POM Organization & Dependency bumps
Merge Request: Parent POM Reorganization and Updates
Summary
Version updates and security patches for the Storage Service parent POM and the Azure provider.
Parent Properties
| Package | Original | Update |
|---|---|---|
| spring-boot | 3.3.7 | 3.3.7 |
| spring-framework | 6.1.16 | 6.1.16 |
| spring-security | 6.3.4 | 6.3.6 |
| java | 17 | 17 |
| maven.compiler | 17 | 17 |
| json-smart | 2.5.0 | 2.5.1 |
| os-core-common | 3.3.1 | 3.3.1 |
| openapi | 2.3.0 | 2.3.0 |
| spring-boot-maven-plugin | 3.0.0 | 3.2.2 |
| netty | 4.1.115.Final | 4.1.115.Final |
| commons-codec | 1.14 | 1.14 |
Azure Provider Properties
| Package | Original | Update |
|---|---|---|
| core-lib-azure | 2.0.2 | 2.0.3 |
| azure-storage-blob | 12.29.0 | 12.29.0 |
| nimbus-jose-jwt | 9.47 | 9.47 |
| surefire-plugin | 3.2.2 | 3.2.2 |
| jacoco-plugin | 0.8.12 | 0.8.12 |
Security Updates
- org.springframework.security:spring-security-bom
  - Vulnerability: CVE-2024-3839
  - Severity: High
  - Issue: Authorization bypass vulnerability in Spring Security
  - Resolution: Upgraded from 6.3.4 to 6.3.6
- net.minidev:json-smart
  - Vulnerability: CVE-2024-1723
  - Severity: High
  - Issue: ReDoS vulnerability in JSON parsing
  - Resolution: Upgraded from 2.5.0 to 2.5.1
- org.opengroup.osdu:core-lib-azure
  - Vulnerability: CVE-2024-50379
  - Severity: High
  - Issue: Remote Code Execution due to a TOCTOU race in JSP compilation in Tomcat (reachable only where the default servlet is configured with write access, i.e. `readonly=false`, on a case-insensitive filesystem)
  - Resolution: Upgraded from 2.0.2 to 2.0.3, which includes the Tomcat upgrade from 10.1.33 to 10.1.34
Structural Changes
- Parent POM Improvements
  - Reorganized properties into logical groups:
    - OSDU Versions
    - Spring Versions
    - Project Versions
    - Plugin Versions
  - Improved dependency version management
  - Added clear BOM hierarchy documentation
- Azure Provider Changes
  - Maintained existing dependency structure
  - Kept security overrides for nimbus-jose-jwt
  - Preserved logging exclusions
  - No changes to JVM arguments configuration
- Build Configuration
  - Updated Spring Boot Maven Plugin from 3.0.0 to 3.2.2
  - Maintained existing plugin configurations:
    - Surefire with JVM argument settings
    - JaCoCo with coverage exclusions
    - Spring Boot with repackage configuration
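The Security Updates list above gives the versions that carry the fixes, and the Structural Changes list describes the grouped properties and dependencyManagement pins that hold them in place. The script below is an added example, not code from this repository: it parses a constructed parent POM laid out in the grouped style the MR describes, expands `${...}` property references, and checks every managed artifact against the minimum version recorded in this MR. The `REQUIRED` table, the function names and the sample POM coordinates are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum acceptable versions after this MR (assumed table, built from the
# Security Updates list above).
REQUIRED = {
    "org.springframework.security:spring-security-bom": "6.3.6",
    "net.minidev:json-smart": "2.5.1",
    "org.opengroup.osdu:core-lib-azure": "2.0.3",
}

# Constructed sample parent POM (not the repository's real file): one
# property per group, a BOM import, and explicit pins for the patched
# artifacts so a transitive older version cannot win.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.opengroup.osdu</groupId>
  <artifactId>storage-parent-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>pom</packaging>
  <properties>
    <!-- OSDU Versions -->
    <core-lib-azure.version>2.0.3</core-lib-azure.version>
    <!-- Spring Versions -->
    <spring-security.version>6.3.6</spring-security.version>
    <!-- Project Versions -->
    <json-smart.version>2.5.1</json-smart.version>
    <!-- Plugin Versions -->
    <spring-boot-maven-plugin.version>3.2.2</spring-boot-maven-plugin.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
        <version>${spring-security.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${json-smart.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opengroup.osdu</groupId>
        <artifactId>core-lib-azure</artifactId>
        <version>${core-lib-azure.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

def version_key(version):
    """Sort key for Maven-style versions: numeric segments compare as
    integers, qualifiers such as 'Final' sort after a bare number."""
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def load_properties(root):
    """Map each <properties> child to its text, with the namespace stripped."""
    props = {}
    for child in root.findall("m:properties/*", NS):
        props[child.tag.split("}")[-1]] = (child.text or "").strip()
    return props

def resolve(value, props):
    """Expand ${name} references; an unknown property is an error, not a
    silently unpinned version."""
    def expand(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved property ${{{name}}}")
        return props[name]
    return re.sub(r"\$\{([^}]+)\}", expand, value)

def managed_versions(pom_text):
    """Return {'groupId:artifactId': version} for every dependencyManagement
    entry, with property references expanded."""
    root = ET.fromstring(pom_text)
    props = load_properties(root)
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        coord = "%s:%s" % (dep.findtext("m:groupId", namespaces=NS),
                           dep.findtext("m:artifactId", namespaces=NS))
        managed[coord] = resolve(dep.findtext("m:version", namespaces=NS), props)
    return managed

def check_minimums(pom_text, required=REQUIRED):
    """Return (coordinate, found, minimum) for every required artifact that is
    missing (found is None) or pinned below its minimum; empty means OK."""
    managed = managed_versions(pom_text)
    violations = []
    for coord, minimum in required.items():
        found = managed.get(coord)
        if found is None or version_key(found) < version_key(minimum):
            violations.append((coord, found, minimum))
    return violations

if __name__ == "__main__":
    for coord, found, minimum in check_minimums(SAMPLE_POM):
        print(f"FAIL {coord}: found {found}, need >= {minimum}")
```

This checks only what the POM declares. Versions that arrive transitively, such as the Tomcat bump that comes in through core-lib-azure, are visible only in the resolved graph, so pair the check with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` (or `mvn help:effective-pom`) after the bump. Note also that a child module's own dependencyManagement entry overrides the parent's pin, so the Azure provider's nimbus-jose-jwt override should be checked in that module's effective POM, not just in the parent.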
Additional Notes
- All core functionality maintained
- No changes to test configurations
- Azure dependency versions managed by core-lib-azure
- Logging exclusions remain unchanged
- JaCoCo exclusion patterns preserved
Edited by Daniel Scholl (MS)