From add16527b74394289279912ecdb4c708b7d55e2a Mon Sep 17 00:00:00 2001
From: Rafael Bey-Hernandez <24432403+rafaelbey@users.noreply.github.com>
Date: Fri, 3 Jul 2026 13:14:15 -0400
Subject: [PATCH 1/3] Security: remediate open Dependabot alerts (24 of 29) +
remediation register (#259)
* Add security remediation register for open Dependabot alerts
Inventories all 29 open critical/high/medium alerts, groups them into
ordered remediation waves with transitive-dependency rationale and
per-item blast radius, and documents deferred items blocked by the
Java 8 baseline. Intended to be executed one item per PR.
* Add CLAUDE.md and correct README JDK requirements
The enforcer plugin requires JDK 11/17/21/25 to build; compiled code
targets Java 8. README previously said JDK 8.
* V01: pin trivy-action to 0.35.0 by commit SHA (CVE-2026-33634)
* V02: bump hazelcast to 5.3.8 (CVE-2023-45859, CVE-2023-45860)
* V03: bump json-smart to 2.5.2 (CVE-2021-31684, CVE-2023-1370)
* V04: bump jetty to 9.4.57.v20241219 (CVE-2024-13009 and 4 medium CVEs)
* V05: bump test-scope spring deps (CVE-2023-20883)
spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39.
spring-test 5.x mock-web requires spring-web for cookie handling; added
as a test dependency where spring-test is used.
* V06: bump jackson family to 2.18.8 and snakeyaml to 2.3
Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471)
and six jackson-databind highs. Imports jackson-bom so the datatype/
module/jaxrs jars Dropwizard pulls transitively stay on one version.
* V07: bump nimbus-jose-jwt to 9.37.4 (CVE-2023-52428, CVE-2025-53864)
Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP
token renewal test. Manual OIDC login verification against a real IdP
still recommended before release.
* Extract dependency management into legend-shared-bom
Moves all version properties and dependencyManagement from the root pom
into a published BOM module that Legend applications can import to stay
aligned with the versions (including the security bumps) managed here.
Documented in README; CVE-driven exclusions propagate to importers.
* Reconcile WhiteSource findings from PR #259 in remediation register
The 4 'new' findings are known unfixable items re-attributed to the
bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on
Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch),
CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only.
* Document HeroDevs NES option for the unfixable Jetty 9.4 CVEs
Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private
registry, same GAV). Not adoptable upstream (Central-resolvable deps
required; FINOS project), but documented as a deployer-side override
for organizations needing CVE-2026-2332/CVE-2025-11143 closed before
the Phase-2 migration.
---
.github/workflows/docker.yml | 2 +-
CLAUDE.md | 55 +++
README.md | 28 +-
docs/security-remediation.md | 215 +++++++++++
legend-shared-bom/pom.xml | 529 +++++++++++++++++++++++++++
legend-shared-pac4j-kerberos/pom.xml | 5 +
legend-shared-pac4j-ping/pom.xml | 5 +
legend-shared-pac4j/pom.xml | 5 +
pom.xml | 441 +---------------------
9 files changed, 850 insertions(+), 435 deletions(-)
create mode 100644 CLAUDE.md
create mode 100644 docs/security-remediation.md
create mode 100644 legend-shared-bom/pom.xml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c2462d68..55d69899 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -40,7 +40,7 @@ jobs:
# NOTE: if this gets more complicated, consider having this as a bash script
run: mkdir -p ./legend-shared-server/target && touch ./legend-shared-server/target/legend-shared-server-dummy.jar && docker build --quiet --tag local/legend-shared-server:${{ github.sha }} ./legend-shared-server
- name: Scan image for security issues
- uses: aquasecurity/trivy-action@0.2.2
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
# TODO: we should probably also setup misconfiguration scanning
# See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 00000000..84553037
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,55 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What this repo is
+
+Shared server-side infrastructure used across FINOS Legend applications: pac4j-based authentication, OpenTracing instrumentation, and a Dropwizard static-content server. Published to Maven Central as `org.finos.legend.shared:*`. Two tenets govern changes (from README): code must be genuinely used by the majority of Legend applications, and new dependencies are heavily scrutinized.
+
+## Build and test
+
+Maven multi-module build (parent pom at repo root, version `0.35.x`).
+
+- Build everything: `mvn install`
+- Build one module (with its deps): `mvn install -pl legend-shared-pac4j -am`
+- Run all tests in a module: `mvn test -pl legend-shared-pac4j`
+- Run a single test class: `mvn test -pl legend-shared-pac4j -Dtest=TestMongoDbSessionStore`
+- CI runs: `mvn install javadoc:javadoc`
+
+JDK: the enforcer plugin requires JDK 11, 17, 21, or 25 to *build* (CI uses 25), but `maven.compiler.release` is **8** — source code must stay Java 8 compatible (no `var`, no newer language features or APIs).
+
+Surefire test reports from all modules aggregate into `legend-shared-test-reports/surefire-reports-aggregate`. Tests use JUnit 4 (plus Mockito; Mongo tests use an in-memory `mongo-java-server`).
+
+## Checkstyle
+
+`mvn verify` runs checkstyle with `checkstyle_legend.xml` and **fails on warnings**. Notable enforced style:
+
+- Allman braces: opening brace on its own line (`LeftCurly` = `nl`), closing brace alone.
+- No star imports; custom import order; no tabs; 4-space indentation.
+- Every file needs the Apache 2.0 license header (see any existing `.java` file).
+
+Match the existing brace/format style exactly when editing — checkstyle will block the build otherwise.
+
+## Module architecture
+
+**Dependency management:**
+- `legend-shared-bom` — the single source of truth for dependency versions. All version properties and `dependencyManagement` live in `legend-shared-bom/pom.xml`; the root pom imports it (`import`), and it is published so Legend applications can import it too. Its parent is `org.finos:finos` (not the root pom — that would create a model cycle), so its `` is a literal kept in lockstep by the release plugin, and it carries its own `docker` profile skip. To change a dependency version, edit the BOM, not the root pom.
+
+**Authentication (pac4j):**
+- `legend-shared-pac4j` — the core. `LegendPac4jBundle` is a Dropwizard bundle (extends `Pac4jBundle`) that Legend apps install to get authentication; it wires pac4j `Client`s from YAML config (`LegendPac4jConfiguration`), sets up security filters (`internal/SecurityFilterHandler`, `UsernameFilter`), and selects a session store. Session state can live in MongoDB (`mongostore/MongoDbSessionStore`, encrypted via `SessionCrypt`) or Hazelcast (`hazelcaststore/HazelcastSessionStore`), fronted by `internal/HttpSessionStore`; `sessionutil/SessionToken` manages the session cookie. `mongoauthorizer/MongoDbAuthorizer` authorizes against a Mongo collection.
+- `legend-shared-pac4j-kerberos`, `-gitlab`, `-ping` — pluggable pac4j clients/authenticators for each identity provider, discovered via Jackson subtypes in app YAML config. The GitLab module includes personal-access-token auth and group-based authorization.
+
+**Tracing (OpenTracing/Zipkin):**
+- `legend-shared-opentracing-base` — core `OpenTracing` setup, span reporters, pluggable `AuthenticationProvider`s for the trace collector.
