From 9f432fdce1cd63e63cdc175c6bda83375d7b760b Mon Sep 17 00:00:00 2001
From: Derek Zhang <derekxz@amazon.com>
Date: Fri, 10 Jan 2025 11:28:06 -0800
Subject: [PATCH 1/2] fix: spring cves

---
 pom.xml                       | 2 +-
 provider/register-aws/pom.xml | 4 ++--
 register-core/pom.xml         | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4b0e8631b..13f526d57 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,7 +35,7 @@
         <json-smart.version>2.5.0</json-smart.version>
         <netty.version>4.1.115.Final</netty.version>
         <guava.version>32.1.2-jre</guava.version>
-        <spring-boot.version>3.3.5</spring-boot.version>
+        <spring-boot.version>3.3.7</spring-boot.version>
         <spring-security.version>6.3.4</spring-security.version>
         <argLine>
             --add-opens=java.base/java.util=ALL-UNNAMED
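Review bot: `spring-security.version` on the line right after the bump stays at 6.3.4 while Spring Boot moves to 3.3.7. If this property drives the resolved Spring Security artifacts, they stay on the older patch level and miss any Spring Security fixes that ship with this Boot release. Check the resolved versions with `mvn dependency:tree`, then either raise the property to the version the Boot 3.3.7 BOM manages or drop the pin so the BOM decides. The `<properties>` block starts and ends outside this hunk, so other overrides may exist that are not visible here.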
diff --git a/provider/register-aws/pom.xml b/provider/register-aws/pom.xml
index 24748326f..cc24a1faf 100644
--- a/provider/register-aws/pom.xml
+++ b/provider/register-aws/pom.xml
@@ -30,7 +30,7 @@
     <properties>
         <jackson-databind.version>2.16.1</jackson-databind.version>
         <jackson.version>2.16.1</jackson.version>
-        <springframework.version>6.1.13</springframework.version>
+        <springframework.version>6.1.16</springframework.version>
     </properties>
 
     <dependencyManagement>
@@ -107,7 +107,7 @@
         <dependency>
             <groupId>org.apache.tomcat.embed</groupId>
             <artifactId>tomcat-embed-core</artifactId>
-            <version>10.1.25</version>
+            <version>10.1.34</version>
         </dependency>
 
       <dependency>
diff --git a/register-core/pom.xml b/register-core/pom.xml
index 2b168a9df..c6fa7f3ea 100644
--- a/register-core/pom.xml
+++ b/register-core/pom.xml
@@ -31,6 +31,7 @@
     <properties>
         <jackson-databind.version>2.16.1</jackson-databind.version>
         <jackson.version>2.16.1</jackson.version>
+        <tomcat-embed-core.version>10.1.34</tomcat-embed-core.version>
     </properties>
 
      <dependencyManagement>
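Review bot: The new `tomcat-embed-core.version` property pins Tomcat to 10.1.34 for this module only, while provider/register-aws/pom.xml hard-codes the same literal in its `<version>` element, so the two can drift on the next security bump. Defining the property once in the root pom.xml and using `<version>${tomcat-embed-core.version}</version>` in both modules would leave a single place to update. An explicit pin also means later Spring Boot upgrades will not move Tomcat forward on their own, so a comment such as `<!-- pinned for security fixes; drop once the Boot BOM manages >= 10.1.34 -->` next to the property would help. Whether the dependency in the following hunk sits under `<dependencyManagement>` or `<dependencies>` is not visible from here.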
@@ -46,6 +47,7 @@
         <dependency>
             <groupId>org.apache.tomcat.embed</groupId>
             <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat-embed-core.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-- 
GitLab


From e58818fc13aee6aa7d9fdd6abb1e74fa963019fa Mon Sep 17 00:00:00 2001
From: Derek Zhang <derekxz@amazon.com>
Date: Mon, 13 Jan 2025 09:26:59 -0800
Subject: [PATCH 2/2] Updating NOTICE

---
 NOTICE | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/NOTICE b/NOTICE
index 17432af12..82848bbc7 100644
--- a/NOTICE
+++ b/NOTICE
@@ -119,7 +119,7 @@ The following software have components provided under the terms of this license:
 - Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
 - Jakarta Dependency Injection (from https://github.com/eclipse-ee4j/injection-api)
 - Jakarta Expression Language API (from https://projects.eclipse.org/projects/ee4j.el)
-- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
+- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://maven.atlassian.com/3rdparty/jakarta/ws/rs/jakarta.ws.rs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
 - Jakarta Servlet (from https://projects.eclipse.org/projects/ee4j.servlet)
 - Jakarta Validation API (from https://beanvalidation.org)
 - Java Architecture for XML Binding (from http://jaxb.java.net/, https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api)
@@ -327,7 +327,7 @@ The following software have components provided under the terms of this license:
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Expression Language API (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Messaging API (from https://projects.eclipse.org/projects/ee4j.jms)
-- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
+- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://maven.atlassian.com/3rdparty/jakarta/ws/rs/jakarta.ws.rs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Kryo (from https://repo1.maven.org/maven2/com/esotericsoftware/kryo)
 - Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
@@ -440,7 +440,7 @@ The following software have components provided under the terms of this license:
 - Jakarta Dependency Injection (from https://github.com/eclipse-ee4j/injection-api)
 - Jakarta Expression Language API (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Messaging API (from https://projects.eclipse.org/projects/ee4j.jms)
-- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
+- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://maven.atlassian.com/3rdparty/jakarta/ws/rs/jakarta.ws.rs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
 - Jakarta Servlet (from https://projects.eclipse.org/projects/ee4j.servlet)
 - Jakarta Validation API (from https://beanvalidation.org)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
@@ -469,7 +469,7 @@ The following software have components provided under the terms of this license:
 - Jakarta Dependency Injection (from https://github.com/eclipse-ee4j/injection-api)
 - Jakarta Expression Language API (from https://projects.eclipse.org/projects/ee4j.el)
 - Jakarta Messaging API (from https://projects.eclipse.org/projects/ee4j.jms)
-- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
+- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://maven.atlassian.com/3rdparty/jakarta/ws/rs/jakarta.ws.rs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
 - Jakarta Servlet (from https://projects.eclipse.org/projects/ee4j.servlet)
 - Jakarta Validation API (from https://beanvalidation.org)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
@@ -615,7 +615,7 @@ efsl-1.0
 ========================================================================
 The following software have components provided under the terms of this license:
 
-- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
+- Jakarta RESTful WS API (from https://github.com/eclipse-ee4j/jaxrs-api, https://maven.atlassian.com/3rdparty/jakarta/ws/rs/jakarta.ws.rs-api, https://repo1.maven.org/maven2/jakarta/ws/rs/jakarta.ws.rs-api)
 
 ========================================================================
 gpl-2.0-classpath
-- 
GitLab