POM Organization & Dependency bumps

Merge Request: Dependency updates

Summary

Version tracking for all packages in pom.xml with updates noted.

Parent Properties

Package	Original	Update
lombok	1.18.34	1.18.36
snakeyaml	2.0	managed by BOM
httpclient	4.5.13	managed by BOM
spring-security	6.3.4	6.3.6
java	17	17
maven.compiler	17	17
os-core-common	3.3.0	3.3.0
spring-framework	6.1.16	6.1.16
spring-boot	3.3.7	3.3.7
log4j	2.21.1	2.21.1
guava	32.1.2-jre	32.1.2-jre
netty	4.1.115.Final	4.1.115.Final

Core Properties

Package	Original	Update
openapi	2.3.0	2.3.0
mockito.core	3.4.0	3.4.0
assertj_core	3.16.1	3.16.1
kotlin_stdlib	1.3.60	1.3.60
cobertura_maven_plugin	2.7	2.7
maven_surefire_plugin	3.0.0-M4	3.0.0-M4
maven_failsafe_plugin	3.0.0-M4	3.0.0-M4
commons-beanutils	1.9.4	1.9.4
xercesImpl	2.12.2	2.12.2
maven-reporting-impl	3.2.0	3.2.0
mockito-inline	3.6.28	3.6.28
plexus-utils	4.0.1	4.0.1
jacoco-maven-plugin	0.8.8	0.8.8
json-smart	2.5.1	2.5.1

GC Provider Properties

Package	Original	Update
libraries-bom	26.29.0	26.29.0
logback-json-classic	0.1.5	0.1.5
logback-jackson	0.1.5	0.1.5
surefire-plugin	2.22.2	2.22.2
jacoco-plugin	0.8.8	0.8.8

Azure Provider Properties

Package	Original	Update
core-lib-azure	2.0.2	2.0.3
surefire-plugin	2.22.2	2.22.2
jacoco-plugin	0.8.12	0.8.12

Resolved Vulnerabilities

1. org.springframework.security:spring-security-bom

• Vulnerability: CVE-2024-3839
  • Severity: High
  • Issue: Authorization bypass vulnerability in Spring Security
  • Resolution: Upgraded from 6.3.4 to 6.3.6

2. org.opengroup.osdu:core-lib-azure

• Vulnerability: CVE-2024-50379
  • Severity: High
  • Issue: Remote Code Execution due to TOCTOU issue in JSP compilation in Tomcat
  • Resolution: Upgraded from 2.0.2 to 2.0.3 which includes Tomcat upgrade from 10.1.33 to 10.1.34

Additional Changes

• Improved POM organization with clearer property groupings
• Normalized dependency management structure across modules
• Consistent formatting and documentation
• Removed redundant netty-bom from GC provider as it's already managed by parent POM
• Added mockito.inline.version property to core POM for better version management
• Reorganized core POM properties into logical groups (Test Scoped, Plugin Versions)

partition-core/pom.xml

@@ -37,6 +37,9 @@
 		<maven_failsafe_plugin_version>3.0.0-M4</maven_failsafe_plugin_version>
 		<commons-beanutils.version>1.9.4</commons-beanutils.version>
 		<json-smart.version>2.5.1</json-smart.version>
+
+		<!-- Security fixes -->
+		<logback.version>1.5.13</logback.version>
 	</properties>
 
 	<dependencyManagement>
@@ -51,6 +54,18 @@
 				<artifactId>maven-reporting-impl</artifactId>
 				<version>3.2.0</version>
 			</dependency>
+
+			<!-- Security fixes -->
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>