POM Organization & Dependency bumps

Daniel Scholl (MS] requested to merge dependencies into master

Merge Request: Parent POM Reorganization and Updates

Summary

Version updates and security patches for Storage Service parent POM and Azure provider.

Parent Properties

| Package | Original | Update |
| --- | --- | --- |
| spring-boot | 3.3.7 | 3.3.7 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-security | 6.3.4 | 6.3.6 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| json-smart | 2.5.0 | 2.5.1 |
| os-core-common | 3.3.1 | 3.3.1 |
| openapi | 2.3.0 | 2.3.0 |
| spring-boot-maven-plugin | 3.0.0 | 3.2.2 |
| netty | 4.1.115.Final | 4.1.115.Final |
| commons-codec | 1.14 | 1.14 |

Azure Provider Properties

| Package | Original | Update |
| --- | --- | --- |
| core-lib-azure | 2.0.2 | 2.0.3 |
| azure-storage-blob | 12.29.0 | 12.29.0 |
| nimbus-jose-jwt | 9.47 | 9.47 |
| surefire-plugin | 3.2.2 | 3.2.2 |
| jacoco-plugin | 0.8.12 | 0.8.12 |

Security Updates

  1. org.springframework.security:spring-security-bom
    • Vulnerability: CVE-2024-3839
    • Severity: High
    • Issue: Authorization bypass vulnerability in Spring Security
    • Resolution: Upgraded to 6.3.6
  2. net.minidev:json-smart
    • Vulnerability: CVE-2024-1723
    • Severity: High
    • Issue: ReDoS vulnerability in JSON parsing
    • Resolution: Upgraded to 2.5.1
  3. org.opengroup.osdu:core-lib-azure
    • Vulnerability: CVE-2024-50379
    • Severity: High
    • Issue: Remote Code Execution due to TOCTOU issue in JSP compilation in Tomcat
    • Resolution: Upgraded from 2.0.2 to 2.0.3, which includes a Tomcat upgrade from 10.1.33 to 10.1.34

Structural Changes

  1. Parent POM Improvements
    • Reorganized properties into logical groups:
      • OSDU Versions
      • Spring Versions
      • Project Versions
      • Plugin Versions
    • Improved dependency version management
    • Added clear BOM hierarchy documentation
  2. Azure Provider Changes
    • Maintained existing dependency structure
    • Kept security overrides for nimbus-jose-jwt
    • Preserved logging exclusions
    • No changes to JVM arguments configuration
  3. Build Configuration
    • Updated Spring Boot Maven Plugin to 3.2.2
    • Maintained existing plugin configurations:
      • Surefire with JVM argument settings
      • JaCoCo with coverage exclusions
      • Spring Boot with repackage configuration
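As an added example (not code from this merge request or the OSDU project), the script below shows the two things this MR describes together: a `<properties>` block laid out in the four groups named under Structural Changes, and a check that the three properties touched by the Security Updates section sit at or above the fixed versions listed there. The property names (`spring-security.version`, `json-smart.version`, `core-lib-azure.version`, and so on) and the sample POM are constructed assumptions, not the project's real `pom.xml`; the version floors are the ones stated in this MR.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a reorganized <properties> block (assumption: property
# names are illustrative, not the project's actual pom.xml). Groups follow the
# MR description: OSDU, Spring, Project, Plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>storage-parent-sample</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <!-- OSDU Versions -->
    <os-core-common.version>3.3.1</os-core-common.version>
    <core-lib-azure.version>2.0.3</core-lib-azure.version>
    <!-- Spring Versions -->
    <spring-boot.version>3.3.7</spring-boot.version>
    <spring-framework.version>6.1.16</spring-framework.version>
    <spring-security.version>6.3.6</spring-security.version>
    <!-- Project Versions -->
    <java.version>17</java.version>
    <json-smart.version>2.5.1</json-smart.version>
    <netty.version>4.1.115.Final</netty.version>
    <!-- Plugin Versions -->
    <spring-boot-maven-plugin.version>3.2.2</spring-boot-maven-plugin.version>
  </properties>
</project>
"""

# Minimum acceptable versions, taken from the MR's Security Updates section.
MIN_VERSIONS = {
    "spring-security.version": "6.3.6",  # CVE-2024-3839 resolution
    "json-smart.version": "2.5.1",       # CVE-2024-1723 resolution
    "core-lib-azure.version": "2.0.3",   # brings Tomcat 10.1.34 (CVE-2024-50379)
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Split '4.1.115.Final' into ((4, 1, 115), ('final',)).

    Leading numeric components compare as integers; any trailing qualifier
    is kept as lower-case text so that tuple comparison stays total.
    """
    nums, tail = [], []
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not tail:
            nums.append(int(part))
        else:
            tail.append(part.lower())
    return tuple(nums), tuple(tail)


def read_properties(pom_xml):
    """Return the <properties> children of a POM as a {name: value} dict."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    if props is None:
        return {}
    # Tags come back as '{namespace}name'; keep only the local name.
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in props}


def check_floors(pom_xml, floors=MIN_VERSIONS):
    """List (property, found, required) for every floor that is missing or not met."""
    props = read_properties(pom_xml)
    findings = []
    for name, required in floors.items():
        found = props.get(name)
        if found is None or version_key(found) < version_key(required):
            findings.append((name, found, required))
    return findings


if __name__ == "__main__":
    for name, found, required in check_floors(SAMPLE_POM) or []:
        print(f"{name}: found {found}, requires >= {required}")
    print("done")
```

Running it against the sample prints only `done`; swapping `spring-security.version` back to the pre-MR `6.3.4` yields one finding, which is the kind of regression a CI step on the parent POM can refuse to merge.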

Additional Notes

  • All core functionality maintained
  • No changes to test configurations
  • Azure dependency versions managed by core-lib-azure
  • Logging exclusions remain unchanged
  • JaCoCo exclusion patterns preserved