Pull request #51: Upgrade libraries and plugins

Merge in EDELIVERY/smp from EDELIVERY-12589-upgrade-libraries-and-plugins to development

* commit '026fd8ca':
  Upgrade libraries and plugins
  Upgrade libraries and plugins

owasp-false-positive-warnings.xml

 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
+<suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
+              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
+              https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!--suppress>
         <notes><![CDATA[
    file name: spring-security-crypto-5.8.*.jar
+   The data serialized by the application is trusted
+   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
@@ -11,6 +16,7 @@
     <suppress>
         <notes><![CDATA[
    file name: spring-web-5.3.*.jar
+   CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(web|core)@.*$</packageUrl>
         <cve>CVE-2016-1000027</cve>
@@ -18,9 +24,11 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: smp.war: spring-core-5.3.30.jar
+   file name: smp.war: spring-core-5.3.31.jar
+   The data serialized by the application are from authenticated users and trusted
+   NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
    ]]></notes>
-        <sha1>cd2b09bf9bdb45c3cf2b771317b6dd0d6b2f6a25</sha1>
+        <sha1>368e76f732a3c331b970f69cafec1525d27b34d3</sha1>
         <cve>CVE-2016-1000027</cve>
     </suppress>
     <suppress>
@@ -32,6 +40,17 @@
     <suppress>
         <notes><![CDATA[
    file name: guava-30.1-jre.jar
+   CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
+   CVE-2023-2976 - we don't use FileBackedOutputStream
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <cve>CVE-2020-8908</cve>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
+        CVE-2023-2976 - we don't use FileBackedOutputStream
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
@@ -39,7 +58,10 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: snakeyaml-1.30.jar part of spring boot - just for demo and testing
+   file name: snakeyaml-1.30.jar
+   The vulnerability is not impacting smp.war,
+   because is part of spring boot - intended only for demo and testing. Also Yaml configuration is not exposed
+   to external users.
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
         <cve>CVE-2022-1471</cve>
@@ -53,13 +75,18 @@
     <suppress>
         <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar
+   The vulnerability is not exploitable by SMP usage of the library.
+   NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing
+   a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <cve>CVE-2023-35116</cve>
     </suppress>
     <suppress>
-        <notes><![CDATA[Only for demo and testing
+        <notes><![CDATA[
    file name: tomcat-embed-websocket-9.0.x.jar
+   The vulnerability is not impacting smp.war,
+   because is part of spring boot - intended only for demo and testing.
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
         <cve>CVE-2023-41080</cve>
@@ -67,7 +94,7 @@
     <suppress>
         <notes><![CDATA[
    file name: dom4j-2.1.3/4.jar
-    Used internally by hibernate-envers
+    Used internally by hibernate-envers not exposed to external users/attackers
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
         <cve>CVE-2023-45960</cve>
@@ -75,9 +102,9 @@
     <suppress>
         <notes><![CDATA[
    file name: bdmsl-webapp.war: dom4j-2.1.3.jar
-      Used internally by hibernate-envers
+      Used internally by hibernate-envers not exposed to external users/attackers
    ]]></notes>
         <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1>
         <cve>CVE-2023-45960</cve>
-    </suppress>
+    </suppress -->
 </suppressions>

pom.xml

@@ -38,24 +38,22 @@
         <maven.compiler.source>1.8</maven.compiler.source>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <edelivery.ssl-auth.version>1.15-SNAPSHOT</edelivery.ssl-auth.version>
-        <edelivery.dynamic-discovery-client.version>2.1-SNAPSHOT</edelivery.dynamic-discovery-client.version>
+        <edelivery.dynamic-discovery-client.version>2.1.1-SNAPSHOT</edelivery.dynamic-discovery-client.version>
         <bdmsl-api.version>4.3</bdmsl-api.version>
         <!-- plugin versions -->
-        <plugin.build-helper-maven-plugin.version>1.9.1</plugin.build-helper-maven-plugin.version>
-        <plugin.dependency-check-maven.version>8.4.2</plugin.dependency-check-maven.version>
+        <plugin.dependency-check-maven.version>9.0.3</plugin.dependency-check-maven.version>
         <plugin.jacoco-maven-plugin.version>0.8.11</plugin.jacoco-maven-plugin.version>
-        <plugin.license-maven-plugin.version>2.0.0</plugin.license-maven-plugin.version>
+        <plugin.license-maven-plugin.version>2.3.0</plugin.license-maven-plugin.version>
         <plugin.maven-antrun-plugin.version>3.1.0</plugin.maven-antrun-plugin.version>
         <plugin.maven-assembly-plugin.version>3.6.0</plugin.maven-assembly-plugin.version>
-        <plugin.maven-bundle-plugin.version>3.0.0</plugin.maven-bundle-plugin.version>
-        <plugin.maven-clean-plugin.version>3.3.1</plugin.maven-clean-plugin.version>
+        <plugin.maven-clean-plugin.version>3.3.2</plugin.maven-clean-plugin.version>
         <plugin.maven-compiler-plugin.version>3.11.0</plugin.maven-compiler-plugin.version>
-        <plugin.maven-dependency-plugin.version>3.6.0</plugin.maven-dependency-plugin.version>
+        <plugin.maven-dependency-plugin.version>3.6.1</plugin.maven-dependency-plugin.version>
         <plugin.maven-failsafe-plugin.version>3.1.2</plugin.maven-failsafe-plugin.version>
         <plugin.maven-jar-plugin.version>3.3.0</plugin.maven-jar-plugin.version>
         <plugin.maven-release-plugin.version>3.0.1</plugin.maven-release-plugin.version>
         <plugin.maven-resources-plugin.version>3.3.1</plugin.maven-resources-plugin.version>
-        <plugin.maven-surefire-plugin.version>3.1.2</plugin.maven-surefire-plugin.version>
+        <plugin.maven-surefire-plugin.version>3.2.2</plugin.maven-surefire-plugin.version>
         <plugin.maven-war-plugin.version>3.4.0</plugin.maven-war-plugin.version>
 
