POM Organization & Dependency bumps
Merge Request: Parent POM Reorganization and Updates
Summary
Version updates and security patches for Storage Service parent POM and Azure provider.
Parent Properties
Package | Original | Update |
---|---|---|
spring-boot | 3.3.7 | 3.3.7 |
spring-framework | 6.1.16 | 6.1.16 |
spring-security | 6.3.4 | 6.3.6 |
java | 17 | 17 |
maven.compiler | 17 | 17 |
json-smart | 2.5.0 | 2.5.1 |
os-core-common | 3.3.1 | 3.3.1 |
openapi | 2.3.0 | 2.3.0 |
spring-boot-maven-plugin | 3.0.0 | 3.2.2 |
netty | 4.1.115.Final | 4.1.115.Final |
commons-codec | 1.14 | 1.14 |
Azure Provider Properties
Package | Original | Update |
---|---|---|
core-lib-azure | 2.0.2 | 2.0.3 |
azure-storage-blob | 12.29.0 | 12.29.0 |
nimbus-jose-jwt | 9.47 | 9.47 |
surefire-plugin | 3.2.2 | 3.2.2 |
jacoco-plugin | 0.8.12 | 0.8.12 |
Security Updates
- org.springframework.security:spring-security-bom
  - Vulnerability: CVE-2024-3839
  - Severity: High
  - Issue: Authorization bypass vulnerability in Spring Security
  - Resolution: Upgraded from 6.3.4 to 6.3.6
- net.minidev:json-smart
  - Vulnerability: CVE-2024-1723
  - Severity: High
  - Issue: ReDoS vulnerability in JSON parsing
  - Resolution: Upgraded from 2.5.0 to 2.5.1
- org.opengroup.osdu:core-lib-azure
  - Vulnerability: CVE-2024-50379
  - Severity: High
  - Issue: Remote code execution via a TOCTOU race in Tomcat's JSP compilation; exploitable only when the default servlet is write-enabled (readonly=false) on a case-insensitive file system
  - Resolution: Upgraded from 2.0.2 to 2.0.3, which brings in the Tomcat upgrade from 10.1.33 to 10.1.34. The Tomcat version is transitive, so confirm it in the resolved dependency tree rather than in this POM.
Structural Changes
- Parent POM Improvements
  - Reorganized properties into logical groups:
    - OSDU Versions
    - Spring Versions
    - Project Versions
    - Plugin Versions
  - Improved dependency version management
  - Added clear BOM hierarchy documentation
- Azure Provider Changes
  - Maintained existing dependency structure
  - Kept security overrides for nimbus-jose-jwt
  - Preserved logging exclusions
  - No changes to JVM arguments configuration
- Build Configuration
  - Updated Spring Boot Maven Plugin from 3.0.0 to 3.2.2
  - Maintained existing plugin configurations:
    - Surefire with JVM argument settings
    - JaCoCo with coverage exclusions
    - Spring Boot with repackage configuration
Additional Notes
- All core functionality maintained
- No changes to test configurations
- Azure dependency versions managed by core-lib-azure
- Logging exclusions remain unchanged
- JaCoCo exclusion patterns preserved
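As an added example (not part of this merge request or the Storage Service code base), the following Python script builds a constructed parent POM fragment laid out in the property groups described above, resolves the `${...}` property references under `dependencyManagement`, and flags any managed version still below the fixed versions listed under Security Updates. The artifactId `storage-parent` and the placement of core-lib-azure under `dependencyManagement` are assumptions; the groupId:artifactId coordinates and version numbers are the ones named on this page.

```python
"""Added example (not code from the merge request): resolve ${...} references in a
parent POM and flag managed versions still below the fixes listed above."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed POM mirroring the MR's property groups; the artifactId and the
# placement of core-lib-azure in dependencyManagement are assumptions.
AFTER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>storage-parent</artifactId>
  <properties>
    <!-- OSDU Versions -->
    <core-lib-azure.version>2.0.3</core-lib-azure.version>
    <!-- Spring Versions -->
    <spring-security.version>6.3.6</spring-security.version>
    <!-- Project Versions -->
    <json-smart.version>2.5.1</json-smart.version>
    <!-- Plugin Versions -->
    <spring-boot-maven-plugin.version>3.2.2</spring-boot-maven-plugin.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
        <version>${spring-security.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${json-smart.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opengroup.osdu</groupId>
        <artifactId>core-lib-azure</artifactId>
        <version>${core-lib-azure.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""
# Same POM with the "Original" column's versions, i.e. the pre-merge state.
BEFORE_POM = AFTER_POM.replace("2.0.3", "2.0.2").replace("6.3.6", "6.3.4").replace("2.5.1", "2.5.0")

# Minimum fixed versions, taken from the Security Updates section.
MINIMUM_VERSIONS = {
    "org.springframework.security:spring-security-bom": "6.3.6",
    "net.minidev:json-smart": "2.5.1",
    "org.opengroup.osdu:core-lib-azure": "2.0.3",
}
PRE_RELEASE = {"snapshot": -5, "alpha": -4, "beta": -3, "milestone": -2, "rc": -1, "cr": -1}

def version_key(version):
    """Approximates Maven's ComparableVersion: numeric segments compare numerically,
    Final/GA equal a plain release, pre-release qualifiers sort below it."""
    key = []
    for tok in re.split(r"[.\-]", version.strip().lower()):
        m = re.fullmatch(r"([a-z]+)(\d*)", tok)
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok in ("", "final", "ga", "release"):
            key.append((1, 0))
        elif m and m.group(1) in PRE_RELEASE:
            key.append((0, PRE_RELEASE[m.group(1)]))
            key.extend([(1, int(m.group(2)))] if m.group(2) else [])
        else:
            key.append((2, tok))          # unknown qualifier sorts after a release
    return key

def compare_versions(a, b):
    """-1, 0 or 1; missing trailing segments count as .0, so '2.5' == '2.5.0'."""
    ka, kb = version_key(a), version_key(b)
    pad = max(len(ka), len(kb))
    ka, kb = ka + [(1, 0)] * (pad - len(ka)), kb + [(1, 0)] * (pad - len(kb))
    return (ka > kb) - (ka < kb)

def managed_versions(pom_xml):
    """groupId:artifactId -> resolved version for each dependencyManagement entry."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.find("m:properties", NS)}
    expand = lambda v: re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        coords = dep.findtext("m:groupId", namespaces=NS) + ":" + dep.findtext("m:artifactId", namespaces=NS)
        managed[coords] = expand(dep.findtext("m:version", namespaces=NS))
    return managed

def check_minimums(pom_xml, minimums=MINIMUM_VERSIONS):
    """{coords: (resolved, minimum)} for managed artifacts still below their fixed version."""
    managed = managed_versions(pom_xml)
    return {c: (managed[c], floor) for c, floor in minimums.items()
            if c in managed and compare_versions(managed[c], floor) < 0}

if __name__ == "__main__":
    for label, pom in (("before", BEFORE_POM), ("after", AFTER_POM)):
        print(label, check_minimums(pom) or "all managed versions at or above their fixed version")
```

The check only sees versions this POM manages directly. The Tomcat bump arrives transitively through core-lib-azure, so confirm it against the resolved tree with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` before merging, and expect 10.1.34 there.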
Edited by Daniel Scholl (MS)