8c7874e37a
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):
postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
protection. Affects 42.7.4-42.7.11.
httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation
httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.
Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.
Refs bom#6
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
183 lines
6.0 KiB
XML
183 lines
6.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
|
<modelVersion>4.0.0</modelVersion>
|
|
|
|
<groupId>com.hiveops</groupId>
|
|
<artifactId>hiveops-aria</artifactId>
|
|
<version>1.0.0</version>
|
|
<packaging>jar</packaging>
|
|
|
|
<description>ARIA — ATM Threat Monitoring and IOC Detection</description>
|
|
|
|
<parent>
|
|
<groupId>com.hiveops</groupId>
|
|
<artifactId>hiveops-bom</artifactId>
|
|
<version>1.0.7</version>
|
|
<relativePath/>
|
|
</parent>
|
|
|
|
<properties>
|
|
<java.version>21</java.version>
|
|
<maven.compiler.source>21</maven.compiler.source>
|
|
<maven.compiler.target>21</maven.compiler.target>
|
|
</properties>
|
|
|
|
<dependencies>
|
|
<!-- Spring Cloud Config Client -->
|
|
<dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-starter-config</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.cloud</groupId>
|
|
<artifactId>spring-cloud-starter-bootstrap</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Web -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-web</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Data JPA -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-data-jpa</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Security -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-security</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Validation -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-validation</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Jakarta Validation API -->
|
|
<dependency>
|
|
<groupId>jakarta.validation</groupId>
|
|
<artifactId>jakarta.validation-api</artifactId>
|
|
<version>3.0.2</version>
|
|
<scope>compile</scope>
|
|
</dependency>
|
|
|
|
<!-- Hibernate Validator -->
|
|
<dependency>
|
|
<groupId>org.hibernate.validator</groupId>
|
|
<artifactId>hibernate-validator</artifactId>
|
|
<version>8.0.1.Final</version>
|
|
<scope>compile</scope>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Cache -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-cache</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Caffeine Cache -->
|
|
<dependency>
|
|
<groupId>com.github.ben-manes.caffeine</groupId>
|
|
<artifactId>caffeine</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Actuator -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-actuator</artifactId>
|
|
</dependency>
|
|
|
|
<!-- PostgreSQL Driver -->
|
|
<dependency>
|
|
<groupId>org.postgresql</groupId>
|
|
<artifactId>postgresql</artifactId>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
|
|
<!-- Flyway DB migrations -->
|
|
<dependency>
|
|
<groupId>org.flywaydb</groupId>
|
|
<artifactId>flyway-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.flywaydb</groupId>
|
|
<artifactId>flyway-database-postgresql</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Shared JWT validation -->
|
|
<dependency>
|
|
<groupId>com.hiveops</groupId>
|
|
<artifactId>hiveops-security-common</artifactId>
|
|
<version>1.0.1</version>
|
|
</dependency>
|
|
|
|
<!-- Lombok -->
|
|
<dependency>
|
|
<groupId>org.projectlombok</groupId>
|
|
<artifactId>lombok</artifactId>
|
|
<version>1.18.40</version>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
|
|
<!-- Kafka -->
|
|
<dependency>
|
|
<groupId>org.springframework.kafka</groupId>
|
|
<artifactId>spring-kafka</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Spring Boot Test -->
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-compiler-plugin</artifactId>
|
|
<version>3.14.0</version>
|
|
<configuration>
|
|
<source>${java.version}</source>
|
|
<target>${java.version}</target>
|
|
<annotationProcessorPaths>
|
|
<path>
|
|
<groupId>org.projectlombok</groupId>
|
|
<artifactId>lombok</artifactId>
|
|
<version>1.18.40</version>
|
|
</path>
|
|
</annotationProcessorPaths>
|
|
</configuration>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-maven-plugin</artifactId>
|
|
<configuration>
|
|
<excludes>
|
|
<exclude>
|
|
<groupId>org.projectlombok</groupId>
|
|
<artifactId>lombok</artifactId>
|
|
</exclude>
|
|
</excludes>
|
|
</configuration>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
|
|
<repositories>
|
|
<repository>
|
|
<id>gitea</id>
|
|
<url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
|
|
</repository>
|
|
</repositories>
|
|
|
|
</project>
|