         
@@ -65,11 +63,11 @@
         
         <commons-beanutils.version>1.9.4</commons-beanutils.version>
         <commons-collections.version>3.2.2</commons-collections.version>
-        <commons-io.version>2.14.0</commons-io.version>
-        <commons-lang3.version>3.13.0</commons-lang3.version>
+        <commons-io.version>2.15.0</commons-io.version>
+        <commons-lang3.version>3.14.0</commons-lang3.version>
         <commons-fileupload.version>1.5</commons-fileupload.version>
-        <commons-net.version>3.9.0</commons-net.version>
-        <commons-validator.version>1.7</commons-validator.version>
+        <commons-net.version>3.10.0</commons-net.version>
+        <commons-validator.version>1.8.0</commons-validator.version>
         <cxf-xjc-runtime.version>3.3.2</cxf-xjc-runtime.version>
         <cxf.version>3.5.7</cxf.version>
         <ehcache.version>2.10.9.2</ehcache.version>
@@ -91,29 +89,26 @@
         <jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
         <jstl.version>1.2</jstl.version>
         <junit.version>4.13.2</junit.version>
-        <junit-jupiter.version>5.10.0</junit-jupiter.version>
+        <junit-jupiter.version>5.10.1</junit-jupiter.version>
         <junit-platform-surefire-provider.version>1.3.2</junit-platform-surefire-provider.version>
         <junitparams.version>1.1.1</junitparams.version>
         <!-- Use logback 1.2.x because is the one used by springboot 5.7. Changing to 1.3+ will break springboot logging. -->
         <slf4j.version>1.7.36</slf4j.version>
-        <logback.version>1.2.12</logback.version>
+        <logback.version>1.2.13</logback.version>
         <mysql.jdbc.version>8.2.0</mysql.jdbc.version>
         <metro.version>2.2.1-1</metro.version>
         <mockito.version>4.11.0</mockito.version>
-        <orika.version>1.5.4</orika.version>
         <servlet-api.version>3.0.1</servlet-api.version>
 
         <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
         <spring-boot.version>2.7.18</spring-boot.version>
-        <spring-boot.tomcat.version>9.0.82</spring-boot.tomcat.version>
+        <spring-boot.tomcat.version>9.0.83</spring-boot.tomcat.version>
         <spring.security.version>5.8.8</spring.security.version>
-        <spring.version>5.3.30</spring.version>
+        <spring.version>5.3.31</spring.version>
         <xmlunit.version>2.9.1</xmlunit.version>
 
         <!-- plugins -->
         <plugin.frontend-maven-plugin.version>1.15.0</plugin.frontend-maven-plugin.version>
-        <plugin.exec-maven-plugin.version>1.6.0</plugin.exec-maven-plugin.version>
-
         <sonar.jacoco.remotePort>${jacocoRemotePort}</sonar.jacoco.remotePort>
         <sonar.jacoco.remoteAddress>${jacocoRemoteAddress}</sonar.jacoco.remoteAddress>
 
@@ -145,6 +140,9 @@
         </release.arguments>
         <project.scm.id>edelivery-scm</project.scm.id>
     </properties>
+    <prerequisites>
+        <maven>3.6.0</maven>
+    </prerequisites>
 
     <scm>
         <developerConnection>scm:git:https://ec.europa.eu/digital-building-blocks/code/scm/edelivery/smp.git
@@ -359,6 +357,10 @@
                         <groupId>org.bouncycastle</groupId>
                         <artifactId>bcprov-jdk15on</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bcpkix-jdk15on</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -428,13 +430,13 @@
                 <version>${aspectj.version}</version>
             </dependency>
             <dependency>
-                <groupId>ma.glasnost.orika</groupId>
-                <artifactId>orika-core</artifactId>
-                <version>${orika.version}</version>
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-classic</artifactId>
+                <version>${logback.version}</version>
             </dependency>
             <dependency>
                 <groupId>ch.qos.logback</groupId>
-                <artifactId>logback-classic</artifactId>
+                <artifactId>logback-core</artifactId>
                 <version>${logback.version}</version>
             </dependency>
             <dependency>
@@ -699,11 +701,6 @@
                     <artifactId>sonar-maven-plugin</artifactId>
                     <version>${plugin.sonar-maven-plugin.version}</version>
                 </plugin>
-                <plugin>
-                    <groupId>org.codehaus.mojo</groupId>
-                    <artifactId>build-helper-maven-plugin</artifactId>
-                    <version>${plugin.build-helper-maven-plugin.version}</version>
-                </plugin>
                 <plugin>
                     <groupId>org.apache.cxf</groupId>
                     <artifactId>cxf-codegen-plugin</artifactId>
@@ -749,11 +746,6 @@
                     <artifactId>maven-compiler-plugin</artifactId>
                     <version>${plugin.maven-compiler-plugin.version}</version>
                 </plugin>
-                <plugin>
-                    <groupId>org.apache.felix</groupId>
-                    <artifactId>maven-bundle-plugin</artifactId>
-                    <version>${plugin.maven-bundle-plugin.version}</version>
-                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-jar-plugin</artifactId>
@@ -764,11 +756,6 @@
                     <artifactId>frontend-maven-plugin</artifactId>
                     <version>${plugin.frontend-maven-plugin.version}</version>
                 </plugin>
-                <plugin>
-                    <groupId>org.codehaus.mojo</groupId>
-                    <artifactId>exec-maven-plugin</artifactId>
-                    <version>${plugin.exec-maven-plugin.version}</version>
-                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>