<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.5.14</version>
        <relativePath/>
    </parent>

    <groupId>com.hiveops</groupId>
    <artifactId>hiveops-bom</artifactId>
    <version>1.0.7</version>
    <packaging>pom</packaging>
    <name>HiveOps BOM</name>
    <description>Bill of Materials for HiveOps microservices — centralizes dependency versions</description>

    <distributionManagement>
        <repository>
            <id>gitea</id>
            <url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
        </repository>
        <snapshotRepository>
            <id>gitea</id>
            <url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
        </snapshotRepository>
    </distributionManagement>

    <properties>
        <java.version>21</java.version>
        <hiveops-security-common.version>1.0.1</hiveops-security-common.version>
        <jjwt.version>0.12.6</jjwt.version>
        <springdoc.version>2.8.17</springdoc.version>
        <spring-cloud.version>2025.0.3</spring-cloud.version>
        <thymeleaf.version>3.1.5.RELEASE</thymeleaf.version>
        <!-- #6 (BOM 1.0.7): CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be silently
             downgraded from SCRAM-SHA-256-PLUS, defeating MITM protection. Affects 42.7.4-42.7.11;
             fixed in 42.7.12. Taking 42.7.13 (latest 42.7.x). -->
        <postgresql.version>42.7.13</postgresql.version>
        <!-- #6 (BOM 1.0.6): spring-ai 1.0.7 CVE-2026-47835 (7.5) — fixed in 1.0.9. ai compiles + OWASP-clean on it. -->
        <spring-ai.version>1.0.9</spring-ai.version>
        <bucket4j.version>8.10.1</bucket4j.version>
        <totp.version>1.7.1</totp.version>
        <zxing.version>3.5.3</zxing.version>
        <hibernate-types.version>2.21.1</hibernate-types.version>
        <lombok.version>1.18.40</lombok.version>

        <!-- Security overrides — patch versions ahead of what Spring Boot 3.5.14 ships,
             to clear HIGH/CRITICAL CVEs (hiveops-bom#3, #6). Revisit on each Boot upgrade;
             drop an entry once Boot ships >= the version below. -->
        <!-- #6 (BOM 1.0.5): 2026-07 NVD batch — spring-framework 6.2.18 (CVE-2026-41855 9.8 + 5x7.5),
             spring-security 6.5.10 (CVE-2026-47838 8.1, 40988 7.5), tomcat 10.1.55
             (CVE-2026-55276 9.1, 53434 9.1, 53404 7.3). Fixes are one patch up. -->
        <spring-framework.version>6.2.19</spring-framework.version>
        <spring-security.version>6.5.11</spring-security.version>
        <tomcat.version>10.1.56</tomcat.version>
        <jackson-bom.version>2.21.4</jackson-bom.version>
        <spring-kafka.version>3.3.16</spring-kafka.version>
        <netty.version>4.1.135.Final</netty.version>

        <!-- #6 (BOM 1.0.7): httpcore5 5.3.6 carries CVE-2026-54399 (7.5, HTTP/1.1 parser DoS) and
             CVE-2026-54428 (7.5, HTTP/2 HPACK decoder unbounded allocation). Both affect <= 5.4.2;
             fixed in 5.4.3.

             httpcore5 arrives transitively via spring-cloud-config-client -> httpclient5. Apache ships
             the two as a matched pair, so we bump the CLIENT and let it pull the fixed core:
                 httpclient5 5.5.2 -> httpcore5 5.3.6   (vulnerable — what Boot 3.5.14 resolves)
                 httpclient5 5.6.2 -> httpcore5 5.4.3   (patched pairing)
             Pinning httpcore5 5.4.3 UNDER httpclient5 5.5.2 would be a combination Apache never ships
             or tests, so both are pinned to the pair Apache actually releases together. -->
        <httpclient5.version>5.6.2</httpclient5.version>
        <httpcore5.version>5.4.3</httpcore5.version>
    </properties>

    <dependencyManagement>
        <dependencies>

            <!-- ============================================================ -->
            <!-- HiveOps shared libraries                                      -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>com.hiveops</groupId>
                <artifactId>hiveops-security-common</artifactId>
                <version>${hiveops-security-common.version}</version>
            </dependency>

