
POM Organization & Dependency bumps

Daniel Scholl (MS) requested to merge vulnerabilities into master

Merge Request: Dependency updates

Summary

Version tracking for all packages in pom.xml with updates noted.

Parent Properties

| Package | Original | Update |
|---|---|---|
| lombok | 1.18.34 | 1.18.36 |
| snakeyaml | 2.0 | managed by BOM |
| httpclient | 4.5.13 | managed by BOM |
| spring-security | 6.3.4 | 6.3.6 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| os-core-common | 3.3.0 | 3.3.0 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-boot | 3.3.7 | 3.3.7 |
| log4j | 2.21.1 | 2.21.1 |
| guava | 32.1.2-jre | 32.1.2-jre |
| netty | 4.1.115.Final | 4.1.115.Final |

Core Properties

| Package | Original | Update |
|---|---|---|
| openapi | 2.3.0 | 2.3.0 |
| mockito.core | 3.4.0 | 3.4.0 |
| assertj_core | 3.16.1 | 3.16.1 |
| kotlin_stdlib | 1.3.60 | 1.3.60 |
| cobertura_maven_plugin | 2.7 | 2.7 |
| maven_surefire_plugin | 3.0.0-M4 | 3.0.0-M4 |
| maven_failsafe_plugin | 3.0.0-M4 | 3.0.0-M4 |
| commons-beanutils | 1.9.4 | 1.9.4 |
| xercesImpl | 2.12.2 | 2.12.2 |
| maven-reporting-impl | 3.2.0 | 3.2.0 |
| mockito-inline | 3.6.28 | 3.6.28 |
| plexus-utils | 4.0.1 | 4.0.1 |
| jacoco-maven-plugin | 0.8.8 | 0.8.8 |
| json-smart | 2.5.1 | 2.5.1 |

GC Provider Properties

| Package | Original | Update |
|---|---|---|
| libraries-bom | 26.29.0 | 26.29.0 |
| logback-json-classic | 0.1.5 | 0.1.5 |
| logback-jackson | 0.1.5 | 0.1.5 |
| surefire-plugin | 2.22.2 | 2.22.2 |
| jacoco-plugin | 0.8.8 | 0.8.8 |

Azure Provider Properties

| Package | Original | Update |
|---|---|---|
| core-lib-azure | 2.0.2 | 2.0.3 |
| surefire-plugin | 2.22.2 | 2.22.2 |
| jacoco-plugin | 0.8.12 | 0.8.12 |

Resolved Vulnerabilities

  1. org.springframework.security:spring-security-bom
     • Vulnerability: CVE-2024-3839
     • Severity: High
     • Issue: Authorization bypass vulnerability in Spring Security
     • Resolution: Upgraded from 6.3.4 to 6.3.6
  2. org.opengroup.osdu:core-lib-azure
     • Vulnerability: CVE-2024-50379
     • Severity: High
     • Issue: Remote Code Execution due to TOCTOU issue in JSP compilation in Tomcat
     • Resolution: Upgraded from 2.0.2 to 2.0.3, which includes Tomcat upgrade from 10.1.33 to 10.1.34

Additional Changes

  • Improved POM organization with clearer property groupings
  • Normalized dependency management structure across modules
  • Consistent formatting and documentation
  • Removed redundant netty-bom from GC provider as it's already managed by parent POM
  • Added mockito.inline.version property to core POM for better version management
  • Reorganized core POM properties into logical groups (Test Scoped, Plugin Versions)
Edited by Daniel Scholl (MS)
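The "managed by BOM" entries and the removal of the redundant netty-bom from the GC provider both rest on one Maven rule: a child POM's own `<dependencyManagement>` entry, or an explicit `<version>` on a dependency, takes precedence over the version the parent manages, so a stale pin in a provider module can silently keep a vulnerable version in the build even after the parent is bumped. The script below is an added example, not code from this merge request or the OSDU project; the parent and child POMs it parses are constructed inline with made-up coordinates and versions (not the real OSDU files), and it lists every child entry that duplicates or overrides a parent-managed coordinate.

```python
"""Flag child-POM version pins that duplicate or override versions the parent POM
already manages (added example; the POM snippets are constructed, not OSDU's)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed parent POM: manages netty via an imported BOM and httpclient directly.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0.0</version>
  <properties>
    <netty.version>4.1.115.Final</netty.version>
    <httpclient.version>4.5.14</httpclient.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
      <version>${netty.version}</version><type>pom</type><scope>import</scope></dependency>
    <dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId>
      <version>${httpclient.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed child POM: re-imports an older netty-bom and pins an older httpclient.
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0.0</version></parent>
  <artifactId>provider-gc</artifactId>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
      <version>4.1.100.Final</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-handler</artifactId></dependency>
    <dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId>
      <version>4.5.13</version></dependency>
  </dependencies>
</project>"""


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _properties(root):
    # <properties> children are arbitrary tags; strip the namespace to get the name.
    return {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
            for p in root.findall("m:properties/*", NS)}


def _resolve(version, props):
    # Expand ${prop} references from the same POM; unknown ones are left as-is.
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), version)


def _coords(root, path, explicit_only):
    props = _properties(root)
    out = {}
    for dep in root.findall(path, NS):
        version = _text(dep, "version")
        if explicit_only and version is None:
            continue  # version inherited from dependencyManagement: fine
        coord = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
        out[coord] = _resolve(version, props) if version else None
    return out


def managed_versions(pom_xml):
    """{'group:artifact': version} for the POM's own <dependencyManagement> block."""
    return _coords(ET.fromstring(pom_xml),
                   "m:dependencyManagement/m:dependencies/m:dependency", False)


def explicit_pins(pom_xml):
    """{'group:artifact': version} for <dependencies> entries carrying their own <version>."""
    return _coords(ET.fromstring(pom_xml), "m:dependencies/m:dependency", True)


def find_redundant_pins(parent_xml, child_xml):
    """Return (kind, coordinate, parent_version, child_version) for every child entry
    that Maven would let shadow a version the parent already manages."""
    parent = managed_versions(parent_xml)
    findings = [("redundant-management", c, parent[c], v)
                for c, v in managed_versions(child_xml).items() if c in parent]
    findings += [("explicit-override", c, parent[c], v)
                 for c, v in explicit_pins(child_xml).items() if c in parent]
    return sorted(findings)


if __name__ == "__main__":
    for kind, coord, parent_v, child_v in find_redundant_pins(PARENT_POM, CHILD_POM):
        print(f"{kind:22} {coord:45} parent={parent_v} child={child_v}")
```

The script only compares coordinates that appear literally in the parent's `<dependencyManagement>`; it does not resolve the artifacts an imported BOM manages transitively (such as snakeyaml or httpclient under the Spring Boot BOM), since that needs repository access. For the authoritative answer on what a module actually resolves after a bump, run `mvn dependency:tree` in that module and confirm the Tomcat, Spring Security and netty versions it prints match the parent's managed versions.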