+- `legend-shared-opentracing-jersey` — `JerseyClientSender` for shipping spans over Jersey.
+- `legend-shared-opentracing-servlet-filter` — `OpenTracingFilter` and span decorators for inbound requests.
+- `legend-shared-opentracing-test` — shared test helper (`ClientSenderTest`).
+
+**Server:**
+- `legend-shared-server` — Dropwizard static-content server (`staticserver/Server` is the main class) plus reusable bundles Legend apps install: `StaticServerBundle`, `LocalAssetBundle`/`LocalAssetServlet`, CORS (`CorsBundleWrapper`), `OpenTracingBundle`, `HtmlRouterRedirectBundle`, `HostnameHeaderBundle`. Has a `Dockerfile`; the docker image is built by the `docker.yml` workflow.
+
+The dependency direction: `legend-shared-server` consumes the pac4j and opentracing modules; provider modules (`-kerberos`, `-gitlab`, `-ping`) depend on `legend-shared-pac4j`.
+
+## Releases
+
+Releases are cut via maven-release-plugin through GitHub workflows (`release.yml`); commits containing `[maven-release-plugin]` are skipped by CI. Don't bump versions manually.
diff --git a/README.md b/README.md
index 48b73286..4a767abf 100644
--- a/README.md
+++ b/README.md
@@ -12,9 +12,35 @@ The important tenets for this project are:
* Code must be genuinely used by the majority of Legend applications
* New dependencies must be carefully scrutinized - the goal is to minimize unnecessary dependencies in apps.
+## Using the BOM
+
+Legend applications can import `legend-shared-bom` to normalize the versions of the
+`org.finos.legend.shared:*` modules and the common third-party stack (Jackson, Dropwizard,
+pac4j, Jetty, Guava, SLF4J, MongoDB driver, Hazelcast, test libraries, etc.):
+
+```xml
+
+
+
+ org.finos.legend.shared
+ legend-shared-bom
+ ${legend.shared.version}
+ pom
+ import
+
+
+
+```
+
+Notes:
+* Some managed entries carry deliberate `` (e.g. `shiro-core` from `pac4j-core`) that
+ encode CVE/conflict resolutions; these propagate to importers by design.
+* To override a version, declare the artifact in your own `dependencyManagement` before (or instead
+ of) relying on the import — redefining the BOM's version properties has no effect across an import.
+
## Development setup
-This application uses Maven 3.6+ and JDK 8. Simply run `mvn install` to compile.
+This application uses Maven 3.6+ and JDK 11, 17, 21, or 25 (compiled code targets Java 8). Simply run `mvn install` to compile.
## Roadmap
diff --git a/docs/security-remediation.md b/docs/security-remediation.md
new file mode 100644
index 00000000..ea51f4f6
--- /dev/null
+++ b/docs/security-remediation.md
@@ -0,0 +1,215 @@
+# Security Remediation Register
+
+**Scope:** all open Dependabot alerts of severity **critical, high, and medium** on `finos/legend-shared`.
+**Baseline:** 29 open alerts as of 2026-07-03 (1 critical, 17 high, 11 medium), inventoried from the GitHub Dependabot API.
+**Constraint:** the library keeps its Java 8 bytecode target (`maven.compiler.release=8` in the root pom). Fixes that require a Java 11+ baseline (Jetty 10+, pac4j 5.x, Dropwizard 2.1+) are deferred to the Phase 2 track at the bottom of this document, with rationale.
+
+## How to use this document
+
+Each remediation item below is sized to be executed **one at a time**, one PR per item. For each session:
+
+1. Refresh the alert list and confirm the item's alerts are still open:
+ ```sh
+ gh api 'repos/finos/legend-shared/dependabot/alerts?state=open&severity=critical,high,medium&per_page=100' --paginate \
+ --jq '.[] | [.number, .security_advisory.severity, .dependency.package.name, (.security_vulnerability.first_patched_version.identifier // "NONE"), (.security_advisory.cve_id // .security_advisory.ghsa_id)] | @tsv'
+ ```
+2. Pick the next `☐` item, respecting the wave order (Wave 1 items are order-independent among themselves; Wave 2 before Wave 3).
+3. Apply the change described in the item (usually a one-property edit in the root `pom.xml`).
+4. Run the item's **Verification** steps. `mvn -B install` runs tests *and* checkstyle for the whole reactor.
+5. Confirm the resolved version with `mvn dependency:tree -Dincludes=:` — exactly one version must appear, everywhere.
+6. Open one PR per item; after merge, Dependabot re-scans and the alerts should auto-close. Update the item's status here (`☐` → `☑` with date/PR#) in the same PR or a follow-up.
+
+Items must not be batched across waves in a single PR: a per-item history is what makes a bad bump bisectable and revertable.
+
+## Register
+
+| Item | Wave | Component | Current → Target | Alerts closed (severity) | Status |
+|------|------|-----------|------------------|--------------------------|--------|
+| V01 | 0 | `aquasecurity/trivy-action` (CI) | < 0.35.0 → 0.35.0 (SHA-pinned) | CVE-2026-33634 (critical) | ☑ 2026-07-03 |
+| V02 | 1 | `com.hazelcast:hazelcast` | 5.3.1 → 5.3.8 | CVE-2023-45859 (high 7.6), CVE-2023-45860 (high 6.5) | ☑ 2026-07-03 |
+| V03 | 1 | `net.minidev:json-smart` | 2.4.2 → 2.5.2 | CVE-2021-31684 (high 7.5), CVE-2023-1370 (high 7.5) | ☑ 2026-07-03 |
+| V04 | 1 | `org.eclipse.jetty:*` (9 artifacts, one property) | 9.4.44.v20210927 → 9.4.57.v20241219 | CVE-2024-13009 (high 7.2), CVE-2024-8184 (med 5.9), CVE-2023-26048 (med 5.3), CVE-2023-40167 (med 5.3), CVE-2024-9823 (med 5.3) | ☑ 2026-07-03 |
+| V05 | 1 | `spring-boot-autoconfigure` / `spring-test` (test scope) | 2.3.3 → 2.7.18 / 4.3.24 → 5.3.39 | CVE-2023-20883 (high 7.5) | ☑ 2026-07-03 |
+| V06 | 2 | Jackson family + snakeyaml (coordinated) | jackson 2.10.5/2.10.5.1/2.11.2 → 2.18.8; snakeyaml 1.33 → 2.3 | 12 alerts — see item | ☑ 2026-07-03 |
+| V07 | 3 | `com.nimbusds:nimbus-jose-jwt` | 8.0 → 9.37.4 | CVE-2023-52428 (high 7.5), CVE-2025-53864 (med 5.8) | ☑ 2026-07-03 (manual OIDC check pending) |
+| D1 | deferred | `org.eclipse.jetty:jetty-http` | no fix in 9.4 line | CVE-2026-2332 (high 7.4) | accepted risk |
+| D2 | deferred | `org.pac4j:pac4j-core` | fix is 5.7.10 (Java 11) | CVE-2026-40458 (high 6.5) | accepted risk |
+| D3 | deferred | Dropwizard 1.3.29 EOL | 2.0.x is last Java-8 line | (enabler, no direct alert) | Phase 2 |
+| D4 | watch | `jackson-databind` | no patched version exists yet | CVE-2026-54515 (med 5.3) | watch |
+| D5 | deferred | `org.eclipse.jetty:jetty-http` | fix only in Jetty 12.0.12 | CVE-2024-6763 (med 3.7) | accepted risk |
+| D6 | deferred | `org.eclipse.jetty:jetty-http` | fix only in Jetty 12.0.31/12.1.5 | CVE-2025-11143 (WhiteSource) | accepted risk |
+
+All 29 baseline alerts are accounted for: V01 (1), V02 (2), V03 (2), V04 (5), V05 (1), V06 (12), V07 (2), D1 (1), D2 (1), D4 (1), D5 (1).
