From add16527b74394289279912ecdb4c708b7d55e2a Mon Sep 17 00:00:00 2001 From: Rafael Bey-Hernandez <24432403+rafaelbey@users.noreply.github.com> Date: Fri, 3 Jul 2026 13:14:15 -0400 Subject: [PATCH 1/3] Security: remediate open Dependabot alerts (24 of 29) + remediation register (#259) * Add security remediation register for open Dependabot alerts Inventories all 29 open critical/high/medium alerts, groups them into ordered remediation waves with transitive-dependency rationale and per-item blast radius, and documents deferred items blocked by the Java 8 baseline. Intended to be executed one item per PR. * Add CLAUDE.md and correct README JDK requirements The enforcer plugin requires JDK 11/17/21/25 to build; compiled code targets Java 8. README previously said JDK 8. * V01: pin trivy-action to 0.35.0 by commit SHA (CVE-2026-33634) * V02: bump hazelcast to 5.3.8 (CVE-2023-45859, CVE-2023-45860) * V03: bump json-smart to 2.5.2 (CVE-2021-31684, CVE-2023-1370) * V04: bump jetty to 9.4.57.v20241219 (CVE-2024-13009 and 4 medium CVEs) * V05: bump test-scope spring deps (CVE-2023-20883) spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39. spring-test 5.x mock-web requires spring-web for cookie handling; added as a test dependency where spring-test is used. * V06: bump jackson family to 2.18.8 and snakeyaml to 2.3 Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471) and six jackson-databind highs. Imports jackson-bom so the datatype/ module/jaxrs jars Dropwizard pulls transitively stay on one version. * V07: bump nimbus-jose-jwt to 9.37.4 (CVE-2023-52428, CVE-2025-53864) Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP token renewal test. Manual OIDC login verification against a real IdP still recommended before release. * Extract dependency management into legend-shared-bom Moves all version properties and dependencyManagement from the root pom into a published BOM module that Legend applications can import to stay aligned with the versions (including the security bumps) managed here. Documented in README; CVE-driven exclusions propagate to importers. * Reconcile WhiteSource findings from PR #259 in remediation register The 4 'new' findings are known unfixable items re-attributed to the bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch), CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only. * Document HeroDevs NES option for the unfixable Jetty 9.4 CVEs Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private registry, same GAV). Not adoptable upstream (Central-resolvable deps required; FINOS project), but documented as a deployer-side override for organizations needing CVE-2026-2332/CVE-2025-11143 closed before the Phase-2 migration. --- .github/workflows/docker.yml | 2 +- CLAUDE.md | 55 +++ README.md | 28 +- docs/security-remediation.md | 215 +++++++++++ legend-shared-bom/pom.xml | 529 +++++++++++++++++++++++++++ legend-shared-pac4j-kerberos/pom.xml | 5 + legend-shared-pac4j-ping/pom.xml | 5 + legend-shared-pac4j/pom.xml | 5 + pom.xml | 441 +--------------------- 9 files changed, 850 insertions(+), 435 deletions(-) create mode 100644 CLAUDE.md create mode 100644 docs/security-remediation.md create mode 100644 legend-shared-bom/pom.xml diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index c2462d68..55d69899 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -40,7 +40,7 @@ jobs: # NOTE: if this gets more complicated, consider having this as a bash script run: mkdir -p ./legend-shared-server/target && touch ./legend-shared-server/target/legend-shared-server-dummy.jar && docker build --quiet --tag local/legend-shared-server:${{ github.sha }} ./legend-shared-server - name: Scan image for security issues - uses: aquasecurity/trivy-action@0.2.2 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: # TODO: we should probably also setup misconfiguration scanning # See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 00000000..84553037 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,55 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## What this repo is + +Shared server-side infrastructure used across FINOS Legend applications: pac4j-based authentication, OpenTracing instrumentation, and a Dropwizard static-content server. Published to Maven Central as `org.finos.legend.shared:*`. Two tenets govern changes (from README): code must be genuinely used by the majority of Legend applications, and new dependencies are heavily scrutinized. + +## Build and test + +Maven multi-module build (parent pom at repo root, version `0.35.x`). + +- Build everything: `mvn install` +- Build one module (with its deps): `mvn install -pl legend-shared-pac4j -am` +- Run all tests in a module: `mvn test -pl legend-shared-pac4j` +- Run a single test class: `mvn test -pl legend-shared-pac4j -Dtest=TestMongoDbSessionStore` +- CI runs: `mvn install javadoc:javadoc` + +JDK: the enforcer plugin requires JDK 11, 17, 21, or 25 to *build* (CI uses 25), but `maven.compiler.release` is **8** — source code must stay Java 8 compatible (no `var`, no newer language features or APIs). + +Surefire test reports from all modules aggregate into `legend-shared-test-reports/surefire-reports-aggregate`. Tests use JUnit 4 (plus Mockito; Mongo tests use an in-memory `mongo-java-server`). + +## Checkstyle + +`mvn verify` runs checkstyle with `checkstyle_legend.xml` and **fails on warnings**. Notable enforced style: + +- Allman braces: opening brace on its own line (`LeftCurly` = `nl`), closing brace alone. +- No star imports; custom import order; no tabs; 4-space indentation. +- Every file needs the Apache 2.0 license header (see any existing `.java` file). + +Match the existing brace/format style exactly when editing — checkstyle will block the build otherwise. + +## Module architecture + +**Dependency management:** +- `legend-shared-bom` — the single source of truth for dependency versions. All version properties and `dependencyManagement` live in `legend-shared-bom/pom.xml`; the root pom imports it (`import`), and it is published so Legend applications can import it too. Its parent is `org.finos:finos` (not the root pom — that would create a model cycle), so its `` is a literal kept in lockstep by the release plugin, and it carries its own `docker` profile skip. To change a dependency version, edit the BOM, not the root pom. + +**Authentication (pac4j):** +- `legend-shared-pac4j` — the core. `LegendPac4jBundle` is a Dropwizard bundle (extends `Pac4jBundle`) that Legend apps install to get authentication; it wires pac4j `Client`s from YAML config (`LegendPac4jConfiguration`), sets up security filters (`internal/SecurityFilterHandler`, `UsernameFilter`), and selects a session store. Session