            <!-- Security override: force patched bouncycastle. Pulled transitively and NOT
                 managed by Spring Boot's bouncy-castle.version property, so it needs an
                 explicit pin here. Clears CVE-2025-14813 (CRITICAL). See hiveops-bom#3. -->
            <dependency>
                <groupId>org.bouncycastle</groupId>
                <artifactId>bcprov-jdk18on</artifactId>
                <version>1.81.1</version>
            </dependency>

            <!-- Security overrides (transitive, not Boot-managed) — hiveops-bom#3, BOM 1.0.4.
                 commons-io CVE-2024-47554 chain; commons-beanutils CVE-2025-48734. -->
            <dependency>
                <groupId>commons-io</groupId>
                <artifactId>commons-io</artifactId>
                <version>2.14.0</version>
            </dependency>
            <dependency>
                <groupId>commons-beanutils</groupId>
                <artifactId>commons-beanutils</artifactId>
                <version>1.11.0</version>
            </dependency>

            <!-- hiveops-bom#6, BOM 1.0.7 — httpcore5 CVE-2026-54399 / CVE-2026-54428 (7.5 each).
                 Bump the client so it pulls the patched core (Apache ships 5.6.2 <-> 5.4.3 together);
                 core is pinned too so nothing closer in the graph can drag 5.3.6 back in. -->
            <dependency>
                <groupId>org.apache.httpcomponents.client5</groupId>
                <artifactId>httpclient5</artifactId>
                <version>${httpclient5.version}</version>
            </dependency>
            <dependency>
                <groupId>org.apache.httpcomponents.core5</groupId>
                <artifactId>httpcore5</artifactId>
                <version>${httpcore5.version}</version>
            </dependency>
            <dependency>
                <groupId>org.apache.httpcomponents.core5</groupId>
                <artifactId>httpcore5-h2</artifactId>
                <version>${httpcore5.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- JWT (JJWT 0.12.x)                                            -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>io.jsonwebtoken</groupId>
                <artifactId>jjwt-api</artifactId>
                <version>${jjwt.version}</version>
            </dependency>
            <dependency>
                <groupId>io.jsonwebtoken</groupId>
                <artifactId>jjwt-impl</artifactId>
                <version>${jjwt.version}</version>
            </dependency>
            <dependency>
                <groupId>io.jsonwebtoken</groupId>
                <artifactId>jjwt-jackson</artifactId>
                <version>${jjwt.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- OpenAPI / Swagger                                             -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>org.springdoc</groupId>
                <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
                <version>${springdoc.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- Spring Cloud (re-exported as BOM import)                      -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <!-- ============================================================ -->
            <!-- Spring AI (re-exported as BOM import)                         -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>org.springframework.ai</groupId>
                <artifactId>spring-ai-bom</artifactId>
                <version>${spring-ai.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <!-- ============================================================ -->
            <!-- Rate limiting                                                 -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>com.bucket4j</groupId>
                <artifactId>bucket4j-core</artifactId>
                <version>${bucket4j.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- TOTP / QR code (used by hiveops-auth)                        -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>dev.samstevens.totp</groupId>
                <artifactId>totp</artifactId>
                <version>${totp.version}</version>
            </dependency>
            <dependency>
                <groupId>com.google.zxing</groupId>
                <artifactId>core</artifactId>
                <version>${zxing.version}</version>
            </dependency>
            <dependency>
                <groupId>com.google.zxing</groupId>
                <artifactId>javase</artifactId>
                <version>${zxing.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- Lombok (1.18.40 required for Java 25 compatibility)          -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>org.projectlombok</groupId>
                <artifactId>lombok</artifactId>
                <version>${lombok.version}</version>
            </dependency>

            <!-- ============================================================ -->
            <!-- Hibernate extras                                              -->
            <!-- ============================================================ -->
            <dependency>
                <groupId>com.vladmihalcea</groupId>
                <artifactId>hibernate-types-60</artifactId>
                <version>${hibernate-types.version}</version>
            </dependency>

        </dependencies>
    </dependencyManagement>

</project>