+
+---
+
+## Wave 0 — CI-only
+
+### V01 — trivy-action supply-chain pin (CVE-2026-33634, critical)
+
+- **What/why:** `.github/workflows/docker.yml` uses `aquasecurity/trivy-action` < 0.35.0, whose ecosystem was briefly compromised. CI-only; nothing shipped in the library is affected.
+- **How:** bump the action reference to ≥ 0.35.0 in `docker.yml`. Prefer pinning by full commit SHA rather than tag (standard mitigation for action supply-chain risk).
+- **Blast radius:** the Docker publish workflow only. No library consumer impact.
+- **Verification:** workflow runs green on the PR (`docker.yml` triggers) or via a manual `workflow_dispatch` if it doesn't run on PRs.
+- **Status:** ☑ 2026-07-03 — pinned to commit `57a97c7e` (tag 0.35.0). Workflow-green check pending on PR.
+
+## Wave 1 — independent version-pin bumps (any order)
+
+### V02 — Hazelcast 5.3.1 → 5.3.8 (CVE-2023-45859, CVE-2023-45860)
+
+- **What/why:** missing permission checks in Hazelcast client protocol / CSV source connector; both fixed in 5.3.5. Target the latest 5.3.x patch (5.3.8) for the rest of the 5.3 fixes.
+- **How:** root `pom.xml`: `5.3.1` → `5.3.8`.
+- **Dependency path:** direct dependency of `legend-shared-pac4j` (used only by `HazelcastSessionStore`); reaches downstream apps through that module.
+- **Blast radius:** small. Patch-level within 5.3.x, wire-format compatible; only affects deployments configured to use the Hazelcast session store. Note the recent `Fix hazelcast store (#257)` commit — the hazelcaststore tests are current and meaningful coverage.
+- **Verification:** `mvn -B install` (the `hazelcaststore` tests in `legend-shared-pac4j` exercise the store end-to-end).
+- **Status:** ☑ 2026-07-03 — full reactor build + tests green on 5.3.8.
+
+### V03 — json-smart 2.4.2 → 2.5.2 (CVE-2021-31684, CVE-2023-1370)
+
+- **What/why:** out-of-bounds read (fixed 2.4.4) and uncontrolled recursion DoS (fixed 2.4.9) in a JSON parser that sits on the OIDC token-parsing path.
+- **How:** root `pom.xml`: `2.4.2` → `2.5.2`.
+- **Dependency path (from `mvn dependency:tree`):** `legend-shared-pac4j-gitlab` / `-ping` → `com.nimbusds:nimbus-jose-jwt:8.0` → `net.minidev:json-smart` (version forced to 2.4.2 by the root dependencyManagement pin).
+- **Blast radius:** low. json-smart 2.5.x is API-compatible for nimbus 8.0's usage; parses IdP-supplied JWT/JSON during OIDC login in downstream apps.
+- **Note:** after V07 (nimbus 9.x) this dependency may leave the tree entirely — nimbus 9.x no longer declares json-smart. When executing V07, check the tree and retire this pin if it's gone.
+- **Verification:** `mvn -B install`; `mvn dependency:tree -Dincludes=net.minidev:json-smart` shows only 2.5.2.
+- **Status:** ☑ 2026-07-03 — build green; tree shows json-smart/accessors-smart 2.5.2 only.
+
+### V04 — Jetty 9.4.44 → latest 9.4.x (CVE-2024-13009 + 4 mediums)
+
+- **What/why:** closes CVE-2024-13009 (GzipHandler request-body leak, high), CVE-2024-8184 (ThreadLimitHandler DoS), CVE-2023-26048 (multipart OOM), CVE-2023-40167 ("+"-prefixed Content-Length smuggling vector), CVE-2024-9823 (DosFilter DoS) — plus already-published 9.4.x highs not currently alerting (CVE-2023-36478 HPACK, CVE-2023-44487 rapid reset, both fixed by 9.4.53).
+- **How:** root `pom.xml`: `9.4.44.v20210927` → the newest `9.4.x` on Maven Central at execution time (≥ `9.4.57.v20241219`). One property drives all 9 pinned jetty artifacts.
+- **Dependency path:** jetty artifacts arrive transitively via `dropwizard-jetty`/`dropwizard-jersey` (Dropwizard 1.3.29 wants 9.4.z of its own) and are overridden by the root dependencyManagement pins. `jetty-io` and `jetty-xml` are *not* pinned — they follow the pinned artifacts' own requirements, so confirm they land on the same version.
+- **Blast radius:** the widest of Wave 1 — this is the HTTP engine of every Legend server. Mitigating: Dropwizard 1.3 is API-compatible with later 9.4.x patches (drop-in), and 9.4.x maintained strict patch-compat.
+- **Explicitly NOT fixed:** CVE-2026-2332 (D1) and CVE-2024-6763 (D5) have no 9.4 fix. Merging this must not be read as "jetty is clean".
+- **Verification:** `mvn -B install`; `mvn dependency:tree -Dincludes=org.eclipse.jetty:*` shows a single version for all artifacts including jetty-io/jetty-xml; boot the shaded server as a smoke test:
+ ```sh
+ java -cp legend-shared-server/target/legend-shared-server-*-shaded.jar \
+ org.finos.legend.server.shared.staticserver.Server server legend-shared-server/src/test/resources/testConfig.json
+ ```
+ and confirm it serves the static root and `/admin/healthcheck`.
+- **Status:** ☑ 2026-07-03 — build + tests green; tree shows all jetty artifacts (incl. unpinned jetty-io/jetty-xml) at 9.4.57.v20241219; shaded-jar smoke test served `/` (200) and a healthy `/admin/healthcheck`. Note: invoke the smoke test as `Server server ` — with a missing path it falls back to the bundled default config (AnonymousClient, port 8080).
+
+### V05 — test-scope Spring bumps (CVE-2023-20883)
+
+- **What/why:** `spring-boot-autoconfigure` 2.3.3.RELEASE (welcome-page DoS, fixed 2.5.15) and EOL `spring-test` 4.3.24. **Test scope only in `legend-shared-pac4j-gitlab` and others — never shipped to consumers.** Fixed for scanner hygiene, not real exposure.
+- **How:** root `pom.xml`: `` → `2.7.18` (last 2.x line), `` → `5.3.39`. spring-test 4.3 → 5.3 may need small test adjustments (JUnit 4 runner API is stable; imports unchanged for `spring-test` basics).
