
POM Organization & Dependency bumps

Daniel Scholl (MS) requested to merge dependencies into master

Merge Request: Parent POM Reorganization and Updates

Summary

Structural improvements to parent POM organization and security updates for Azure provider.

Parent Properties

Package                    Original      Update
spring-boot                3.3.7         3.3.7
spring-framework           6.1.16        6.1.16
spring-security            6.3.4         6.3.6
java                       17            17
maven.compiler             17            17
json-smart                 2.5.0         2.5.1
os-core-common             0.26.0-rc2    0.26.0-rc2
openapi                    2.5.0         2.5.0
spring-boot-maven-plugin   3.2.2         3.2.2
git-commit-id-plugin       8.0.2         8.0.2

Azure Provider Properties

Package                    Original      Update
core-lib-azure             2.0.2         2.0.3
jakarta.json               2.1.3         2.1.3
jakarta.json.glassfish     2.0.1         2.0.1
parsson                    1.1.7         1.1.7
cucumber                   7.20.1        7.20.1
surefire-plugin            3.2.2         3.2.2
jacoco-plugin              0.8.12        0.8.12

Security Updates

  1. org.opengroup.osdu:core-lib-azure
  • Vulnerability: CVE-2024-50379
  • Severity: High
  • Issue: Remote Code Execution due to a TOCTOU issue in JSP compilation in Tomcat
  • Resolution: Upgraded from 2.0.2 to 2.0.3, which includes a Tomcat upgrade from 10.1.33 to 10.1.34
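
Because the Tomcat fix arrives transitively through core-lib-azure rather than as a direct dependency of this project, it is worth confirming that the resolved tree really carries the patched version. The following is an added example, not code from this merge request: it parses `mvn dependency:tree` output and reports any resolved tomcat-embed-core older than 10.1.34. The tree lines are constructed, the project coordinates are placeholders, and the assumed dependency path (core-lib-azure -> spring-boot-starter-tomcat -> tomcat-embed-core) and the artifact coordinates `org.apache.tomcat.embed:tomcat-embed-core` are assumptions rather than facts stated in the MR.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the MR).
# Before the bump, core-lib-azure 2.0.2 is assumed to pull in Tomcat 10.1.33;
# after it, core-lib-azure 2.0.3 pulls in 10.1.34. Project coordinates are placeholders.
TREE_BEFORE = """\
[INFO] org.example:example-service:jar:1.0.0
[INFO] +- org.opengroup.osdu:core-lib-azure:jar:2.0.2:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-tomcat:jar:3.3.7:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.33:compile
[INFO] |     \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.33:compile
[INFO] \\- org.springframework:spring-web:jar:6.1.16:compile
"""
TREE_AFTER = TREE_BEFORE.replace("2.0.2", "2.0.3").replace("10.1.33", "10.1.34")

# Matches the coordinate part of a tree line after the "[INFO]" and tree-drawing prefix.
_LINE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\S+:\S+)$")

def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every artifact line in the tree."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]; the root line has no scope.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        found.append((parts[0], parts[1], version))
    return found

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key so that 10.1.34 > 10.1.9 (a plain string compare gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def unpatched_versions(text: str, group: str, artifact: str, minimum: str) -> List[str]:
    """Every resolved version of group:artifact that is older than the patched minimum."""
    return sorted({v for g, a, v in parse_tree(text)
                   if g == group and a == artifact and version_key(v) < version_key(minimum)})

if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        bad = unpatched_versions(tree, "org.apache.tomcat.embed", "tomcat-embed-core", "10.1.34")
        print(f"{label}: {'OK' if not bad else 'unpatched tomcat-embed-core ' + ', '.join(bad)}")
```

Against a real build, pipe `mvn dependency:tree` into this instead of the constructed samples; a non-empty result means a dependency elsewhere in the tree still pins the old Tomcat despite the core-lib-azure bump.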

Structural Changes

  1. Parent POM Improvements
  • Reorganized properties into logical groups:
    • OSDU Versions
    • Spring Versions
    • Project Versions
    • Plugin Versions
  • Added detailed documentation for BOM hierarchy
  • Added explicit section markers for better organization
  • Changed os-core-common-spring6 dependency scope to 'provided'
  2. Azure Provider Organization
  • Maintained clear grouping of dependencies:
    • OSDU Dependencies
    • Spring Dependencies
    • Azure Dependencies
    • Project Dependencies
    • Test Dependencies
  3. Build Configuration
  • Consistent plugin versioning
  • Maintained JaCoCo configuration
  • Spring Boot Maven plugin settings unchanged

Additional Notes

  • Parent POM modifications focus on improved organization and maintainability
  • Azure provider update addresses critical security vulnerability
  • All Spring Boot dependencies remain managed by parent POM
  • Azure dependencies continue to be managed by core-lib-azure
  • No changes to test configurations or logging exclusions