state can live in MongoDB (`mongostore/MongoDbSessionStore`, encrypted via `SessionCrypt`) or Hazelcast (`hazelcaststore/HazelcastSessionStore`), fronted by `internal/HttpSessionStore`; `sessionutil/SessionToken` manages the session cookie. `mongoauthorizer/MongoDbAuthorizer` authorizes against a Mongo collection. +- `legend-shared-pac4j-kerberos`, `-gitlab`, `-ping` — pluggable pac4j clients/authenticators for each identity provider, discovered via Jackson subtypes in app YAML config. The GitLab module includes personal-access-token auth and group-based authorization. + +**Tracing (OpenTracing/Zipkin):** +- `legend-shared-opentracing-base` — core `OpenTracing` setup, span reporters, pluggable `AuthenticationProvider`s for the trace collector. +- `legend-shared-opentracing-jersey` — `JerseyClientSender` for shipping spans over Jersey. +- `legend-shared-opentracing-servlet-filter` — `OpenTracingFilter` and span decorators for inbound requests. +- `legend-shared-opentracing-test` — shared test helper (`ClientSenderTest`). + +**Server:** +- `legend-shared-server` — Dropwizard static-content server (`staticserver/Server` is the main class) plus reusable bundles Legend apps install: `StaticServerBundle`, `LocalAssetBundle`/`LocalAssetServlet`, CORS (`CorsBundleWrapper`), `OpenTracingBundle`, `HtmlRouterRedirectBundle`, `HostnameHeaderBundle`. Has a `Dockerfile`; the docker image is built by the `docker.yml` workflow. + +The dependency direction: `legend-shared-server` consumes the pac4j and opentracing modules; provider modules (`-kerberos`, `-gitlab`, `-ping`) depend on `legend-shared-pac4j`. + +## Releases + +Releases are cut via maven-release-plugin through GitHub workflows (`release.yml`); commits containing `[maven-release-plugin]` are skipped by CI. Don't bump versions manually. diff --git a/README.md b/README.md index 48b73286..4a767abf 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,35 @@ The important tenets for this project are: * Code must be genuinely used by the majority of Legend applications * New dependencies must be carefully scrutinized - the goal is to minimize unnecessary dependencies in apps. +## Using the BOM + +Legend applications can import `legend-shared-bom` to normalize the versions of the +`org.finos.legend.shared:*` modules and the common third-party stack (Jackson, Dropwizard, +pac4j, Jetty, Guava, SLF4J, MongoDB driver, Hazelcast, test libraries, etc.): + +```xml + + + + org.finos.legend.shared + legend-shared-bom + ${legend.shared.version} + pom + import + + + +``` + +Notes: +* Some managed entries carry deliberate `` (e.g. `shiro-core` from `pac4j-core`) that + encode CVE/conflict resolutions; these propagate to importers by design. +* To override a version, declare the artifact in your own `dependencyManagement` before (or instead + of) relying on the import — redefining the BOM's version properties has no effect across an import. + ## Development setup -This application uses Maven 3.6+ and JDK 8. Simply run `mvn install` to compile. +This application uses Maven 3.6+ and JDK 11, 17, 21, or 25 (compiled code targets Java 8). Simply run `mvn install` to compile. ## Roadmap diff --git a/docs/security-remediation.md b/docs/security-remediation.md new file mode 100644 index 00000000..ea51f4f6 --- /dev/null +++ b/docs/security-remediation.md @@ -0,0 +1,215 @@ +# Security Remediation Register + +**Scope:** all open Dependabot alerts of severity **critical, high, and medium** on `finos/legend-shared`. +**Baseline:** 29 open alerts as of 2026-07-03 (1 critical, 17 high, 11 medium), inventoried from the GitHub Dependabot API. +**Constraint:** the library keeps its Java 8 bytecode target (`maven.compiler.release=8` in the root pom). Fixes that require a Java 11+ baseline (Jetty 10+, pac4j 5.x, Dropwizard 2.1+) are deferred to the Phase 2 track at the bottom of this document, with rationale. + +## How to use this document + +Each remediation item below is sized to be executed **one at a time**, one PR per item. For each session: + +1. Refresh the alert list and confirm the item's alerts are still open: + ```sh + gh api 'repos/finos/legend-shared/dependabot/alerts?state=open&severity=critical,high,medium&per_page=100' --paginate \ + --jq '.[] | [.number, .security_advisory.severity, .dependency.package.name, (.security_vulnerability.first_patched_version.identifier // "NONE"), (.security_advisory.cve_id // .security_advisory.ghsa_id)] | @tsv' + ``` +2. Pick the next `☐` item, respecting the wave order (Wave 1 items are order-independent among themselves; Wave 2 before Wave 3). +3. Apply the change described in the item (usually a one-property edit in the root `pom.xml`). +4. Run the item's **Verification** steps. `mvn -B install` runs tests *and* checkstyle for the whole reactor. +5. Confirm the resolved version with `mvn dependency:tree -Dincludes=:` — exactly one version must appear, everywhere. +6. Open one PR per item; after merge, Dependabot re-scans and the alerts should auto-close. Update the item's status here (`☐` → `☑` with date/PR#) in the same PR or a follow-up. + +Items must not be batched across waves in a single PR: a per-item history is what makes a bad bump bisectable and revertable. + +## Register + +| Item | Wave | Component | Current → Target | Alerts closed (severity) | Status | +|------|------|-----------|------------------|--------------------------|--------| +| V01 | 0 | `aquasecurity/trivy-action` (CI) | < 0.35.0 → 0.35.0 (SHA-pinned) | CVE-2026-33634 (critical) | ☑ 2026-07-03 | +| V02 | 1 | `com.hazelcast:hazelcast` | 5.3.1 → 5.3.8 | CVE-2023-45859 (high 7.6), CVE-2023-45860 (high 6.5) | ☑ 2026-07-03 | +| V03 | 1 | `net.minidev:json-smart` | 2.4.2 → 2.5.2 | CVE-2021-31684 (high 7.5), CVE-2023-1370 (high 7.5) | ☑ 2026-07-03 | +| V04 | 1 | `org.eclipse.jetty:*` (9 artifacts, one property) | 9.4.44.v20210927 → 9.4.57.v20241219 | CVE-2024-13009 (high 7.2), CVE-2024-8184 (med 5.9), CVE-2023-26048 (med 5.3), CVE-2023-40167 (med 5.3), CVE-2024-9823 (med 5.3) | ☑ 2026-07-03 | +| V05 | 1 | `spring-boot-autoconfigure` / `spring-test` (test scope) | 2.3.3 → 2.7.18 / 4.3.24 → 5.3.39 | CVE-2023-20883 (high 7.5) | ☑ 2026-07-03 | +| V06 | 2 | Jackson family + snakeyaml (coordinated) | jackson 2.10.5/2.10.5.1/2.11.2 → 2.18.8; snakeyaml 1.33 → 2.3 | 12 alerts — see item | ☑ 2026-07-03 | +| V07 | 3 | `com.nimbusds:nimbus-jose-jwt` | 8.0 → 9.37.4 | CVE-2023-52428 (high 7.5), CVE-2025-53864 (med 5.8) | ☑ 2026-07-03 (manual OIDC check pending) | +| D1 | deferred | `org.eclipse.jetty:jetty-http` | no fix in 9.4 line | CVE-2026-2332 (high 7.4) | accepted risk | +| D2 | deferred | `org.pac4j:pac4j-core` | fix is 5.7.10 (Java 11) | CVE-2026-40458 (high 6.5) | accepted risk | +| D3 | deferred | Dropwizard 1.3.29 EOL | 2.0.x is last Java-8 line | (enabler, no direct alert) | Phase 2 | +| D4 | watch | `jackson-databind` | no patched version exists yet | CVE-2026-54515 (med 5.3) | watch | +| D5 | deferred | `org.eclipse.jetty:jetty-http` | fix only in Jetty 12.0.12 | CVE-2024-6763 (med 3.7) | accepted risk | +| D6 | deferred | `org.eclipse.jetty:jetty-http` | fix only in Jetty 12.0.31/12.1.5 | CVE-2025-11143 (WhiteSource) | accepted risk | + +All 29 baseline alerts are accounted for: V01 (1), V02 (2), V03 (2), V04 (5), V05 (1), V06 (12), V07 (2), D1 (1), D2 (1), D4 (1), D5 (1). + +--- + +## Wave 0 — CI-only + +### V01 — trivy-action supply-chain pin (CVE-2026-33634, critical) + +- **What/why:** `.github/workflows/docker.yml` uses `aquasecurity/trivy-action` < 0.35.0, whose ecosystem was briefly compromised. CI-only; nothing shipped in the library is affected. +- **How:** bump the action reference to ≥ 0.35.0 in `docker.yml`. Prefer pinning by full commit SHA rather than tag (standard mitigation for action supply-chain risk). +- **Blast radius:** the Docker publish workflow only. No library consumer impact. +- **Verification:** workflow runs green on the PR (`docker.yml` triggers) or via a manual `workflow_dispatch` if it doesn't run on PRs. +- **Status:** ☑ 2026-07-03 — pinned to commit `57a97c7e` (tag 0.35.0). Workflow-green check pending on PR. + +## Wave 1 — independent version-pin bumps (any order) + +### V02 — Hazelcast 5.3.1 → 5.3.8 (CVE-2023-45859, CVE-2023-45860) + +- **What/why:** missing permission checks in Hazelcast client protocol / CSV source connector; both fixed in 5.3.5. Target the latest 5.3.x patch (5.3.8) for the rest of the 5.3 fixes. +- **How:** root `pom.xml`: `5.3.1` → `5.3.8`. +- **Dependency path:** direct dependency of `legend-shared-pac4j` (used only by `HazelcastSessionStore`); reaches downstream apps through that module. +- **Blast radius:** small. Patch-level within 5.3.x, wire-format compatible; only affects deployments configured to use the Hazelcast session store. Note the recent `Fix hazelcast store (#257)` commit — the hazelcaststore tests are current and meaningful coverage. +- **Verification:** `mvn -B install` (the `hazelcaststore` tests in `legend-shared-pac4j` exercise the store end-to-end). +- **Status:** ☑ 2026-07-03 — full reactor build + tests green on 5.3.8. + +### V03 — json-smart 2.4.2 → 2.5.2 (CVE-2021-31684, CVE-2023-1370) + +- **What/why:** out-of-bounds read (fixed 2.4.4) and uncontrolled recursion DoS (fixed 2.4.9) in a JSON parser that sits on the OIDC token-parsing path. +- **How:** root `pom.xml`: `2.4.2` → `2.5.2`. +- **Dependency path (from `mvn dependency:tree`):** `legend-shared-pac4j-gitlab` / `-ping` → `com.nimbusds:nimbus-jose-jwt:8.0` → `net.minidev:json-smart` (version forced to 2.4.2 by the root dependencyManagement pin). +- **Blast radius:** low. json-smart 2.5.x is API-compatible for nimbus 8.0's usage; parses IdP-supplied JWT/JSON during OIDC login in downstream apps. +- **Note:** after V07 (nimbus 9.x) this dependency may leave the tree entirely — nimbus 9.x no longer declares json-smart. When executing V07, check the tree and retire this pin if it's gone. +- **Verification:** `mvn -B install`; `mvn dependency:tree -Dincludes=net.minidev:json-smart` shows only 2.5.2. +- **Status:** ☑ 2026-07-03 — build green; tree shows json-smart/accessors-smart 2.5.2 only. + +### V04 — Jetty 9.4.44 → latest 9.4.x (CVE-2024-13009 + 4 mediums) + +- **What/why:** closes CVE-2024-13009 (GzipHandler request-body leak, high), CVE-2024-8184 (ThreadLimitHandler DoS), CVE-2023-26048 (multipart OOM), CVE-2023-40167 ("+"-prefixed Content-Length smuggling vector), CVE-2024-9823 (DosFilter DoS) — plus already-published 9.4.x highs not currently alerting (CVE-2023-36478 HPACK, CVE-2023-44487 rapid reset, both fixed by 9.4.53). +- **How:** root `pom.xml`: `9.4.44.v20210927` → the newest `9.4.x` on Maven Central at execution time (≥ `9.4.57.v20241219`). One property drives all 9 pinned jetty artifacts. +- **Dependency path:** jetty artifacts arrive transitively via `dropwizard-jetty`/`dropwizard-jersey` (Dropwizard 1.3.29 wants 9.4.z of its own) and are overridden by the root dependencyManagement pins. `jetty-io` and `jetty-xml` are *not* pinned — they follow the pinned artifacts' own requirements, so confirm they land on the same version. +- **Blast radius:** the widest of Wave 1 — this is the HTTP engine of every Legend server. Mitigating: Dropwizard 1.3 is API-compatible with later 9.4.x patches (drop-in), and 9.4.x maintained strict patch-compat. +- **Explicitly NOT fixed:** CVE-2026-2332 (D1) and CVE-2024-6763 (D5) have no 9.4 fix. Merging this must not be read as "jetty is clean". +- **Verification:** `mvn -B install`; `mvn dependency:tree -Dincludes=org.eclipse.jetty:*` shows a single version for all artifacts including jetty-io/jetty-xml; boot the shaded server as a smoke test: + ```sh + java -cp legend-shared-server/target/legend-shared-server-*-shaded.jar \ + org.finos.legend.server.shared.staticserver.Server server legend-shared-server/src/test/resources/testConfig.json + ``` + and confirm it serves the static root and `/admin/healthcheck`. +- **Status:** ☑ 2026-07-03 — build + tests green; tree shows all jetty artifacts (incl. unpinned jetty-io/jetty-xml) at 9.4.57.v20241219; shaded-jar smoke test served `/` (200) and a healthy `/admin/healthcheck`. Note: invoke the smoke test as `Server server ` — with a missing path it falls back to the bundled default config (AnonymousClient, port 8080). + +### V05 — test-scope Spring bumps (CVE-2023-20883) + +- **What/why:** `spring-boot-autoconfigure` 2.3.3.RELEASE (welcome-page DoS, fixed 2.5.15) and EOL `spring-test` 4.3.24. **Test scope only in `legend-shared-pac4j-gitlab` and others — never shipped to consumers.