+- **Blast radius:** zero at runtime (test scope). Risk is limited to compile errors in test code; fix forward within the PR.
+- **Verification:** `mvn -B install` (all module test suites).
+- **Status:** ☑ 2026-07-03 — done. Gotcha found and fixed: spring-test 5.x `MockHttpServletResponse.addCookie` needs `spring-web` on the classpath (`NoClassDefFoundError: org/springframework/http/HttpHeaders`); added `org.springframework:spring-web` (same version property) as a test dependency in the root DM and in `legend-shared-pac4j`, `-kerberos`, `-ping`. Build green after.
+
+## Wave 2 — Jackson family + snakeyaml, one coordinated PR
+
+### V06 — Jackson 2.10.x → 2.18.8 with snakeyaml 2.x (12 alerts)
+
+Closes, per Dependabot:
+
+| CVE | Artifact | Severity | Fixed in |
+|-----|----------|----------|----------|
+| CVE-2026-54512 | jackson-databind | high 8.1 | 2.18.8 |
+| CVE-2026-54513 | jackson-databind | high 8.1 | 2.18.8 |
+| CVE-2022-42003 | jackson-databind | high 7.5 | 2.12.7.1 |
+| CVE-2022-42004 | jackson-databind | high 7.5 | 2.12.7.1 |
+| CVE-2020-36518 | jackson-databind | high 7.5 | 2.12.6.1 |
+| CVE-2021-46877 | jackson-databind | high 7.5 | 2.12.6 |
+| CVE-2025-52999 | jackson-core | high | 2.15.0 |
+| CVE-2026-50193 | jackson-databind | medium | 2.14.0 |
+| CVE-2026-54514 | jackson-databind | medium 5.3 | 2.18.8 |
+| CVE-2025-49128 | jackson-core | medium 4.0 | 2.13.0 |
+| GHSA-72hv-8253-57qq | jackson-core | medium | 2.18.6 |
+| CVE-2022-1471 | snakeyaml | **high 8.3 (RCE)** | 2.0 |
+
+- **Why one PR:** these cannot move independently. `jackson-dataformat-yaml` < 2.15 is hard-incompatible with snakeyaml 2.x, so the snakeyaml RCE fix *requires* the jackson bump; and mixed jackson module versions on one classpath is the classic runtime breakage. This is the transitive-ordering pivot of the whole register.
+- **How:**
+ 1. Root pom properties: `jackson.version` 2.10.5 → `2.18.8`, `jackson.databind.version` 2.10.5.1 → `2.18.8`, `jackson.dataformat.yaml.version` 2.11.2 → `2.18.8`, `snakeyaml.version` 1.33 → the version `jackson-dataformat-yaml:2.18.8` declares (2.3 line; confirm from its pom at execution).
+ 2. **Align Dropwizard's transitive jackson modules.** From the real tree, `dropwizard-jackson:1.3.29` pulls at **2.9.10**: `jackson-datatype-guava`, `jackson-datatype-jsr310`, `jackson-datatype-jdk8`, `jackson-datatype-joda`, `jackson-module-parameter-names`, `jackson-module-afterburner`; `dropwizard-jersey` additionally pulls `jackson-jaxrs-json-provider`/`jackson-jaxrs-base`/`jackson-module-jaxb-annotations` at 2.9.10. Cleanest fix: import the Jackson BOM in `dependencyManagement` **before** other entries:
+ ```xml
+
+ com.fasterxml.jackson
+ jackson-bom
+ 2.18.8
+ pom
+ import
+
+ ```
+ then verify no `com.fasterxml.jackson*` artifact resolves below 2.18.8 anywhere in the reactor.
+- **Blast radius:** high-touch but well-tested territory:
+ - Dropwizard 1.3 config parsing (`dropwizard-configuration` + dataformat-yaml + snakeyaml) is how **every downstream Legend app boots**. Dropwizard 1.3 was built against jackson 2.9; jackson's public API has been stable, but `jackson-module-afterburner` (bytecode generation) is the most likely runtime breakage — if the full suite or server boot fails on afterburner, exclude it from `dropwizard-jackson` in the root DM (Dropwizard falls back to plain reflection; minor perf cost, no functional change).
+ - pac4j profile JSON round-tripping in `legend-shared-pac4j` (`SerializableProfile`, `StringOrArrayDeserializer` and its tests).
+ - snakeyaml 2.x removes unsafe global-tag construction (the CVE). Dropwizard/jackson-dataformat-yaml don't rely on it; custom YAML anywhere in downstream apps that used snakeyaml 1.x `Constructor` semantics would — flag in the release notes of the next legend-shared release.
+- **Exposure context (why this is urgent-but-not-fire):** the two 8.1 CVEs (2026-54512/13) require polymorphic default typing, which this repo does not use (verified: no `enableDefaultTyping`/`activateDefaultTyping` in source). CVE-2022-1471 requires attacker-controlled YAML; here snakeyaml parses trusted server config files. Both worth fixing regardless — downstream apps share this classpath and may have other exposure.
+- **Verification:**
+ - `mvn -B install` — full reactor, all tests, checkstyle.
+ - `mvn dependency:tree | grep -E 'jackson|snakeyaml'` — every jackson artifact at 2.18.8, snakeyaml at its 2.x target, nothing left at 2.9.10/2.10.x/1.33.
+ - Boot the shaded static server against a real YAML/JSON config (same smoke test as V04) — this exercises the Dropwizard config-parsing path end-to-end.
+ - Deserialization round-trip tests in `legend-shared-pac4j` (`deserializer`, `mongostore`, `hazelcaststore` test packages) all green.
+- **Status:** ☑ 2026-07-03 — jackson-bom 2.18.8 imported at the top of dependencyManagement; properties bumped (jackson* → 2.18.8, snakeyaml → 2.3). Full build + tests green on first run (afterburner included — no exclusion needed). Tree check: all 13 `com.fasterxml.jackson*` artifacts at 2.18.8, snakeyaml at 2.3, nothing left at 2.9.10/2.10.x/1.33. Shaded-server smoke test: config parsed, healthcheck healthy, `/` 200, no errors logged.
+
+## Wave 3 — after Wave 2, needs runtime auth verification
+
+### V07 — nimbus-jose-jwt 8.0 → ≥ 9.37.4 (CVE-2023-52428, CVE-2025-53864)
+
+- **What/why:** DoS via expensive PBES2 `p2c` values (fixed 9.37.2) and deeply-nested JSON (fixed 9.37.4). Parses IdP-supplied tokens — genuinely attacker-reachable in OIDC deployments.
+- **How:** root `pom.xml`: `8.0` → `9.37.4` (or latest 9.37.x/10.x compatible at execution time).
+- **Dependency path:** `legend-shared-pac4j-gitlab` and `-ping` depend on nimbus **directly** (pinned 8.0) and exclude the copy from `pac4j-oidc:4.5.8`; `pac4j-oidc` also pulls `com.nimbusds:oauth2-oidc-sdk:8.22`, which was built against nimbus 8.x.
