Pull request #151: [EDELIVERY-13982] upgrade libraries

Merge in EDELIVERY/smp from EDELIVERY-13982-upgrade-libraries-and-plugins to development

* commit '58acf23e':
  [EDELIVERY-13982] upgrade libraries

owasp-false-positive-warnings.xml

@@ -92,4 +92,23 @@
         <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
         <vulnerabilityName>CVE-2024-23080</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: protobuf-java-3.25.1.jar
+   This is the transitive library of the mysql-connector-j:jar:8.4.0: Check if this is needed when using Mysql-connector-java is upgrades.
+   The is added only for the spring boot demo module which is used only for the Demo and testing. Final smp.war artefact does not include this library.
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-7254</vulnerabilityName>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+   file name: spring-webmvc-5.3.39.jar
+    The vulnerability is not exploitable by SMP usage of the library.
+    The application does not serve static resources through the functional web frameworks WebMvc.fn or WebFlux.
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-webmvc@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-38816</vulnerabilityName>
+    </suppress>
 </suppressions>

pom.xml

@@ -57,7 +57,7 @@ See the Licence for the specific language governing permissions and limitations
         <bdmsl-api.version>4.3</bdmsl-api.version>
         <!-- plugin versions -->
         <maven-enforcer-plugin.version>3.4.1</maven-enforcer-plugin.version>
-        <plugin.dependency-check-maven.version>10.0.1</plugin.dependency-check-maven.version>
+        <plugin.dependency-check-maven.version>10.0.4</plugin.dependency-check-maven.version>
         <plugin.jacoco-maven-plugin.version>0.8.11</plugin.jacoco-maven-plugin.version>
         <plugin.license-maven-plugin.version>2.4.0</plugin.license-maven-plugin.version>
         <plugin.maven-antrun-plugin.version>3.1.0</plugin.maven-antrun-plugin.version>
@@ -72,16 +72,16 @@ See the Licence for the specific language governing permissions and limitations
         <plugin.maven-surefire-plugin.version>3.2.2</plugin.maven-surefire-plugin.version>
         <plugin.maven-war-plugin.version>3.4.0</plugin.maven-war-plugin.version>
 
-        <aspectj.version>1.9.22</aspectj.version>
+        <aspectj.version>1.9.22.1</aspectj.version>
         <commons-beanutils.version>1.9.4</commons-beanutils.version>
         <commons-collections.version>3.2.2</commons-collections.version>
-        <commons-io.version>2.15.1</commons-io.version>
-        <commons-lang3.version>3.14.0</commons-lang3.version>
+        <commons-io.version>2.17.0</commons-io.version>
+        <commons-lang3.version>3.17.0</commons-lang3.version>
         <commons-fileupload.version>1.5</commons-fileupload.version>
-        <commons-net.version>3.10.0</commons-net.version>
-        <commons-validator.version>1.8.0</commons-validator.version>
-        <cxf-xjc-runtime.version>3.3.2</cxf-xjc-runtime.version>
-        <cxf.version>3.5.8</cxf.version>
+        <commons-net.version>3.11.1</commons-net.version>
+        <commons-validator.version>1.9.0</commons-validator.version>
+        <cxf-xjc-runtime.version>3.3.4</cxf-xjc-runtime.version>
+        <cxf.version>3.5.9</cxf.version>
         <ehcache.version>3.10.8</ehcache.version>
         <h2.version>2.2.224</h2.version>
         <hamcrest.version>2.2</hamcrest.version>
@@ -89,30 +89,30 @@ See the Licence for the specific language governing permissions and limitations
         <hibernate.validator.version>7.0.5.Final</hibernate.validator.version>
         <hibernate.version>5.6.15.Final</hibernate.version>
         <httpclient.version>4.5.14</httpclient.version>
-        <jackson.version>2.17.0</jackson.version>
+        <jackson.version>2.17.2</jackson.version>
         <javaee-api.version>7.0</javaee-api.version>
         <javax.annotation.version>1.3.2</javax.annotation.version>
         <javax.mail.version>1.6.2</javax.mail.version>
         <jaxb2-basics.version>1.11.1</jaxb2-basics.version>
         <org.glassfish.jaxb.jaxb-runtime.version>2.3.9</org.glassfish.jaxb.jaxb-runtime.version>
         <jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
-        <junit-jupiter.version>5.10.2</junit-jupiter.version>
+        <junit-jupiter.version>5.11.0</junit-jupiter.version>
         <junit-platform-surefire-provider.version>1.3.2</junit-platform-surefire-provider.version>
         <junitparams.version>1.1.1</junitparams.version>
         <!-- Use logback 1.2.x because is the one used by springboot 5.7. Changing to 1.3+ will break springboot logging. -->
         <slf4j.version>1.7.36</slf4j.version>
         <logback.version>1.2.13</logback.version>
-        <mysql.jdbc.version>8.3.0</mysql.jdbc.version>
+        <mysql.jdbc.version>8.4.0</mysql.jdbc.version>
         <metro.version>2.2.1-1</metro.version>
         <mockito.version>4.11.0</mockito.version>
         <jakarta.servlet-api.version>4.0.2</jakarta.servlet-api.version>
 
         <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
         <spring-boot.version>2.7.18</spring-boot.version>
-        <spring-boot.tomcat.version>9.0.88</spring-boot.tomcat.version>
-        <spring.security.version>5.8.12</spring.security.version>
-        <spring.version>5.3.36</spring.version>
-        <xmlunit.version>2.9.1</xmlunit.version>
+        <spring-boot.tomcat.version>9.0.95</spring-boot.tomcat.version>
+        <spring.security.version>5.8.14</spring.security.version>
+        <spring.version>5.3.39</spring.version>
+        <xmlunit.version>2.10.0</xmlunit.version>
 
         <!-- plugins -->
         <plugin.frontend-maven-plugin.version>1.15.0</plugin.frontend-maven-plugin.version>