[MS-43510] remediate tomcat vulnerability

4a874fa5 · VidyaDharani Lokam · 63a47284 · 4a874fa5 · 4a874fa5 · 4a874fa5
Commit 4a874fa5 authored 9 months ago by VidyaDharani Lokam
--- a/NOTICE
+++ b/NOTICE
@@ -71,8 +71,8 @@ The following software have components provided under the terms of this license:
 - Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
 - Byte Buddy Java agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
- Cloud Key Management Service (KMS) API v1-rev20240613-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms)
- Cloud Storage JSON API v1-rev20240621-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-storage)
+- Cloud Key Management Service (KMS) API (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms)
+- Cloud Storage JSON API (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-storage)
 - Collections (from https://repo1.maven.org/maven2/commons-collections/commons-collections)
 - Commons Digester (from http://commons.apache.org/digester/)
 - Converter: Jackson (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/converter-jackson)
@@ -271,6 +271,7 @@ The following software have components provided under the terms of this license:
 - io.grpc:grpc-stub (from https://github.com/grpc/grpc-java)
 - io.grpc:grpc-util (from https://github.com/grpc/grpc-java)
 - io.grpc:grpc-xds (from https://github.com/grpc/grpc-java)
+- ion-java (from https://github.com/amzn/ion-java/, https://github.com/amznlabs/ion-java/)
 - jackson-coreutils (from https://github.com/java-json-tools/jackson-coreutils)
 - jackson-databind (from http://github.com/FasterXML/jackson, http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson)
 - java-cloudant (from https://cloudant.com)
@@ -281,7 +282,7 @@ The following software have components provided under the terms of this license:
 - jersey-core-common (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-common)
 - jersey-repackaged-guava (from https://repo1.maven.org/maven2/org/glassfish/jersey/bundles/repackaged/jersey-guava)
 - jose4j (from https://bitbucket.org/b_c/jose4j/)
- json-patch (from https://github.com/java-json-tools/json-patch)
+- json-patch (from https://github.com/fge/json-patch, https://github.com/java-json-tools/json-patch)
 - json-path (from http://code.google.com/p/json-path/, https://github.com/jayway/JsonPath)
 - lettuce (from http://github.com/mp911de/lettuce/wiki, https://github.com/lettuce-io/lettuce-core/wiki)
 - micrometer-commons (from https://github.com/micrometer-metrics/micrometer)
@@ -305,7 +306,6 @@ The following software have components provided under the terms of this license:
 - proto-google-iam-v1 (from https://github.com/googleapis/googleapis, https://github.com/googleapis/java-iam/proto-google-iam-v1, https://github.com/googleapis/sdk-platform-java)
 - resilience4j (from https://github.com/resilience4j/resilience4j, https://resilience4j.readme.io, ttps://resilience4j.readme.io)
 - snappy-java (from https://github.com/xerial/snappy-java)
- software.amazon.ion:ion-java (from https://github.com/amzn/ion-java/)
 - spring-security-oauth2-client (from http://spring.io/spring-security, https://spring.io/projects/spring-security, https://spring.io/spring-security)
 - spring-security-oauth2-core (from http://spring.io/spring-security, https://spring.io/projects/spring-security, https://spring.io/spring-security)
 - spring-security-oauth2-jose (from http://spring.io/spring-security, https://spring.io/projects/spring-security, https://spring.io/spring-security)
@@ -580,6 +580,7 @@ The following software have components provided under the terms of this license:
 - JGraphT - Core (from https://repo1.maven.org/maven2/org/jgrapht/jgrapht-core)
 - Java Native Access (from https://github.com/java-native-access/jna, https://github.com/twall/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
+- Javassist (from http://www.javassist.org/, https://www.javassist.org/)
 - Logback Classic Module (from http://logback.qos.ch, https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
 - Logback Contrib :: JSON :: Classic (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-classic)
 - Logback Contrib :: JSON :: Core (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-core)
@@ -605,7 +606,7 @@ The following software have components provided under the terms of this license:

 - btf (from https://github.com/java-json-tools/btf)
 - jackson-coreutils (from https://github.com/java-json-tools/jackson-coreutils)
- json-patch (from https://github.com/java-json-tools/json-patch)
+- json-patch (from https://github.com/fge/json-patch, https://github.com/java-json-tools/json-patch)
 - msg-simple (from https://github.com/java-json-tools/msg-simple)

 ========================================================================
@@ -675,13 +676,6 @@ The following software have components provided under the terms of this license:
 - msal4j (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
 - msal4j-persistence-extension (from https://github.com/AzureAD/microsoft-authentication-extensions-for-java, https://github.com/AzureAD/microsoft-authentication-library-for-java)

-========================================================================
-MPL-1.1
-========================================================================
-The following software have components provided under the terms of this license:
-
- Javassist (from http://www.javassist.org/, https://www.javassist.org/)
-
 ========================================================================
 MPL-2.0
 ========================================================================
@@ -750,5 +744,5 @@ The following software have components provided under the terms of this license:

 - btf (from https://github.com/java-json-tools/btf)
 - jackson-coreutils (from https://github.com/java-json-tools/jackson-coreutils)
- json-patch (from https://github.com/java-json-tools/json-patch)
+- json-patch (from https://github.com/fge/json-patch, https://github.com/java-json-tools/json-patch)
 - msg-simple (from https://github.com/java-json-tools/msg-simple)
--- a/pom.xml
+++ b/pom.xml
@@ -37,9 +37,9 @@
        <woodstox-core.version>6.5.1</woodstox-core.version>
        <json-smart.version>2.5.0</json-smart.version>
        <jackson.version>2.16.1</jackson.version>
-        <spring-framework-version>6.1.5</spring-framework-version>
-        <spring-boot.version>3.2.5</spring-boot.version>
-        <spring-security.version>6.2.3</spring-security.version>
+        <spring-framework-version>6.1.10</spring-framework-version>
+        <spring-boot.version>3.3.1</spring-boot.version>
+        <spring-security.version>6.3.1</spring-security.version>
    </properties>

    <licenses>

--- a/provider/storage-azure/pom.xml
+++ b/provider/storage-azure/pom.xml
@@ -32,14 +32,13 @@
        <java.version>17</java.version>
        <maven.compiler.target>17</maven.compiler.target>
        <maven.compiler.source>17</maven.compiler.source>
-        <core-lib-azure-spring6.version>0.26.0</core-lib-azure-spring6.version>
+        <core-lib-azure-spring6.version>0.27.0-rc3</core-lib-azure-spring6.version>
        <osdu.storage-core.version>0.27.0-SNAPSHOT</osdu.storage-core.version>
        <junit.version>4.12</junit.version>
        <mockito.version>1.10.19</mockito.version>
        <nimbus-jose-jwt-azure.version>9.30.2</nimbus-jose-jwt-azure.version>
        <azure-storage-blob.version>12.25.2</azure-storage-blob.version>
        <azure-spring-data-cosmos.version>5.9.1</azure-spring-data-cosmos.version>
-        <netty.version>4.1.109.Final</netty.version>
        <woodstox-core.version>6.4.0</woodstox-core.version>
        <argLine>
            --add-opens=java.base/java.util=ALL-UNNAMED
@@ -54,15 +53,6 @@

    <dependencyManagement>
        <dependencies>
-            <!-- netty-bom dependency to be declared before spring-boot-dependencies,
-           to pull all netty-transitive dependencies with same version -->
-            <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
@@ -96,7 +86,7 @@
        <dependency>
            <groupId>com.azure.spring</groupId>
            <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
-            <version>5.10.0</version>
+            <version>5.13.0</version>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>