+- **Blast radius / why last:** the OIDC login flow of every Legend app that uses `PingIndirectClient`/OIDC. The compile-time API used by this repo is small, but `oauth2-oidc-sdk:8.22` ↔ nimbus 9.x runtime compatibility is the real risk (`NoSuchMethodError` at login time, not at build time). Two-step approach:
+ 1. Bump nimbus alone; run the full build; then **manually verify a real OIDC login** against a test IdP (or at minimum a downstream Legend app's auth integration test) — unit tests here do not cover the flow.
+ 2. If incompatible, additionally pin `com.nimbusds:oauth2-oidc-sdk` to a 9.x version compatible with both nimbus 9.37.x and pac4j-oidc 4.5.8's API usage, and re-verify.
+- **Cleanup:** checked — json-smart does **not** drop out: it remains in the tree via `oauth2-oidc-sdk:8.22` (not via nimbus). The V03 pin stays load-bearing; do not retire it.
+- **Verification:** full build; manual OIDC flow sign-in reaching a profile-authenticated endpoint; sequencing after V06 keeps jackson noise out of any failure triage.
+- **Status:** ☑ 2026-07-03 — build + all tests green on nimbus 9.37.4 with oidc-sdk 8.22, including `GitlabClientRenewProfileTest` (token flow against a mock IdP via mockwebserver) and `OidcProfileTest`. **Outstanding before release:** a manual OIDC login against a real IdP (or a downstream Legend app's auth integration environment) — the unit suite does not cover the full authorization-code flow.
+
+---
+
+## Deferred — documented risk, blocked by the Java 8 baseline
+
+### D1 — Jetty CVE-2026-2332 (request smuggling via chunked-extension parsing, high 7.4)
+
+Every 9.4.x release is affected and **the 9.4 line is EOL — no fix exists or is coming**.
+**Scanner note (2026-07-03, PR #259):** WhiteSource/Mend's suggested "9.4.60" is a **HeroDevs NES (commercial) release**, not an Eclipse artifact — nothing ≥ 9.4.59 exists on Maven Central (latest is 9.4.58.v20250814, still inside the GH advisory's vulnerable range ≤ 9.4.59).
+**Commercial mitigation option (deployer-side, not upstream):** HeroDevs Never-Ending Support publishes drop-in Jetty 9.4.x patches under the same `org.eclipse.jetty` coordinates from their private registry (`registry.nes.herodevs.com/maven/`, subscription + access token required): 9.4.59 fixes CVE-2025-11143 (D6), 9.4.60 fixes CVE-2026-2332 (this item), 9.4.61 additionally fixes CVE-2026-5795. **legend-shared itself cannot adopt these**: it publishes to Maven Central, where all dependencies must be publicly resolvable, and a FINOS project cannot make a paid artifact a mandatory dependency. Organizations deploying Legend that need these CVEs closed before Phase 2 can subscribe to NES and override `jetty.version` (or the jetty entries) in their own dependencyManagement — the same-GAV design makes it a build-time swap with no code changes. Mirror the NES artifacts through your internal repository manager and verify provenance per your supply-chain policy. The fixed lines require Jetty 10/11/12 → Dropwizard ≥ 2.1/3.x → Java 11 baseline (Phase 2).
+**Interim mitigation (operators):** request smuggling requires a parsing disagreement between a front proxy and Jetty. Legend deployments front these servers with a reverse proxy/LB; ensure it normalizes or rejects chunked-extension quoted strings and does not reuse backend connections across clients. Document in deployment guidance.
+**Revisit:** Phase 2, or immediately if a 9.4 backport ever appears (check the alert).
+
+### D2 — pac4j-core CVE-2026-40458 (CSRF, high 6.5; fixed in 5.7.10)
+
+pac4j 5.x requires Java 11, and the upgrade is invasive far beyond a version pin:
+
+- this repo subclasses/implements pac4j internals that changed across 4.x → 5.x: `LegendSecurityLogic` (extends `DefaultSecurityLogic`), `HttpSessionStore` (implements `SessionStore`), `JEEContext` usage, `LegendClientFinder`, custom matchers;
+- session state is Java-serialized into MongoDB/Hazelcast via pac4j's `JavaSerializationHelper` (`MongoDbSessionStore`, `HazelcastSessionStore`) — pac4j profile classes changed shape across majors, so an upgrade **invalidates or errors on live sessions** during rolling deploys of downstream apps (users forced to re-login; mixed-version fleets may throw on deserialization).
+
+**Exposure assessment:** legend-shared does not wire pac4j's CSRF authorizer/token machinery at all — authorizers come solely from app config (`LegendPac4jConfiguration.authorizers`, default empty). The vulnerable pac4j CSRF code paths are therefore not exercised by legend-shared's default wiring; a downstream app would have to opt into pac4j's `CsrfAuthorizer` in its own config to be exposed. Confirm per-app before treating this as urgent.
+**Revisit:** Phase 2.
+
+### D3 — Dropwizard 1.3.29 EOL (enabler, no direct alert)
+
+Dropwizard 1.3 has been EOL since 2020 and is the structural blocker behind D1/D2. The last Java-8-compatible line is 2.0.x, which still ships Jetty 9.4 — so a 2.0 hop alone buys none of the deferred CVEs and is not worth its migration cost. The real path is Phase 2 below.
+
+### D4 — jackson-databind CVE-2026-54515 (medium 5.3) — WATCH
+
+Case-insensitive deserialization bypass; **no patched version exists yet** (vulnerable range `< 2.18.9`, fix expected in 2.18.9; WhiteSource cites only jackson-databind **3.1.4** — a 3.x major, not a drop-in). Nothing to upgrade to; V06 lands us on 2.18.8. **Each session: re-run the alert query; when a 2.18.9 appears, fold it into a one-line patch bump.**
+
+### D5 — Jetty CVE-2024-6763 (URI authority parsing, medium 3.7)
+
+Fixed only in **Jetty 12.0.12** — even Jetty 10/11 are affected, so this outlives a Phase-2 Dropwizard 3.x migration unless that lands on Jetty 12 (Dropwizard 4.x/5.x territory). Low CVSS, parsing-hygiene issue. Accepted risk alongside D1.
+
+### D6 — Jetty CVE-2025-11143 (jetty-http)
+
+Surfaced by WhiteSource on PR #259 (not in the Dependabot baseline). Fixed only in **Jetty 12.0.31 / 12.1.5** on the open-source line — same Jetty-12-only situation as D5. Also fixed in the commercial HeroDevs NES 9.4.59 (see the mitigation note under D1). Accepted risk alongside D1/D5; revisit with the Phase-2 track.
+
+### Scanner reconciliation (WhiteSource, PR #259)
+
+The WhiteSource check on PR #259 reported "37 vulnerabilities remediated, 4 new". The "4 new" are **not regressions** — WhiteSource attributes findings to jar versions, so the bumped jars (jetty-http 9.4.57, jackson-databind 2.18.8) count as "newly introduced" carriers of the already-known unfixable items: CVE-2026-2332 (D1), CVE-2026-54515 (D4), CVE-2024-6763 (D5), CVE-2025-11143 (D6). None has a shippable fix on the Java-8-compatible stack today.
+
+## Phase 2 track (separate effort, FINOS/Legend-wide decision)
+
+Unlocking D1/D2/D3 (and improving D5) requires raising the compiled bytecode target from Java 8 — a breaking change for any downstream consumer still building on Java 8, so it needs coordination across the Legend project (legend-engine, legend-sdlc, etc. already build on 11+; the constraint is published-artifact consumers). Sequence when approved:
+
+1. Raise `maven.compiler.release` to 11 (major version bump of legend-shared).