** Fixed for scanner hygiene, not real exposure. +- **How:** root `pom.xml`: `` → `2.7.18` (last 2.x line), `` → `5.3.39`. spring-test 4.3 → 5.3 may need small test adjustments (JUnit 4 runner API is stable; imports unchanged for `spring-test` basics). +- **Blast radius:** zero at runtime (test scope). Risk is limited to compile errors in test code; fix forward within the PR. +- **Verification:** `mvn -B install` (all module test suites). +- **Status:** ☑ 2026-07-03 — done. Gotcha found and fixed: spring-test 5.x `MockHttpServletResponse.addCookie` needs `spring-web` on the classpath (`NoClassDefFoundError: org/springframework/http/HttpHeaders`); added `org.springframework:spring-web` (same version property) as a test dependency in the root DM and in `legend-shared-pac4j`, `-kerberos`, `-ping`. Build green after. + +## Wave 2 — Jackson family + snakeyaml, one coordinated PR + +### V06 — Jackson 2.10.x → 2.18.8 with snakeyaml 2.x (12 alerts) + +Closes, per Dependabot: + +| CVE | Artifact | Severity | Fixed in | +|-----|----------|----------|----------| +| CVE-2026-54512 | jackson-databind | high 8.1 | 2.18.8 | +| CVE-2026-54513 | jackson-databind | high 8.1 | 2.18.8 | +| CVE-2022-42003 | jackson-databind | high 7.5 | 2.12.7.1 | +| CVE-2022-42004 | jackson-databind | high 7.5 | 2.12.7.1 | +| CVE-2020-36518 | jackson-databind | high 7.5 | 2.12.6.1 | +| CVE-2021-46877 | jackson-databind | high 7.5 | 2.12.6 | +| CVE-2025-52999 | jackson-core | high | 2.15.0 | +| CVE-2026-50193 | jackson-databind | medium | 2.14.0 | +| CVE-2026-54514 | jackson-databind | medium 5.3 | 2.18.8 | +| CVE-2025-49128 | jackson-core | medium 4.0 | 2.13.0 | +| GHSA-72hv-8253-57qq | jackson-core | medium | 2.18.6 | +| CVE-2022-1471 | snakeyaml | **high 8.3 (RCE)** | 2.0 | + +- **Why one PR:** these cannot move independently. `jackson-dataformat-yaml` < 2.15 is hard-incompatible with snakeyaml 2.x, so the snakeyaml RCE fix *requires* the jackson bump; and mixed jackson module versions on one classpath is the classic runtime breakage. This is the transitive-ordering pivot of the whole register. +- **How:** + 1. Root pom properties: `jackson.version` 2.10.5 → `2.18.8`, `jackson.databind.version` 2.10.5.1 → `2.18.8`, `jackson.dataformat.yaml.version` 2.11.2 → `2.18.8`, `snakeyaml.version` 1.33 → the version `jackson-dataformat-yaml:2.18.8` declares (2.3 line; confirm from its pom at execution). + 2. **Align Dropwizard's transitive jackson modules.** From the real tree, `dropwizard-jackson:1.3.29` pulls at **2.9.10**: `jackson-datatype-guava`, `jackson-datatype-jsr310`, `jackson-datatype-jdk8`, `jackson-datatype-joda`, `jackson-module-parameter-names`, `jackson-module-afterburner`; `dropwizard-jersey` additionally pulls `jackson-jaxrs-json-provider`/`jackson-jaxrs-base`/`jackson-module-jaxb-annotations` at 2.9.10. Cleanest fix: import the Jackson BOM in `dependencyManagement` **before** other entries: + ```xml + + com.fasterxml.jackson + jackson-bom + 2.18.8 + pom + import + + ``` + then verify no `com.fasterxml.jackson*` artifact resolves below 2.18.8 anywhere in the reactor. +- **Blast radius:** high-touch but well-tested territory: + - Dropwizard 1.3 config parsing (`dropwizard-configuration` + dataformat-yaml + snakeyaml) is how **every downstream Legend app boots**. Dropwizard 1.3 was built against jackson 2.9; jackson's public API has been stable, but `jackson-module-afterburner` (bytecode generation) is the most likely runtime breakage — if the full suite or server boot fails on afterburner, exclude it from `dropwizard-jackson` in the root DM (Dropwizard falls back to plain reflection; minor perf cost, no functional change). + - pac4j profile JSON round-tripping in `legend-shared-pac4j` (`SerializableProfile`, `StringOrArrayDeserializer` and its tests). + - snakeyaml 2.x removes unsafe global-tag construction (the CVE). Dropwizard/jackson-dataformat-yaml don't rely on it; custom YAML anywhere in downstream apps that used snakeyaml 1.x `Constructor` semantics would — flag in the release notes of the next legend-shared release. +- **Exposure context (why this is urgent-but-not-fire):** the two 8.1 CVEs (2026-54512/13) require polymorphic default typing, which this repo does not use (verified: no `enableDefaultTyping`/`activateDefaultTyping` in source). CVE-2022-1471 requires attacker-controlled YAML; here snakeyaml parses trusted server config files. Both worth fixing regardless — downstream apps share this classpath and may have other exposure. +- **Verification:** + - `mvn -B install` — full reactor, all tests, checkstyle. + - `mvn dependency:tree | grep -E 'jackson|snakeyaml'` — every jackson artifact at 2.18.8, snakeyaml at its 2.x target, nothing left at 2.9.10/2.10.x/1.33. + - Boot the shaded static server against a real YAML/JSON config (same smoke test as V04) — this exercises the Dropwizard config-parsing path end-to-end. + - Deserialization round-trip tests in `legend-shared-pac4j` (`deserializer`, `mongostore`, `hazelcaststore` test packages) all green. +- **Status:** ☑ 2026-07-03 — jackson-bom 2.18.8 imported at the top of dependencyManagement; properties bumped (jackson* → 2.18.8, snakeyaml → 2.3). Full build + tests green on first run (afterburner included — no exclusion needed). Tree check: all 13 `com.fasterxml.jackson*` artifacts at 2.18.8, snakeyaml at 2.3, nothing left at 2.9.10/2.10.x/1.33. Shaded-server smoke test: config parsed, healthcheck healthy, `/` 200, no errors logged. + +## Wave 3 — after Wave 2, needs runtime auth verification + +### V07 — nimbus-jose-jwt 8.0 → ≥ 9.37.4 (CVE-2023-52428, CVE-2025-53864) + +- **What/why:** DoS via expensive PBES2 `p2c` values (fixed 9.37.2) and deeply-nested JSON (fixed 9.37.4). Parses IdP-supplied tokens — genuinely attacker-reachable in OIDC deployments. +- **How:** root `pom.xml`: `8.0` → `9.37.4` (or latest 9.37.x/10.x compatible at execution time). +- **Dependency path:** `legend-shared-pac4j-gitlab` and `-ping` depend on nimbus **directly** (pinned 8.0) and exclude the copy from `pac4j-oidc:4.5.8`; `pac4j-oidc` also pulls `com.nimbusds:oauth2-oidc-sdk:8.22`, which was built against nimbus 8.x. +- **Blast radius / why last:** the OIDC login flow of every Legend app that uses `PingIndirectClient`/OIDC. The compile-time API used by this repo is small, but `oauth2-oidc-sdk:8.22` ↔ nimbus 9.x runtime compatibility is the real risk (`NoSuchMethodError` at login time, not at build time). Two-step approach: + 1. Bump nimbus alone; run the full build; then **manually verify a real OIDC login** against a test IdP (or at minimum a downstream Legend app's auth integration test) — unit tests here do not cover the flow. + 2. If incompatible, additionally pin `com.nimbusds:oauth2-oidc-sdk` to a 9.x version compatible with both nimbus 9.37.x and pac4j-oidc 4.5.8's API usage, and re-verify. +- **Cleanup:** checked — json-smart does **not** drop out: it remains in the tree via `oauth2-oidc-sdk:8.22` (not via nimbus). The V03 pin stays load-bearing; do not retire it. +- **Verification:** full build; manual OIDC flow sign-in reaching a profile-authenticated endpoint; sequencing after V06 keeps jackson noise out of any failure triage. +- **Status:** ☑ 2026-07-03 — build + all tests green on nimbus 9.37.4 with oidc-sdk 8.22, including `GitlabClientRenewProfileTest` (token flow against a mock IdP via mockwebserver) and `OidcProfileTest`. **Outstanding before release:** a manual OIDC login against a real IdP (or a downstream Legend app's auth integration environment) — the unit