.22.2 |
| jacoco-plugin | 0.8.8 | 0.8.8 |
Azure Provider Properties
| Package | Original | Update |
|---|---|---|
| core-lib-azure | 2.0.2 | 2.0.3 |
| surefire-plugin | 2.22.2 | 2.22.2 |
| jacoco-plugin | 0.8.12 | 0.8.12 |
Resolved Vulnerabilities
org.springframework.security:spring-security-bom
- Vulnerability: CVE-2024-3839
- Severity: High
- Issue: Authorization bypass vulnerability in Spring Security
- Resolution: Upgraded from 6.3.4 to 6.3.6
org.opengroup.osdu:core-lib-azure
- Vulnerability: CVE-2024-50379
- Severity: High
- Issue: Remote Code Execution due to TOCTOU issue in JSP compilation in Tomcat
- Resolution: Upgraded from 2.0.2 to 2.0.3, which includes Tomcat upgrade from 10.1.33 to 10.1.34
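A BOM bump only fixes a CVE if the fixed version actually lands in the resolved dependency tree (a nearer declaration in a module can still pin the old one). As an added check that is not part of this merge request, the script below reads `mvn dependency:list` output and asserts the minimum versions named above; the artifact ids `spring-security-core` and `tomcat-embed-core` are assumed to be the modules carrying the fixes, and the sample output is constructed.

```shell
# Added check, not part of this merge request: confirm that the artifacts
# carrying the CVE fixes resolve to the fixed versions in the actual build.
# Input is the line shape printed by `mvn dependency:list`
# ("[INFO]    groupId:artifactId:type:version:scope"; classifier lines not handled).
# Minimum versions from this MR. Which artifact ids carry the fixes is an
# assumption; adjust to the modules your build actually resolves.
MIN_VERSIONS="org.springframework.security:spring-security-core 6.3.6
org.apache.tomcat.embed:tomcat-embed-core 10.1.34"
# version_ge A B: 0 when A >= B, comparing dot-separated numeric segments
# (non-numeric segments such as "Final" count as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}
# check_resolved: reads dependency:list output on stdin, prints one line per
# required artifact (OK / FAIL / MISSING), returns 1 if any is not fixed.
check_resolved() {
  local rc=0 input ga min resolved
  input=$(sed 's/^\[INFO\][[:space:]]*//')
  while read -r ga min; do
    [ -z "$ga" ] && continue
    resolved=$(printf '%s\n' "$input" |
      sed -n "s/^[[:space:]]*$ga:[^:]*:\([^:]*\):.*/\1/p" | head -n1)
    if [ -z "$resolved" ]; then
      echo "MISSING $ga"; rc=1
    elif version_ge "$resolved" "$min"; then
      echo "OK $ga $resolved"
    else
      echo "FAIL $ga $resolved<$min"; rc=1
    fi
  done <<EOF
$MIN_VERSIONS
EOF
  return "$rc"
}
# Constructed sample: a nearer declaration still pins the old Tomcat, so the
# BOM bump alone did not land the fix and the check reports FAIL for it.
SAMPLE_LIST='[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-core:jar:6.3.6:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.33:compile
[INFO]    org.projectlombok:lombok:jar:1.18.36:provided'
printf '%s\n' "$SAMPLE_LIST" | check_resolved || echo "fix missing from resolved tree"
```

In a real pipeline, feed it `mvn -q dependency:list -DoutputFile=/dev/stdout` per module and fail the build on a non-zero return.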
Additional Changes
- Improved POM organization with clearer property groupings
- Normalized dependency management structure across modules
- Consistent formatting and documentation
- Removed redundant netty-bom from GC provider as it's already managed by parent POM
- Added mockito.inline.version property to core POM for better version management
- Reorganized core POM properties into logical groups (Test Scoped, Plugin Versions)
Edited by Daniel Scholl (MS)