+2. Dropwizard 1.3 → 3.x (javax namespace retained, Jetty 10) or 4.x (jakarta namespace, Jetty 11) — decide against downstream servlet-API expectations; verify the `dropwizard-pac4j` compatibility matrix at that time.
+3. pac4j 4.5.8 → 5.7.10+ (closes CVE-2026-40458): rewrite the subclassed internals listed in D2, plan a session-store invalidation/migration for Mongo/Hazelcast-persisted profiles, coordinate downstream deploys.
+4. Jetty follows Dropwizard (closes CVE-2026-2332; CVE-2024-6763 only if the target line is Jetty 12).
+
+## Out-of-scope hygiene noted during analysis (no open alert)
+
+- `legend-shared-server/Dockerfile` base image `eclipse-temurin:11.0.17_8-jdk-jammy` is a 2022 JDK patch level — bump to a current temurin tag (and prefer `-jre`) next time the image is touched.
+- The OpenTracing/Brave stack (opentracing deprecated upstream) and Jersey 2.23.2 are old but carry no open high/medium alerts; revisit in Phase 2.
diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml
new file mode 100644
index 00000000..8e371cab
--- /dev/null
+++ b/legend-shared-bom/pom.xml
@@ -0,0 +1,529 @@
+
+
+
+
+ 4.0.0
+
+
+
+ org.finos
+ finos
+ 7
+
+
+ Legend Shared - BOM
+ Bill of Materials for Legend Shared modules and their shared third-party dependency stack
+ org.finos.legend.shared
+ legend-shared-bom
+ 0.35.4-SNAPSHOT
+ pom
+ https://legend.finos.org
+
+
+ scm:git:https://github.com/finos/legend-shared
+ HEAD
+
+
+
+
+ 3.18.0
+ 1.10.0
+ 1.3.29
+ 4.0.0
+ 33.4.6-jre
+ 2.18.8
+ 2.18.8
+ 2.18.8
+ 2.3.2
+ 2.1.1
+ 1.1.1
+ 3.1.0
+ 2.3.0
+ 2.3.2
+ 2.23.2
+ 2.23.1
+ 9.4.57.v20241219
+ 4.13.1
+ 1.7.36
+ 0.1.3.3
+ 4.9.0
+ 5.21.0
+ 5.2.0
+ 5.3.1
+ 1.46.0
+ 9.37.4
+ 0.5.0
+ 0.37.2
+ 0.32.0
+ 4.5.8
+ 0.8.1
+ 2.3
+ 5.3.39
+ 2.7.18
+ 2.5.2
+ 5.3.8
+
+
+
+
+
+
+ com.fasterxml.jackson
+ jackson-bom
+ ${jackson.version}
+ pom
+ import
+
+
+
+
+ org.finos.legend.shared
+ legend-shared-server
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-pac4j
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-pac4j-kerberos
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-pac4j-gitlab
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-pac4j-ping
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-opentracing-base
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-opentracing-jersey
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-opentracing-test
+ ${project.version}
+
+
+ org.finos.legend.shared
+ legend-shared-opentracing-servlet-filter
+ ${project.version}
+
+
+
+
+
+ org.slf4j
+ slf4j-api
+ ${slf4j.version}
+
+
+
+
+
+ org.springframework
+ spring-test
+ ${spring.test.version}
+
+
+
+ org.springframework
+ spring-web
+ ${spring.test.version}
+
+
+ org.springframework.boot
+ spring-boot-autoconfigure
+ ${spring.boot.autoconfigure.version}
+
+
+
+
+
+ org.pac4j
+ pac4j-kerberos
+ ${pac4j.version}
+
+
+ org.springframework
+ spring-core
+
+
+
+
+ org.pac4j
+ pac4j-oidc
+ ${pac4j.version}
+
+
+ com.nimbusds
+ nimbus-jose-jwt
+
+
+
+
+ org.pac4j
+ pac4j-http
+ ${pac4j.version}
+
+
+ org.pac4j
+ pac4j-core
+ ${pac4j.version}
+
+
+
+ org.apache.shiro
+ shiro-core
+
+
+
+
+ org.pac4j
+ dropwizard-pac4j
+ ${dropwizard.pac4j.version}
+
+
+ org.pac4j
+ pac4j-core
+
+
+
+
+
+
+
+ com.fasterxml.jackson.core
+ jackson-annotations
+ ${jackson.version}
+
+
+ com.fasterxml.jackson.core
+ jackson-core
+ ${jackson.version}
+
+
+ com.fasterxml.jackson.core
+ jackson-databind
+ ${jackson.databind.version}
+
+
+ com.fasterxml.jackson.dataformat
+ jackson-dataformat-yaml
+ ${jackson.dataformat.yaml.version}
+
+
+
+
+
+ io.dropwizard
+ dropwizard-assets
+ ${dropwizard.version}
+
+
+ com.fasterxml.jackson.dataformat
+ jackson-dataformat-yaml
+
+
+
+
+ io.dropwizard
+ dropwizard-core
+ ${dropwizard.version}
+
+
+ io.dropwizard
+ dropwizard-testing
+ ${dropwizard.version}
+
+
+
+
+
+ io.opentracing.contrib
+ opentracing-jaxrs2
+ ${opentracing.jaxrs2.version}
+
+
+ io.opentracing.brave
+ brave-opentracing
+ ${opentracing.brave.version}
+
+
+ io.opentracing
+ opentracing-mock
+ ${opentracing.api.version}
+
+
+
+
+
+ io.prometheus
+ simpleclient
+ ${prometheus.version}
+
+
+
+
+
+ org.glassfish.jersey.test-framework.providers
+ jersey-test-framework-provider-grizzly2
+ ${jersey.test.framework.version}
+
+
+ org.glassfish.jersey.core
+ jersey-client
+ ${jersey.client.version}
+
+
+
+
+
+ org.mongodb
+ mongodb-driver-sync
+ ${mongo.driver.version}
+
+
+ de.bwaldvogel
+ mongo-java-server
+ ${mongo.server.version}
+
+
+ de.bwaldvogel
+ mongo-java-server-core
+ ${mongo.server.version}
+
+
+ de.bwaldvogel
+ mongo-java-server-memory-backend
+ ${mongo.server.version}
+
+
+
+
+
+ junit
+ junit
+ ${junit.version}
+
+
+
+
+
+ javax.xml.bind
+ jaxb-api
+ ${jaxb.version}
+
+
+ com.sun.xml.bind
+ jaxb-core
+ ${jaxb.version}
+
+
+ com.sun.xml.bind
+ jaxb-impl
+ ${jaxb.version}
+
+
+
+
+
+ org.glassfish.jaxb
+ jaxb-runtime
+ ${jaxb.runtime.version}
+
+
+
+
+ javax.servlet
+ javax.servlet-api
+ ${javax.servlet.api.version}
+
+
+ javax.activation
+ activation
+ ${javax.activation.version}
+
+
+
+ javax.ws.rs
+ javax.ws.rs-api
+ ${javax.jax-rs.version}
+
+
+
+
+
+ jakarta.xml.bind
+ jakarta.xml.bind-api
+ ${jakarta.xml.bind.version}
+
+
+
+
+ org.apache.commons
+ commons-lang3
+ ${commons.lang3.version}
+
+
+ org.apache.commons
+ commons-text
+ ${commons.text.version}
+
+
+
+
+
+ com.google.guava
+ guava
+ ${guava.version}
+
+
+
+
+ net.minidev
+ json-smart
+ ${json-smart.version}
+
+
+
+ com.hazelcast
+ hazelcast
+ ${hazelcast.version}
+
+
+
+ com.squareup.okhttp3
+ mockwebserver
+ ${mockwebserver.version}
+
+
+ org.mockito
+ mockito-core
+ ${mockito.version}
+
+