suite does not cover the full authorization-code flow. + +--- + +## Deferred — documented risk, blocked by the Java 8 baseline + +### D1 — Jetty CVE-2026-2332 (request smuggling via chunked-extension parsing, high 7.4) + +Every 9.4.x release is affected and **the 9.4 line is EOL — no fix exists or is coming**. +**Scanner note (2026-07-03, PR #259):** WhiteSource/Mend's suggested "9.4.60" is a **HeroDevs NES (commercial) release**, not an Eclipse artifact — nothing ≥ 9.4.59 exists on Maven Central (latest is 9.4.58.v20250814, still inside the GH advisory's vulnerable range ≤ 9.4.59). +**Commercial mitigation option (deployer-side, not upstream):** HeroDevs Never-Ending Support publishes drop-in Jetty 9.4.x patches under the same `org.eclipse.jetty` coordinates from their private registry (`registry.nes.herodevs.com/maven/`, subscription + access token required): 9.4.59 fixes CVE-2025-11143 (D6), 9.4.60 fixes CVE-2026-2332 (this item), 9.4.61 additionally fixes CVE-2026-5795. **legend-shared itself cannot adopt these**: it publishes to Maven Central, where all dependencies must be publicly resolvable, and a FINOS project cannot make a paid artifact a mandatory dependency. Organizations deploying Legend that need these CVEs closed before Phase 2 can subscribe to NES and override `jetty.version` (or the jetty entries) in their own dependencyManagement — the same-GAV design makes it a build-time swap with no code changes. Mirror the NES artifacts through your internal repository manager and verify provenance per your supply-chain policy. The fixed lines require Jetty 10/11/12 → Dropwizard ≥ 2.1/3.x → Java 11 baseline (Phase 2). +**Interim mitigation (operators):** request smuggling requires a parsing disagreement between a front proxy and Jetty. Legend deployments front these servers with a reverse proxy/LB; ensure it normalizes or rejects chunked-extension quoted strings and does not reuse backend connections across clients. Document in deployment guidance. +**Revisit:** Phase 2, or immediately if a 9.4 backport ever appears (check the alert). + +### D2 — pac4j-core CVE-2026-40458 (CSRF, high 6.5; fixed in 5.7.10) + +pac4j 5.x requires Java 11, and the upgrade is invasive far beyond a version pin: + +- this repo subclasses/implements pac4j internals that changed across 4.x → 5.x: `LegendSecurityLogic` (extends `DefaultSecurityLogic`), `HttpSessionStore` (implements `SessionStore`), `JEEContext` usage, `LegendClientFinder`, custom matchers; +- session state is Java-serialized into MongoDB/Hazelcast via pac4j's `JavaSerializationHelper` (`MongoDbSessionStore`, `HazelcastSessionStore`) — pac4j profile classes changed shape across majors, so an upgrade **invalidates or errors on live sessions** during rolling deploys of downstream apps (users forced to re-login; mixed-version fleets may throw on deserialization). + +**Exposure assessment:** legend-shared does not wire pac4j's CSRF authorizer/token machinery at all — authorizers come solely from app config (`LegendPac4jConfiguration.authorizers`, default empty). The vulnerable pac4j CSRF code paths are therefore not exercised by legend-shared's default wiring; a downstream app would have to opt into pac4j's `CsrfAuthorizer` in its own config to be exposed. Confirm per-app before treating this as urgent. +**Revisit:** Phase 2. + +### D3 — Dropwizard 1.3.29 EOL (enabler, no direct alert) + +Dropwizard 1.3 has been EOL since 2020 and is the structural blocker behind D1/D2. The last Java-8-compatible line is 2.0.x, which still ships Jetty 9.4 — so a 2.0 hop alone buys none of the deferred CVEs and is not worth its migration cost. The real path is Phase 2 below. + +### D4 — jackson-databind CVE-2026-54515 (medium 5.3) — WATCH + +Case-insensitive deserialization bypass; **no patched version exists yet** (vulnerable range `< 2.18.9`, fix expected in 2.18.9; WhiteSource cites only jackson-databind **3.1.4** — a 3.x major, not a drop-in). Nothing to upgrade to; V06 lands us on 2.18.8. **Each session: re-run the alert query; when a 2.18.9 appears, fold it into a one-line patch bump.** + +### D5 — Jetty CVE-2024-6763 (URI authority parsing, medium 3.7) + +Fixed only in **Jetty 12.0.12** — even Jetty 10/11 are affected, so this outlives a Phase-2 Dropwizard 3.x migration unless that lands on Jetty 12 (Dropwizard 4.x/5.x territory). Low CVSS, parsing-hygiene issue. Accepted risk alongside D1. + +### D6 — Jetty CVE-2025-11143 (jetty-http) + +Surfaced by WhiteSource on PR #259 (not in the Dependabot baseline). Fixed only in **Jetty 12.0.31 / 12.1.5** on the open-source line — same Jetty-12-only situation as D5. Also fixed in the commercial HeroDevs NES 9.4.59 (see the mitigation note under D1). Accepted risk alongside D1/D5; revisit with the Phase-2 track. + +### Scanner reconciliation (WhiteSource, PR #259) + +The WhiteSource check on PR #259 reported "37 vulnerabilities remediated, 4 new". The "4 new" are **not regressions** — WhiteSource attributes findings to jar versions, so the bumped jars (jetty-http 9.4.57, jackson-databind 2.18.8) count as "newly introduced" carriers of the already-known unfixable items: CVE-2026-2332 (D1), CVE-2026-54515 (D4), CVE-2024-6763 (D5), CVE-2025-11143 (D6). None has a shippable fix on the Java-8-compatible stack today. + +## Phase 2 track (separate effort, FINOS/Legend-wide decision) + +Unlocking D1/D2/D3 (and improving D5) requires raising the compiled bytecode target from Java 8 — a breaking change for any downstream consumer still building on Java 8, so it needs coordination across the Legend project (legend-engine, legend-sdlc, etc. already build on 11+; the constraint is published-artifact consumers). Sequence when approved: + +1. Raise `maven.compiler.release` to 11 (major version bump of legend-shared). +2. Dropwizard 1.3 → 3.x (javax namespace retained, Jetty 10) or 4.x (jakarta namespace, Jetty 11) — decide against downstream servlet-API expectations; verify the `dropwizard-pac4j` compatibility matrix at that time. +3. pac4j 4.5.8 → 5.7.10+ (closes CVE-2026-40458): rewrite the subclassed internals listed in D2, plan a session-store invalidation/migration for Mongo/Hazelcast-persisted profiles, coordinate downstream deploys. +4. Jetty follows Dropwizard (closes CVE-2026-2332; CVE-2024-6763 only if the target line is Jetty 12). + +## Out-of-scope hygiene noted during analysis (no open alert) + +- `legend-shared-server/Dockerfile` base image `eclipse-temurin:11.0.17_8-jdk-jammy` is a 2022 JDK patch level — bump to a current temurin tag (and prefer `-jre`) next time the image is touched. +- The OpenTracing/Brave stack (opentracing deprecated upstream) and Jersey 2.23.2 are old but carry no open high/medium