chore(deps): Security dependency remediation - Spring Boot 3.5.8 and library updates

Summary

Security dependency remediation to address 242 identified vulnerabilities by updating to patched library versions.

Closes #137

Changes

partition/pom.xml

  • os-core-common: 3.6.1 → trusted-agent-dep-remediation-20251205-SNAPSHOT
  • spring-boot: 3.3.13 → 3.5.8
  • spring-security: 6.5.1 → 6.5.7
  • spring-framework: 6.2.9 → 6.2.14
  • lombok: 1.18.38 → 1.18.42
  • guava: 33.4.8-jre → 33.5.0-jre

partition-core/pom.xml

  • springdoc-openapi: 2.3.0 → 2.8.14

partition/provider/partition-azure/pom.xml

  • core-lib-azure: 2.2.8 → trusted-agent-dep-remediation-20251205-SNAPSHOT
  • Removed explicit ${spring-boot.version} override on spring-boot-starter-security

partition-core/SwaggerConfiguration.java

  • Added explicit Property schema registration to fix OpenAPI 3.1 compatibility

Breaking Change Fix: springdoc-openapi 2.8.x

The upgrade from springdoc-openapi 2.3.0 to 2.8.14 introduced a breaking change:

Problem: Starting with springdoc-openapi 2.8.0, OpenAPI 3.1 is the default spec version. The existing SwaggerConfiguration defined a "Map" schema that referenced #/components/schemas/Property, but the Property schema was never explicitly registered. In OpenAPI 3.0, springdoc auto-discovered this schema, but OpenAPI 3.1's stricter JSON Schema handling caused a 500 error on /api-docs.

Fix: Explicitly register the Property schema before the Map schema that references it:

// Registered before the "Map" schema whose additionalProperties $ref points here
.addSchemas("Property",
    new ObjectSchema()
        .addProperty("sensitive", new BooleanSchema())
        .addProperty("value", new ObjectSchema()))

This ensures the $ref to #/components/schemas/Property resolves correctly under OpenAPI 3.1.
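As an added regression check, not part of this MR, the following Python walks a parsed /api-docs document and lists local $refs that do not resolve, which is the exact condition that produced the 500 here. Both documents are constructed samples: one as springdoc emitted the components section before the fix, one after the Property schema is registered.

```python
import copy

# Constructed sample of the components section springdoc emits BEFORE the
# fix: "Map" refers to Property, but Property was never registered.
BROKEN_DOC = {
    "openapi": "3.1.0",
    "components": {"schemas": {
        "Map": {"type": "object",
                "additionalProperties": {"$ref": "#/components/schemas/Property"}},
    }},
}

# Constructed sample AFTER the fix: Property is registered explicitly,
# mirroring the ObjectSchema added to SwaggerConfiguration.
FIXED_DOC = copy.deepcopy(BROKEN_DOC)
FIXED_DOC["components"]["schemas"]["Property"] = {
    "type": "object",
    "properties": {"sensitive": {"type": "boolean"}, "value": {"type": "object"}},
}

def iter_refs(node):
    """Yield every $ref string found anywhere in a parsed OpenAPI document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield value
            else:
                yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)

def resolves(doc, ref):
    """True if a local '#/x/y' JSON Pointer reaches an existing node in doc."""
    if not ref.startswith("#/"):
        return True  # remote/file refs are outside this check's scope
    node = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescape
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True

def dangling_refs(doc):
    """Sorted, de-duplicated list of local $refs that do not resolve."""
    return sorted({r for r in iter_refs(doc) if not resolves(doc, r)})
```

Run it against the JSON served by /api-docs in CI to catch a dangling schema reference before it reaches a deployment.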

CVEs Addressed (29 fixed)

Critical/High Priority

  • CVE-2025-24813: Tomcat RCE
  • CVE-2025-22235: Spring Boot security bypass
  • CVE-2025-41249: Spring Core authorization bypass
  • CVE-2025-41248: Spring Security authorization bypass
  • CVE-2025-41242: Spring WebMVC path traversal
  • CVE-2025-24970: Netty native crash via SSL
  • CVE-2025-58057: Netty codec DoS

Via Library Updates

  • CVE-2023-52428, CVE-2025-53864: nimbus-jose-jwt DoS
  • CVE-2024-47535: lettuce-core vulnerability
  • CVE-2025-22227: reactor-netty credential leak
  • CVE-2021-29425: Commons IO path traversal
  • CVE-2025-11226: Logback ACE
  • CVE-2025-48924: Commons Lang3 DoS

Testing

  • All 122 unit tests passing locally
  • CI pipeline build
  • Integration tests

Notes

  • Snapshot versions used for validation - will be updated to release versions once libraries are published
  • Test modules (partition-acceptance-test) are out of scope for this MR - will be addressed separately
Edited by Daniel Scholl (MS)