+ org.mockito
+ mockito-inline
+ ${mockito-inline.version}
+
+
+ com.nimbusds
+ nimbus-jose-jwt
+ ${nimbus.jwt.version}
+
+
+ org.commonjava.mimeparse
+ mimeparse
+ ${mimeparse.version}
+
+
+ commons-lang
+ commons-lang
+
+
+
+
+ org.eclipse.jetty
+ jetty-http
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-server
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-servlets
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-util
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-util-ajax
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-security
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-webapp
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-servlet
+ ${jetty.version}
+
+
+ org.eclipse.jetty
+ jetty-continuation
+ ${jetty.version}
+
+
+
+ org.yaml
+ snakeyaml
+ ${snakeyaml.version}
+
+
+
+
+
+
+ docker
+
+
+
+
+ com.spotify
+ dockerfile-maven-plugin
+ 1.4.13
+
+ true
+
+
+
+
+
+
+
diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml
index 72cd8a30..403405c7 100644
--- a/legend-shared-pac4j-kerberos/pom.xml
+++ b/legend-shared-pac4j-kerberos/pom.xml
@@ -81,6 +81,11 @@
spring-test
test
+
+ org.springframework
+ spring-web
+ test
+
diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml
index 0d168671..74e92761 100644
--- a/legend-shared-pac4j-ping/pom.xml
+++ b/legend-shared-pac4j-ping/pom.xml
@@ -97,6 +97,11 @@
spring-test
test
+
+ org.springframework
+ spring-web
+ test
+
\ No newline at end of file
diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml
index 89d39a5d..4f4369d4 100644
--- a/legend-shared-pac4j/pom.xml
+++ b/legend-shared-pac4j/pom.xml
@@ -87,6 +87,11 @@
spring-test
test
+
+ org.springframework
+ spring-web
+ test
+
de.bwaldvogel
mongo-java-server
diff --git a/pom.xml b/pom.xml
index a60b497b..5cffcebc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -42,43 +42,7 @@
[11,12),[17,18),[21,22),[25,26)
central
-
- 3.18.0
- 1.10.0
- 1.3.29
- 4.0.0
- 33.4.6-jre
- 2.10.5
- 2.10.5.1
- 2.11.2
- 2.3.2
- 2.1.1
- 1.1.1
- 3.1.0
- 2.3.0
- 2.3.2
- 2.23.2
- 2.23.1
- 9.4.44.v20210927
- 4.13.1
- 1.7.36
- 0.1.3.3
- 4.9.0
- 5.21.0
- 5.2.0
- 5.3.1
- 1.46.0
- 8.0
- 0.5.0
- 0.37.2
- 0.32.0
- 4.5.8
- 0.8.1
- 1.33
- 4.3.24.RELEASE
- 2.3.3.RELEASE
- 2.4.2
- 5.3.1
+
3.3.1
@@ -105,6 +69,8 @@
+ legend-shared-bom
+
legend-shared-test-reports
legend-shared-pac4j
@@ -316,405 +282,14 @@
-
-
- org.finos.legend.shared
- legend-shared-server
- ${project.version}
-
-
- org.finos.legend.shared
- legend-shared-pac4j
- ${project.version}
-
-
- org.finos.legend.shared
- legend-shared-pac4j-kerberos
- ${project.version}
-
-
- org.finos.legend.shared
- legend-shared-pac4j-gitlab
- ${project.version}
-
-
- org.finos.legend.shared
- legend-shared-opentracing-base
- ${project.version}
-
-
- org.finos.legend.shared
- legend-shared-opentracing-jersey
- ${project.version}
-
+
org.finos.legend.shared
- legend-shared-opentracing-test
+ legend-shared-bom
${project.version}
-
-
- org.finos.legend.shared
- legend-shared-opentracing-servlet-filter
- ${project.version}
-
-
-
-
-
- org.slf4j
- slf4j-api
- ${slf4j.version}
-
-
-
-
-
- org.springframework
- spring-test
- ${spring.test.version}
-
-
- org.springframework.boot
- spring-boot-autoconfigure
- ${spring.boot.autoconfigure.version}
-
-
-
-
-
- org.pac4j
- pac4j-kerberos
- ${pac4j.version}
-
-
- org.springframework
- spring-core
-
-
-
-
- org.pac4j
- pac4j-oidc
- ${pac4j.version}
-
-
- com.nimbusds
- nimbus-jose-jwt
-
-
-
-
- org.pac4j
- pac4j-http
- ${pac4j.version}
-
-
- org.pac4j
- pac4j-core
- ${pac4j.version}
-
-
-
- org.apache.shiro
- shiro-core
-
-
-
-
- org.pac4j
- dropwizard-pac4j
- ${dropwizard.pac4j.version}
-
-
- org.pac4j
- pac4j-core
-
-
-
-
-
-
-
- com.fasterxml.jackson.core
- jackson-annotations
- ${jackson.version}
-
-
- com.fasterxml.jackson.core
- jackson-core
- ${jackson.version}
-
-
- com.fasterxml.jackson.core
- jackson-databind
- ${jackson.databind.version}
-
-
- com.fasterxml.jackson.dataformat
- jackson-dataformat-yaml
- ${jackson.dataformat.yaml.version}
-
-
-
-
-
- io.dropwizard
- dropwizard-assets
- ${dropwizard.version}
-
-
- com.fasterxml.jackson.dataformat
- jackson-dataformat-yaml
-
-
-
-
- io.dropwizard
- dropwizard-core
- ${dropwizard.version}
-
-
- io.dropwizard
- dropwizard-testing
- ${dropwizard.version}
-
-
-
-
-
- io.opentracing.contrib
- opentracing-jaxrs2
- ${opentracing.jaxrs2.version}
-
-
- io.opentracing.brave
- brave-opentracing
- ${opentracing.brave.version}
-
-
- io.opentracing
- opentracing-mock
- ${opentracing.api.version}
-
-
-
-
-
- io.prometheus
- simpleclient
- ${prometheus.version}
-
-
-
-
-
- org.glassfish.jersey.test-framework.providers
- jersey-test-framework-provider-grizzly2
- ${jersey.test.framework.version}
-
-
- org.glassfish.jersey.core
- jersey-client
- ${jersey.client.version}
-
-
-
-
-
- org.mongodb
- mongodb-driver-sync
- ${mongo.driver.version}
-
-
- de.bwaldvogel
- mongo-java-server
- ${mongo.server.version}
-
-
- de.bwaldvogel
- mongo-java-server-core
- ${mongo.server.version}
-
-
- de.bwaldvogel
- mongo-java-server-memory-backend
- ${mongo.server.version}
-
-
-
-
-
- junit
- junit
- ${junit.version}
-
-
-
-
-
- javax.xml.bind
- jaxb-api
- ${jaxb.version}
-
-
- com.sun.xml.bind
- jaxb-core
- ${jaxb.version}
-
-
- com.sun.xml.bind
- jaxb-impl
- ${jaxb.version}
-
-
-
-
-
- org.glassfish.jaxb
- jaxb-runtime
- ${jaxb.runtime.version}
-
-
-
-
- javax.servlet
- javax.servlet-api
- ${javax.servlet.api.version}
-
-
- javax.activation
- activation
- ${javax.activation.version}
-
-
-
- javax.ws.rs
- javax.ws.rs-api
- ${javax.jax-rs.version}
-
-
-
-
-
- jakarta.xml.bind
- jakarta.xml.bind-api