alerts; revisit in Phase 2. diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml new file mode 100644 index 00000000..8e371cab --- /dev/null +++ b/legend-shared-bom/pom.xml @@ -0,0 +1,529 @@ + + + + + 4.0.0 + + + + org.finos + finos + 7 + + + Legend Shared - BOM + Bill of Materials for Legend Shared modules and their shared third-party dependency stack + org.finos.legend.shared + legend-shared-bom + 0.35.4-SNAPSHOT + pom + https://legend.finos.org + + + scm:git:https://github.com/finos/legend-shared + HEAD + + + + + 3.18.0 + 1.10.0 + 1.3.29 + 4.0.0 + 33.4.6-jre + 2.18.8 + 2.18.8 + 2.18.8 + 2.3.2 + 2.1.1 + 1.1.1 + 3.1.0 + 2.3.0 + 2.3.2 + 2.23.2 + 2.23.1 + 9.4.57.v20241219 + 4.13.1 + 1.7.36 + 0.1.3.3 + 4.9.0 + 5.21.0 + 5.2.0 + 5.3.1 + 1.46.0 + 9.37.4 + 0.5.0 + 0.37.2 + 0.32.0 + 4.5.8 + 0.8.1 + 2.3 + 5.3.39 + 2.7.18 + 2.5.2 + 5.3.8 + + + + + + + com.fasterxml.jackson + jackson-bom + ${jackson.version} + pom + import + + + + + org.finos.legend.shared + legend-shared-server + ${project.version} + + + org.finos.legend.shared + legend-shared-pac4j + ${project.version} + + + org.finos.legend.shared + legend-shared-pac4j-kerberos + ${project.version} + + + org.finos.legend.shared + legend-shared-pac4j-gitlab + ${project.version} + + + org.finos.legend.shared + legend-shared-pac4j-ping + ${project.version} + + + org.finos.legend.shared + legend-shared-opentracing-base + ${project.version} + + + org.finos.legend.shared + legend-shared-opentracing-jersey + ${project.version} + + + org.finos.legend.shared + legend-shared-opentracing-test + ${project.version} + + + org.finos.legend.shared + legend-shared-opentracing-servlet-filter + ${project.version} + + + + + + org.slf4j + slf4j-api + ${slf4j.version} + + + + + + org.springframework + spring-test + ${spring.test.version} + + + + org.springframework + spring-web + ${spring.test.version} + + + org.springframework.boot + spring-boot-autoconfigure + ${spring.boot.autoconfigure.version} + + + + + + org.pac4j + pac4j-kerberos + ${pac4j.version} + + + org.springframework + spring-core + + + + + org.pac4j + pac4j-oidc + ${pac4j.version} + + + com.nimbusds + nimbus-jose-jwt + + + + + org.pac4j + pac4j-http + ${pac4j.version} + + + org.pac4j + pac4j-core + ${pac4j.version} + + + + org.apache.shiro + shiro-core + + + + + org.pac4j + dropwizard-pac4j + ${dropwizard.pac4j.version} + + + org.pac4j + pac4j-core + + + + + + + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + + + com.fasterxml.jackson.core + jackson-core + ${jackson.version} + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.databind.version} + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + ${jackson.dataformat.yaml.version} + + + + + + io.dropwizard + dropwizard-assets + ${dropwizard.version} + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + + + + + io.dropwizard + dropwizard-core + ${dropwizard.version} + + + io.dropwizard + dropwizard-testing + ${dropwizard.version} + + + + + + io.opentracing.contrib + opentracing-jaxrs2 + ${opentracing.jaxrs2.version} + + + io.opentracing.brave + brave-opentracing + ${opentracing.brave.version} + + + io.opentracing + opentracing-mock + ${opentracing.api.version} + + + + + + io.prometheus + simpleclient + ${prometheus.version} + + + + + + org.glassfish.jersey.test-framework.providers + jersey-test-framework-provider-grizzly2 + ${jersey.test.framework.version} + + + org.glassfish.jersey.core + jersey-client + ${jersey.client.version} + + + + + + org.mongodb + mongodb-driver-sync + ${mongo.driver.version} + + + de.bwaldvogel + mongo-java-server + ${mongo.server.version} + + + de.bwaldvogel + mongo-java-server-core + ${mongo.server.version} + + + de.bwaldvogel + mongo-java-server-memory-backend + ${mongo.server.version} + + + + + + junit + junit + ${junit.version} + + + + + + javax.xml.bind + jaxb-api + ${jaxb.version} + + + com.sun.xml.bind + jaxb-core + ${jaxb.version} + + + com.sun.xml.bind + jaxb-impl + ${jaxb.version} + + + + + + org.glassfish.jaxb + jaxb-runtime + ${jaxb.runtime.version} + + + + + javax.servlet + javax.servlet-api + ${javax.servlet.api.version} + + + javax.activation + activation + ${javax.activation.version} + + + + javax.ws.rs + javax.ws.rs-api + ${javax.jax-rs.version} + + + + + + jakarta.xml.bind + jakarta.xml.bind-api + ${jakarta.xml.bind.version} + + + + + org.apache.commons + commons-lang3 + ${commons.lang3.version} + + + org.apache.commons + commons-text + ${commons.text.version} + + + + + + com.google.guava + guava + ${guava.version} + + + + + net.minidev + json-smart + ${json-smart.version} + + + + com.hazelcast + hazelcast + ${hazelcast.version} + + + + com.squareup.okhttp3 + mockwebserver + ${mockwebserver.version} + + + org.mockito + mockito-core + ${mockito.version} + + + org.mockito + mockito-inline + ${mockito-inline.version} + + + com.nimbusds + nimbus-jose-jwt + ${nimbus.jwt.version} + + + org.commonjava.mimeparse + mimeparse + ${mimeparse.version} + + + commons-lang + commons-lang + + + + + org.eclipse.jetty + jetty-http + ${jetty.version} + + + org.eclipse.jetty + jetty-server + ${jetty.version} + + + org.eclipse.jetty + jetty-servlets + ${jetty.version} + + + org.eclipse.jetty + jetty-util + ${jetty.version} + + + org.eclipse.jetty + jetty-util-ajax + ${jetty.version} + + + org.eclipse.jetty + jetty-security + ${jetty.version} + + + org.eclipse.jetty + jetty-webapp + ${jetty.version} + + + org.eclipse.jetty + jetty-servlet + ${jetty.version} + + + org.eclipse.jetty + jetty-continuation + ${jetty.version} + + + + org.yaml + snakeyaml + ${snakeyaml.version} + + + + + + + docker + + + + + com.spotify + dockerfile-maven-plugin + 1.4.13 + + true + + + + + + + diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml index 72cd8a30..403405c7 100644 --- a/legend-shared-pac4j-kerberos/pom.xml +++ b/legend-shared-pac4j-kerberos/pom.xml @@ -81,6 +81,11 @@ spring-test test + + org.springframework + spring-web + test + diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml index 0d168671..74e92761 100644 --- a/legend-shared-pac4j-ping/pom.xml +++ b/legend-shared-pac4j-ping/pom.xml @@ -97,6 +97,11 @@ spring-test test + + org.springframework + spring-web + test + \ No newline at end of file diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml index 89d39a5d..4f4369d4 100644 --- a/legend-shared-pac4j/pom.xml +++ b/legend-shared-pac4j/pom.xml @@ -87,6 +87,11 @@ spring-test test + + org.springframework + spring-web + test + de.bwaldvogel mongo-java-server diff --git a/pom.xml b/pom.xml index a60b497b..5cffcebc 100644 --- a/pom.xml +++ b/pom.xml @@ -42,43 +42,7 @@ [11,12),[17,18),[21,22),[25,26) central - - 3.18.0 - 1.10.0 - 1.3.29 - 4.0.0 - 33.4.6-jre - 2.10.5 - 2.10.5.1 - 2.11.2 - 2.3.2 - 