POM Organization & Dependency bumps
Merge Request: Parent POM Reorganization and Updates
Summary
Structural improvements to the parent POM organization and a security update for the Azure provider.
Parent Properties
| Package | Original | Update |
|---|---|---|
| spring-boot | 3.3.7 | 3.3.7 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-security | 6.3.4 | 6.3.6 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| json-smart | 2.5.0 | 2.5.1 |
| os-core-common | 0.26.0-rc2 | 0.26.0-rc2 |
| openapi | 2.5.0 | 2.5.0 |
| spring-boot-maven-plugin | 3.2.2 | 3.2.2 |
| git-commit-id-plugin | 8.0.2 | 8.0.2 |
Azure Provider Properties
| Package | Original | Update |
|---|---|---|
| core-lib-azure | 2.0.2 | 2.0.3 |
| jakarta.json | 2.1.3 | 2.1.3 |
| jakarta.json.glassfish | 2.0.1 | 2.0.1 |
| parsson | 1.1.7 | 1.1.7 |
| cucumber | 7.20.1 | 7.20.1 |
| surefire-plugin | 3.2.2 | 3.2.2 |
| jacoco-plugin | 0.8.12 | 0.8.12 |
Security Updates
org.opengroup.osdu:core-lib-azure
- Vulnerability: CVE-2024-50379
- Severity: High
- Issue: Remote Code Execution due to a time-of-check/time-of-use (TOCTOU) issue in JSP compilation in Tomcat
- Resolution: Upgraded from 2.0.2 to 2.0.3, which includes a Tomcat upgrade from 10.1.33 to 10.1.34
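Because the Tomcat fix arrives transitively through core-lib-azure, it is worth confirming that no child module still resolves an older Tomcat. The following is an added example (not part of this merge request or the project) that scans `mvn dependency:tree` output for artifacts below the versions named above; the tree listing embedded in it is constructed, and the `com.example` module name is a placeholder.

```python
"""Flag dependencies in `mvn dependency:tree` output that sit below the versions
this merge request depends on: core-lib-azure 2.0.3 and the embedded Tomcat
10.1.34 it brings in (fix for CVE-2024-50379).  Added example, not project code."""
import re
from typing import List, Optional, Tuple

# Minimum versions; a key is either "groupId" (applies to every artifact in the
# group) or "groupId:artifactId".  The Tomcat floor is the 10.1.34 named in the MR.
MIN_VERSIONS = {
    "org.opengroup.osdu:core-lib-azure": "2.0.3",
    "org.apache.tomcat.embed": "10.1.34",  # tomcat-embed-core, -websocket, -el, ...
}

# A coordinate as printed by dependency:tree:
#   groupId:artifactId:type[:classifier]:version:scope  (5 or 6 fields)
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")


def version_key(version: str) -> Tuple[int, ...]:
    """Compare on numeric segments only; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def required_version(group: str, artifact: str) -> Optional[str]:
    return MIN_VERSIONS.get(f"{group}:{artifact}") or MIN_VERSIONS.get(group)


def find_outdated(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, found, required) for every line below its floor."""
    outdated = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # root module line (4 fields) or other [INFO] chatter
        parts = match.group(0).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]
        required = required_version(group, artifact)
        if required and version_key(version) < version_key(required):
            outdated.append((f"{group}:{artifact}", version, required))
    return outdated


# Constructed sample of `mvn dependency:tree` output for a module that still
# resolves core-lib-azure 2.0.2 and therefore Tomcat 10.1.33.
SAMPLE_TREE = r"""
[INFO] com.example:sample-service:jar:1.0.0-SNAPSHOT
[INFO] +- org.opengroup.osdu:core-lib-azure:jar:2.0.2:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.33:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.33:compile
[INFO] \- net.minidev:json-smart:jar:2.5.1:compile
"""

if __name__ == "__main__":
    for gav, found, required in find_outdated(SAMPLE_TREE):
        print(f"{gav}: found {found}, need >= {required}")
```

Pipe a real `mvn dependency:tree` run into `find_outdated` instead of `SAMPLE_TREE` to check a module; an empty result means every matched artifact meets the floor.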
Structural Changes
- Parent POM Improvements
  - Reorganized properties into logical groups:
    - OSDU Versions
    - Spring Versions
    - Project Versions
    - Plugin Versions
  - Added detailed documentation for BOM hierarchy
  - Added explicit section markers for better organization
  - Changed os-core-common-spring6 dependency scope to 'provided'
- Azure Provider Organization
  - Maintained clear grouping of dependencies:
    - OSDU Dependencies
    - Spring Dependencies
    - Azure Dependencies
    - Project Dependencies
    - Test Dependencies
- Build Configuration
  - Consistent plugin versioning
  - Maintained JaCoCo configuration
  - Spring Boot Maven plugin settings unchanged
Additional Notes
- Parent POM modifications focus on improved organization and maintainability
- Azure provider update addresses critical security vulnerability
- All Spring Boot dependencies remain managed by parent POM
- Azure dependencies continue to be managed by core-lib-azure
- No changes to test configurations or logging exclusions
Edited by Daniel Scholl (MS)