POM Organization & Dependency bumps
Merge Request: Dependency updates
Summary
Version tracking for all packages in pom.xml with updates noted.
Parent Properties
Package | Original | Update |
---|---|---|
lombok | 1.18.34 | 1.18.36 |
snakeyaml | 2.0 | managed by BOM |
httpclient | 4.5.13 | managed by BOM |
spring-security | 6.3.4 | 6.3.6 |
java | 17 | 17 |
maven.compiler | 17 | 17 |
os-core-common | 3.3.0 | 3.3.0 |
spring-framework | 6.1.16 | 6.1.16 |
spring-boot | 3.3.7 | 3.3.7 |
log4j | 2.21.1 | 2.21.1 |
guava | 32.1.2-jre | 32.1.2-jre |
netty | 4.1.115.Final | 4.1.115.Final |
Core Properties
Package | Original | Update |
---|---|---|
openapi | 2.3.0 | 2.3.0 |
mockito.core | 3.4.0 | 3.4.0 |
assertj_core | 3.16.1 | 3.16.1 |
kotlin_stdlib | 1.3.60 | 1.3.60 |
cobertura_maven_plugin | 2.7 | 2.7 |
maven_surefire_plugin | 3.0.0-M4 | 3.0.0-M4 |
maven_failsafe_plugin | 3.0.0-M4 | 3.0.0-M4 |
commons-beanutils | 1.9.4 | 1.9.4 |
xercesImpl | 2.12.2 | 2.12.2 |
maven-reporting-impl | 3.2.0 | 3.2.0 |
mockito-inline | 3.6.28 | 3.6.28 |
plexus-utils | 4.0.1 | 4.0.1 |
jacoco-maven-plugin | 0.8.8 | 0.8.8 |
json-smart | 2.5.1 | 2.5.1 |
GC Provider Properties
Package | Original | Update |
---|---|---|
libraries-bom | 26.29.0 | 26.29.0 |
logback-json-classic | 0.1.5 | 0.1.5 |
logback-jackson | 0.1.5 | 0.1.5 |
surefire-plugin | 2.22.2 | 2.22.2 |
jacoco-plugin | 0.8.8 | 0.8.8 |
Azure Provider Properties
Package | Original | Update |
---|---|---|
core-lib-azure | 2.0.2 | 2.0.3 |
surefire-plugin | 2.22.2 | 2.22.2 |
jacoco-plugin | 0.8.12 | 0.8.12 |
Resolved Vulnerabilities
org.springframework.security:spring-security-bom
- Vulnerability: CVE-2024-3839
- Severity: High
- Issue: Authorization bypass vulnerability in Spring Security
- Resolution: Upgraded from 6.3.4 to 6.3.6
org.opengroup.osdu:core-lib-azure
- Vulnerability: CVE-2024-50379
- Severity: High
- Issue: Remote Code Execution due to a TOCTOU race in JSP compilation in Apache Tomcat; exploitable only when the default servlet is write-enabled (`readonly=false`) on a case-insensitive filesystem
- Resolution: Upgraded from 2.0.2 to 2.0.3, which includes a Tomcat upgrade from 10.1.33 to 10.1.34
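A table like the one above is only as good as the versions Maven actually resolves, so the check worth running after a bump is against the effective POM rather than the edited file. The script below is an added example, not part of this MR or of the OSDU code base: it parses a constructed pom.xml (embedded inline, modelled on the property-plus-BOM layout this MR describes), expands `${...}` property references the way Maven does for literal properties, and flags any managed artifact that sits below a floor. The floors are the "Update" versions named in this MR and are used here purely as an illustration; the version comparison is a simplified ordering, not Maven's full qualifier rules.

```python
"""Check that a pom.xml's managed versions meet the floors this MR targets.

Added example, not part of the MR or the OSDU project. Floors below are the
versions named in the MR and are illustrative, not an authoritative fix list.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM: version properties grouped at the top, a BOM
# imported in dependencyManagement, and plain managed dependencies.
# tomcat.version is deliberately left one patch behind the MR's target.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample-parent</artifactId>
  <version>0.1.0</version>
  <packaging>pom</packaging>
  <properties>
    <java.version>17</java.version>
    <spring-security.version>6.3.6</spring-security.version>
    <tomcat.version>10.1.33</tomcat.version>
    <core-lib-azure.version>2.0.3</core-lib-azure.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
        <version>${spring-security.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opengroup.osdu</groupId>
        <artifactId>core-lib-azure</artifactId>
        <version>${core-lib-azure.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Hypothetical floors for the demo, taken from this MR's "Update" column.
MIN_VERSIONS = {
    "org.springframework.security:spring-security-bom": "6.3.6",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.34",
    "org.opengroup.osdu:core-lib-azure": "2.0.3",
}


def parse_version(version):
    """Turn '10.1.34' or '4.1.115.Final' into a comparable tuple.

    Numeric segments sort before textual ones; this is a simplified ordering,
    not Maven's full qualifier semantics (e.g. SNAPSHOT handling).
    """
    parts = []
    for segment in re.split(r"[.\-]", version):
        parts.append((0, int(segment)) if segment.isdigit() else (1, segment))
    return tuple(parts)


def managed_versions(pom_xml):
    """Return {'groupId:artifactId': resolved version} for dependencyManagement entries."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(value):
        # Expand ${name} from <properties>; unknown names are left untouched.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    result = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS).strip())
        result[f"{gid}:{aid}"] = ver
    return result


def check_floors(pom_xml, floors=MIN_VERSIONS):
    """Return (coordinate, found, required) for every artifact below its floor or unmanaged."""
    found = managed_versions(pom_xml)
    failures = []
    for coord, minimum in floors.items():
        ver = found.get(coord)
        if ver is None or parse_version(ver) < parse_version(minimum):
            failures.append((coord, ver, minimum))
    return failures


if __name__ == "__main__":
    for coord, ver, minimum in check_floors(SAMPLE_POM):
        print(f"FAIL {coord}: found {ver}, need >= {minimum}")
```

Run it against the output of `mvn help:effective-pom` rather than a single module's pom.xml: a child module that inherits Tomcat through core-lib-azure or through a BOM carries no version of its own, so only the effective POM shows what will actually be packaged.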
Additional Changes
- Improved POM organization with clearer property groupings
- Normalized dependency management structure across modules
- Consistent formatting and documentation
- Removed redundant netty-bom from GC provider as it's already managed by parent POM
- Added mockito.inline.version property to core POM for better version management
- Reorganized core POM properties into logical groups (Test Scoped, Plugin Versions)
Edited by Daniel Scholl (MS)