2.1.1 - 1.1.1 - 3.1.0 - 2.3.0 - 2.3.2 - 2.23.2 - 2.23.1 - 9.4.44.v20210927 - 4.13.1 - 1.7.36 - 0.1.3.3 - 4.9.0 - 5.21.0 - 5.2.0 - 5.3.1 - 1.46.0 - 8.0 - 0.5.0 - 0.37.2 - 0.32.0 - 4.5.8 - 0.8.1 - 1.33 - 4.3.24.RELEASE - 2.3.3.RELEASE - 2.4.2 - 5.3.1 + 3.3.1 @@ -105,6 +69,8 @@ + legend-shared-bom + legend-shared-test-reports legend-shared-pac4j @@ -316,405 +282,14 @@ - - - org.finos.legend.shared - legend-shared-server - ${project.version} - - - org.finos.legend.shared - legend-shared-pac4j - ${project.version} - - - org.finos.legend.shared - legend-shared-pac4j-kerberos - ${project.version} - - - org.finos.legend.shared - legend-shared-pac4j-gitlab - ${project.version} - - - org.finos.legend.shared - legend-shared-opentracing-base - ${project.version} - - - org.finos.legend.shared - legend-shared-opentracing-jersey - ${project.version} - + org.finos.legend.shared - legend-shared-opentracing-test + legend-shared-bom ${project.version} - - - org.finos.legend.shared - legend-shared-opentracing-servlet-filter - ${project.version} - - - - - - org.slf4j - slf4j-api - ${slf4j.version} - - - - - - org.springframework - spring-test - ${spring.test.version} - - - org.springframework.boot - spring-boot-autoconfigure - ${spring.boot.autoconfigure.version} - - - - - - org.pac4j - pac4j-kerberos - ${pac4j.version} - - - org.springframework - spring-core - - - - - org.pac4j - pac4j-oidc - ${pac4j.version} - - - com.nimbusds - nimbus-jose-jwt - - - - - org.pac4j - pac4j-http - ${pac4j.version} - - - org.pac4j - pac4j-core - ${pac4j.version} - - - - org.apache.shiro - shiro-core - - - - - org.pac4j - dropwizard-pac4j - ${dropwizard.pac4j.version} - - - org.pac4j - pac4j-core - - - - - - - - com.fasterxml.jackson.core - jackson-annotations - ${jackson.version} - - - com.fasterxml.jackson.core - jackson-core - ${jackson.version} - - - com.fasterxml.jackson.core - jackson-databind - ${jackson.databind.version} - - - com.fasterxml.jackson.dataformat - jackson-dataformat-yaml - ${jackson.dataformat.yaml.version} - - - - - - io.dropwizard - dropwizard-assets - ${dropwizard.version} - - - com.fasterxml.jackson.dataformat - jackson-dataformat-yaml - - - - - io.dropwizard - dropwizard-core - ${dropwizard.version} - - - io.dropwizard - dropwizard-testing - ${dropwizard.version} - - - - - - io.opentracing.contrib - opentracing-jaxrs2 - ${opentracing.jaxrs2.version} - - - io.opentracing.brave - brave-opentracing - ${opentracing.brave.version} - - - io.opentracing - opentracing-mock - ${opentracing.api.version} - - - - - - io.prometheus - simpleclient - ${prometheus.version} - - - - - - org.glassfish.jersey.test-framework.providers - jersey-test-framework-provider-grizzly2 - ${jersey.test.framework.version} - - - org.glassfish.jersey.core - jersey-client - ${jersey.client.version} - - - - - - org.mongodb - mongodb-driver-sync - ${mongo.driver.version} - - - de.bwaldvogel - mongo-java-server - ${mongo.server.version} - - - de.bwaldvogel - mongo-java-server-core - ${mongo.server.version} - - - de.bwaldvogel - mongo-java-server-memory-backend - ${mongo.server.version} - - - - - - junit - junit - ${junit.version} - - - - - - javax.xml.bind - jaxb-api - ${jaxb.version} - - - com.sun.xml.bind - jaxb-core - ${jaxb.version} - - - com.sun.xml.bind - jaxb-impl - ${jaxb.version} - - - - - - org.glassfish.jaxb - jaxb-runtime - ${jaxb.runtime.version} - - - - - javax.servlet - javax.servlet-api - ${javax.servlet.api.version} - - - javax.activation - activation - ${javax.activation.version} - - - - javax.ws.rs - javax.ws.rs-api - ${javax.jax-rs.version} - - - - - - jakarta.xml.bind - jakarta.xml.bind-api - ${jakarta.xml.bind.version} - - - - - org.apache.commons - commons-lang3 - ${commons.lang3.version} - - - org.apache.commons - commons-text - ${commons.text.version} - - - - - - com.google.guava - guava - ${guava.version} - - - - - net.minidev - json-smart - ${json-smart.version} - - - - com.hazelcast - hazelcast - ${hazelcast.version} - - - - com.squareup.okhttp3 - mockwebserver - ${mockwebserver.version} - - - org.mockito - mockito-core - ${mockito.version} - - - org.mockito - mockito-inline - ${mockito-inline.version} - - - com.nimbusds - nimbus-jose-jwt - ${nimbus.jwt.version} - - - org.commonjava.mimeparse - mimeparse - ${mimeparse.version} - - - commons-lang - commons-lang - - - - - org.eclipse.jetty - jetty-http - ${jetty.version} - - - org.eclipse.jetty - jetty-server - ${jetty.version} - - - org.eclipse.jetty - jetty-servlets - ${jetty.version} - - - org.eclipse.jetty - jetty-util - ${jetty.version} - - - org.eclipse.jetty - jetty-util-ajax - ${jetty.version} - - - org.eclipse.jetty - jetty-security - ${jetty.version} - - - org.eclipse.jetty - jetty-webapp - ${jetty.version} - - - org.eclipse.jetty - jetty-servlet - ${jetty.version} - - - org.eclipse.jetty - jetty-continuation - ${jetty.version} - - - - org.yaml - snakeyaml - ${snakeyaml.version} + pom + import From 72018351eab442c5fbc5966574ae250a02bae56e Mon Sep 17 00:00:00 2001 From: FINOS Administrator <37706051+finos-admin@users.noreply.github.com> Date: Fri, 3 Jul 2026 17:15:44 +0000 Subject: [PATCH 2/3] [maven-release-plugin] prepare release legend-shared-0.36.0-RC1 --- legend-shared-bom/pom.xml | 4 ++-- legend-shared-opentracing-base/pom.xml | 2 +- legend-shared-opentracing-jersey/pom.xml | 2 +- legend-shared-opentracing-servlet-filter/pom.xml | 2 +- legend-shared-opentracing-test/pom.xml | 2 +- legend-shared-pac4j-gitlab/pom.xml | 2 +- legend-shared-pac4j-kerberos/pom.xml | 2 +- legend-shared-pac4j-ping/pom.xml | 2 +- legend-shared-pac4j/pom.xml | 2 +- legend-shared-server/pom.xml | 2 +- legend-shared-test-reports/pom.xml | 2 +- pom.xml | 4 ++-- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml index 8e371cab..9b5259ea 100644 --- a/legend-shared-bom/pom.xml +++ b/legend-shared-bom/pom.xml @@ -33,13 +33,13 @@ Bill of Materials for Legend Shared modules and their shared third-party dependency stack org.finos.legend.shared legend-shared-bom - 0.35.4-SNAPSHOT + 0.36.0-RC1 pom https://legend.finos.org scm:git:https://github.com/finos/legend-shared - HEAD + legend-shared-0.36.0-RC1 diff --git a/legend-shared-opentracing-base/pom.xml b/legend-shared-opentracing-base/pom.xml index 927e2c0b..a0e841b8 100644 --- a/legend-shared-opentracing-base/pom.xml +++ b/legend-shared-opentracing-base/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-opentracing-base diff --git a/legend-shared-opentracing-jersey/pom.xml b/legend-shared-opentracing-jersey/pom.xml index e8f99c36..074f6dec 100644 --- a/legend-shared-opentracing-jersey/pom.xml +++ b/legend-shared-opentracing-jersey/pom.xml @@ -21,7 +21,7 @@ legend-shared org.finos.legend.shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-opentracing-jersey