Update jjwt version and bump Spring version #870

Merged: symphony-enrico merged 8 commits into finos:main from symphony-enrico:jjwt on May 12, 2026
Conversation

@symphony-enrico
Contributor

Description

update very old jjwt version to the latest one

@symphony-enrico
Contributor Author

ok to test

@linux-foundation-easycla

linux-foundation-easycla Bot commented May 11, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

Fixes CI failure caused by CVE-2026-6785/6786 whose NVD reference URLs
exceed the VARCHAR(1000) column limit in the plugin's H2 database schema.
…ed scan

Bumps in symphony-bdk-bom so dependencyCheckAggregate stays under the
CVSS-5 fail gate now that OWASP 12.2.2 analysis runs to completion:

- spring-boot-dependencies 3.5.11 -> 3.5.14 (pulls spring-framework
  6.2.18, spring-security 6.5.10, tomcat-embed 10.1.54)
- log4j-bom 2.24.2 -> 2.26.0
- netty-bom 4.1.133.Final added to override Spring Boot's 4.1.132
  (still vulnerable to CVE-2026-41417)
- handlebars 4.3.1 -> 4.5.1 (picks up commons-lang3 3.18.0 fix for
  CVE-2025-48924)

Adds two narrow allow-list.xml suppressions for known false positives:
kotlin-stdlib CVE-2020-29582 (fixed in 1.4.21; CPE overmatches all
1.x) and the handlebars-v4.7.7.js bundled-resource CVEs (JS engine
not used by symphony-bdk-template-handlebars).

The buildSrc classloader fix (f337ba6) made the analyzer run to
completion, so the tolerance flag added in 95c8f79 is no longer
needed. Reverting to the default (true) so a future analyzer
regression fails loudly instead of silently passing with an
incomplete report.
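The commit messages above stress that the two allow-list.xml suppressions are narrow (pinned to one artifact or file and to one named finding) and that the CVSS-5 gate should fail loudly rather than be quietly widened. The script below is an added example, not code from the symphony-bdk project: it parses a dependency-check suppression file and reports any entry that is not narrow. The XML sample is constructed for illustration (the PR's real allow-list.xml is not on this page); its element names follow the dependency-check suppression schema, and the CPE string and the netty example are assumptions, not values taken from the repository.

```python
"""Lint an OWASP dependency-check suppression file for over-broad entries.

Added example, not code from the symphony-bdk project. The XML below is a
constructed stand-in for the allow-list.xml the PR describes; the element
names follow the dependency-check suppression schema (version 1.3).
"""
import xml.etree.ElementTree as ET

NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Elements that pin a suppression to one artifact or file.
SCOPE_TAGS = ("packageUrl", "sha1", "filePath", "gav")
# Elements that name the specific finding being suppressed.
TARGET_TAGS = ("cve", "cpe", "vulnerabilityName")
# Suppresses every finding under a score: too coarse for a "known false positive" entry.
RANGE_TAG = "cvssBelow"

# Constructed sample: two narrow entries modelled on the PR's description,
# plus two deliberately over-broad entries the linter should flag.
SAMPLE_ALLOW_LIST = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>kotlin-stdlib: CVE-2020-29582 fixed in 1.4.21, CPE overmatches all 1.x</notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib.*@.*$</packageUrl>
    <cve>CVE-2020-29582</cve>
  </suppress>
  <suppress>
    <notes>handlebars-v4.7.7.js bundled in symphony-bdk-template-handlebars; JS engine not used</notes>
    <filePath regex="true">.*handlebars-v4\.7\.7\.js$</filePath>
    <cpe>cpe:/a:handlebarsjs:handlebars</cpe>
  </suppress>
  <suppress>
    <notes>BAD: constructed global suppression with no artifact scope</notes>
    <cve>CVE-2025-48924</cve>
  </suppress>
  <suppress>
    <notes>BAD: constructed entry that hides every finding below a score</notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
    <cvssBelow>7</cvssBelow>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.split("}", 1)[-1]


def parse_suppressions(xml_text):
    """Return one dict per <suppress> entry: notes, scope elements, target elements, score range."""
    root = ET.fromstring(xml_text)
    entries = []
    for sup in root.findall("dc:suppress", NS):
        entry = {"notes": "", "scope": [], "target": [], "range": None}
        for child in sup:
            tag = _local(child.tag)
            text = (child.text or "").strip()
            if tag == "notes":
                entry["notes"] = text
            elif tag in SCOPE_TAGS:
                entry["scope"].append((tag, text))
            elif tag in TARGET_TAGS:
                entry["target"].append((tag, text))
            elif tag == RANGE_TAG:
                entry["range"] = text
        entries.append(entry)
    return entries


def lint(xml_text):
    """Return (notes, reason) for every entry that is not a narrow suppression."""
    findings = []
    for entry in parse_suppressions(xml_text):
        if not entry["scope"]:
            findings.append((entry["notes"], "no artifact scope (packageUrl, sha1, filePath or gav)"))
        elif entry["range"] is not None:
            findings.append((entry["notes"], f"cvssBelow {entry['range']} hides a score range instead of a named finding"))
        elif not entry["target"]:
            findings.append((entry["notes"], "no specific finding (cve, cpe or vulnerabilityName)"))
    return findings


if __name__ == "__main__":
    for notes, reason in lint(SAMPLE_ALLOW_LIST):
        print(f"over-broad: {notes!r}: {reason}")
```

Run against the constructed sample, the two narrow entries pass and the two BAD entries are reported. Wiring a check like this into the same CI job that runs dependencyCheckAggregate keeps the allow-list from drifting into the kind of blanket suppression that would quietly defeat the CVSS-5 gate.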
@symphony-enrico symphony-enrico changed the title Update jjwt version Update jjwt version and bump Spring version May 12, 2026
@symphony-enrico symphony-enrico merged commit d5c62b5 into finos:main May 12, 2026
6 of 7 checks passed