diff --git a/legend-shared-opentracing-servlet-filter/pom.xml b/legend-shared-opentracing-servlet-filter/pom.xml index 14c95e1a..24c9623d 100644 --- a/legend-shared-opentracing-servlet-filter/pom.xml +++ b/legend-shared-opentracing-servlet-filter/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-opentracing-servlet-filter diff --git a/legend-shared-opentracing-test/pom.xml b/legend-shared-opentracing-test/pom.xml index 9da2b1f0..3732fc12 100644 --- a/legend-shared-opentracing-test/pom.xml +++ b/legend-shared-opentracing-test/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-opentracing-test diff --git a/legend-shared-pac4j-gitlab/pom.xml b/legend-shared-pac4j-gitlab/pom.xml index 878aa86e..8ca9fe7c 100644 --- a/legend-shared-pac4j-gitlab/pom.xml +++ b/legend-shared-pac4j-gitlab/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-pac4j-gitlab diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml index 403405c7..22948f64 100644 --- a/legend-shared-pac4j-kerberos/pom.xml +++ b/legend-shared-pac4j-kerberos/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-pac4j-kerberos diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml index 74e92761..b43b2959 100644 --- a/legend-shared-pac4j-ping/pom.xml +++ b/legend-shared-pac4j-ping/pom.xml @@ -20,7 +20,7 @@ legend-shared org.finos.legend.shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-pac4j-ping diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml index 4f4369d4..21de1309 100644 --- a/legend-shared-pac4j/pom.xml +++ b/legend-shared-pac4j/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-pac4j diff --git a/legend-shared-server/pom.xml b/legend-shared-server/pom.xml index ce95a6a8..3096f8c8 100644 --- a/legend-shared-server/pom.xml +++ b/legend-shared-server/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-server diff --git a/legend-shared-test-reports/pom.xml b/legend-shared-test-reports/pom.xml index 47f3e5f8..37131973 100644 --- a/legend-shared-test-reports/pom.xml +++ b/legend-shared-test-reports/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 legend-shared-test-reports diff --git a/pom.xml b/pom.xml index 5cffcebc..4e79355e 100644 --- a/pom.xml +++ b/pom.xml @@ -27,7 +27,7 @@ Legend Shared org.finos.legend.shared legend-shared - 0.35.4-SNAPSHOT + 0.36.0-RC1 pom @@ -65,7 +65,7 @@ scm:git:https://github.com/finos/legend-shared - HEAD + legend-shared-0.36.0-RC1 From c76d7da1710308ed48233402424289428347b1a7 Mon Sep 17 00:00:00 2001 From: FINOS Administrator <37706051+finos-admin@users.noreply.github.com> Date: Fri, 3 Jul 2026 17:15:46 +0000 Subject: [PATCH 3/3] [maven-release-plugin] prepare for next development iteration --- legend-shared-bom/pom.xml | 4 ++-- legend-shared-opentracing-base/pom.xml | 2 +- legend-shared-opentracing-jersey/pom.xml | 2 +- legend-shared-opentracing-servlet-filter/pom.xml | 2 +- legend-shared-opentracing-test/pom.xml | 2 +- legend-shared-pac4j-gitlab/pom.xml | 2 +- legend-shared-pac4j-kerberos/pom.xml | 2 +- legend-shared-pac4j-ping/pom.xml | 2 +- legend-shared-pac4j/pom.xml | 2 +- legend-shared-server/pom.xml | 2 +- legend-shared-test-reports/pom.xml | 2 +- pom.xml | 4 ++-- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml index 9b5259ea..ef5163d4 100644 --- a/legend-shared-bom/pom.xml +++ b/legend-shared-bom/pom.xml @@ -33,13 +33,13 @@ Bill of Materials for Legend Shared modules and their shared third-party dependency stack org.finos.legend.shared legend-shared-bom - 0.36.0-RC1 + 0.36.1-SNAPSHOT pom https://legend.finos.org scm:git:https://github.com/finos/legend-shared - legend-shared-0.36.0-RC1 + HEAD diff --git a/legend-shared-opentracing-base/pom.xml b/legend-shared-opentracing-base/pom.xml index a0e841b8..45e1ac4a 100644 --- a/legend-shared-opentracing-base/pom.xml +++ b/legend-shared-opentracing-base/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-opentracing-base diff --git a/legend-shared-opentracing-jersey/pom.xml b/legend-shared-opentracing-jersey/pom.xml index 074f6dec..bf720fe2 100644 --- a/legend-shared-opentracing-jersey/pom.xml +++ b/legend-shared-opentracing-jersey/pom.xml @@ -21,7 +21,7 @@ legend-shared org.finos.legend.shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-opentracing-jersey diff --git a/legend-shared-opentracing-servlet-filter/pom.xml b/legend-shared-opentracing-servlet-filter/pom.xml index 24c9623d..27ecdc38 100644 --- a/legend-shared-opentracing-servlet-filter/pom.xml +++ b/legend-shared-opentracing-servlet-filter/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-opentracing-servlet-filter diff --git a/legend-shared-opentracing-test/pom.xml b/legend-shared-opentracing-test/pom.xml index 3732fc12..46f65dd0 100644 --- a/legend-shared-opentracing-test/pom.xml +++ b/legend-shared-opentracing-test/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-opentracing-test diff --git a/legend-shared-pac4j-gitlab/pom.xml b/legend-shared-pac4j-gitlab/pom.xml index 8ca9fe7c..e5fca8f1 100644 --- a/legend-shared-pac4j-gitlab/pom.xml +++ b/legend-shared-pac4j-gitlab/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-pac4j-gitlab diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml index 22948f64..e7e937d5 100644 --- a/legend-shared-pac4j-kerberos/pom.xml +++ b/legend-shared-pac4j-kerberos/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-pac4j-kerberos diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml index b43b2959..26c50cf6 100644 --- a/legend-shared-pac4j-ping/pom.xml +++ b/legend-shared-pac4j-ping/pom.xml @@ -20,7 +20,7 @@ legend-shared org.finos.legend.shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-pac4j-ping diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml index 21de1309..46289ce8 100644 --- a/legend-shared-pac4j/pom.xml +++ b/legend-shared-pac4j/pom.xml @@ -22,7 +22,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-pac4j diff --git a/legend-shared-server/pom.xml b/legend-shared-server/pom.xml index 3096f8c8..38650a44 100644 --- a/legend-shared-server/pom.xml +++ b/legend-shared-server/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-server diff --git a/legend-shared-test-reports/pom.xml b/legend-shared-test-reports/pom.xml index 37131973..2c0f44d8 100644 --- a/legend-shared-test-reports/pom.xml +++ b/legend-shared-test-reports/pom.xml @@ -21,7 +21,7 @@ org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT legend-shared-test-reports diff --git a/pom.xml b/pom.xml index 4e79355e..77e5cf67 100644 --- a/pom.xml +++ b/pom.xml @@ -27,7 +27,7 @@ Legend Shared org.finos.legend.shared legend-shared - 0.36.0-RC1 + 0.36.1-SNAPSHOT pom @@ -65,7 +65,7 @@ scm:git:https://github.com/finos/legend-shared - legend-shared-0.36.0-RC1 + HEAD