- ${jakarta.xml.bind.version}
-
-
-
-
- org.apache.commons
- commons-lang3
- ${commons.lang3.version}
-
-
- org.apache.commons
- commons-text
- ${commons.text.version}
-
-
-
-
-
- com.google.guava
- guava
- ${guava.version}
-
-
-
-
- net.minidev
- json-smart
- ${json-smart.version}
-
-
-
- com.hazelcast
- hazelcast
- ${hazelcast.version}
-
-
-
- com.squareup.okhttp3
- mockwebserver
- ${mockwebserver.version}
-
-
- org.mockito
- mockito-core
- ${mockito.version}
-
-
- org.mockito
- mockito-inline
- ${mockito-inline.version}
-
-
- com.nimbusds
- nimbus-jose-jwt
- ${nimbus.jwt.version}
-
-
- org.commonjava.mimeparse
- mimeparse
- ${mimeparse.version}
-
-
- commons-lang
- commons-lang
-
-
-
-
- org.eclipse.jetty
- jetty-http
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-server
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-servlets
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-util
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-util-ajax
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-security
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-webapp
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-servlet
- ${jetty.version}
-
-
- org.eclipse.jetty
- jetty-continuation
- ${jetty.version}
-
-
-
- org.yaml
- snakeyaml
- ${snakeyaml.version}
+ pom
+ import
From 72018351eab442c5fbc5966574ae250a02bae56e Mon Sep 17 00:00:00 2001
From: FINOS Administrator <37706051+finos-admin@users.noreply.github.com>
Date: Fri, 3 Jul 2026 17:15:44 +0000
Subject: [PATCH 2/3] [maven-release-plugin] prepare release
legend-shared-0.36.0-RC1
---
legend-shared-bom/pom.xml | 4 ++--
legend-shared-opentracing-base/pom.xml | 2 +-
legend-shared-opentracing-jersey/pom.xml | 2 +-
legend-shared-opentracing-servlet-filter/pom.xml | 2 +-
legend-shared-opentracing-test/pom.xml | 2 +-
legend-shared-pac4j-gitlab/pom.xml | 2 +-
legend-shared-pac4j-kerberos/pom.xml | 2 +-
legend-shared-pac4j-ping/pom.xml | 2 +-
legend-shared-pac4j/pom.xml | 2 +-
legend-shared-server/pom.xml | 2 +-
legend-shared-test-reports/pom.xml | 2 +-
pom.xml | 4 ++--
12 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml
index 8e371cab..9b5259ea 100644
--- a/legend-shared-bom/pom.xml
+++ b/legend-shared-bom/pom.xml
@@ -33,13 +33,13 @@
Bill of Materials for Legend Shared modules and their shared third-party dependency stack
org.finos.legend.shared
legend-shared-bom
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
pom
https://legend.finos.org
scm:git:https://github.com/finos/legend-shared
- HEAD
+ legend-shared-0.36.0-RC1
diff --git a/legend-shared-opentracing-base/pom.xml b/legend-shared-opentracing-base/pom.xml
index 927e2c0b..a0e841b8 100644
--- a/legend-shared-opentracing-base/pom.xml
+++ b/legend-shared-opentracing-base/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-opentracing-base
diff --git a/legend-shared-opentracing-jersey/pom.xml b/legend-shared-opentracing-jersey/pom.xml
index e8f99c36..074f6dec 100644
--- a/legend-shared-opentracing-jersey/pom.xml
+++ b/legend-shared-opentracing-jersey/pom.xml
@@ -21,7 +21,7 @@
legend-shared
org.finos.legend.shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-opentracing-jersey
diff --git a/legend-shared-opentracing-servlet-filter/pom.xml b/legend-shared-opentracing-servlet-filter/pom.xml
index 14c95e1a..24c9623d 100644
--- a/legend-shared-opentracing-servlet-filter/pom.xml
+++ b/legend-shared-opentracing-servlet-filter/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-opentracing-servlet-filter
diff --git a/legend-shared-opentracing-test/pom.xml b/legend-shared-opentracing-test/pom.xml
index 9da2b1f0..3732fc12 100644
--- a/legend-shared-opentracing-test/pom.xml
+++ b/legend-shared-opentracing-test/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-opentracing-test
diff --git a/legend-shared-pac4j-gitlab/pom.xml b/legend-shared-pac4j-gitlab/pom.xml
index 878aa86e..8ca9fe7c 100644
--- a/legend-shared-pac4j-gitlab/pom.xml
+++ b/legend-shared-pac4j-gitlab/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-pac4j-gitlab
diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml
index 403405c7..22948f64 100644
--- a/legend-shared-pac4j-kerberos/pom.xml
+++ b/legend-shared-pac4j-kerberos/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-pac4j-kerberos
diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml
index 74e92761..b43b2959 100644
--- a/legend-shared-pac4j-ping/pom.xml
+++ b/legend-shared-pac4j-ping/pom.xml
@@ -20,7 +20,7 @@
legend-shared
org.finos.legend.shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-pac4j-ping
diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml
index 4f4369d4..21de1309 100644
--- a/legend-shared-pac4j/pom.xml
+++ b/legend-shared-pac4j/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-pac4j
diff --git a/legend-shared-server/pom.xml b/legend-shared-server/pom.xml
index ce95a6a8..3096f8c8 100644
--- a/legend-shared-server/pom.xml
+++ b/legend-shared-server/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-server
diff --git a/legend-shared-test-reports/pom.xml b/legend-shared-test-reports/pom.xml
index 47f3e5f8..37131973 100644
--- a/legend-shared-test-reports/pom.xml
+++ b/legend-shared-test-reports/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
legend-shared-test-reports
diff --git a/pom.xml b/pom.xml
index 5cffcebc..4e79355e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
Legend Shared
org.finos.legend.shared
legend-shared
- 0.35.4-SNAPSHOT
+ 0.36.0-RC1
pom
@@ -65,7 +65,7 @@
scm:git:https://github.com/finos/legend-shared
- HEAD
+ legend-shared-0.36.0-RC1
From c76d7da1710308ed48233402424289428347b1a7 Mon Sep 17 00:00:00 2001
From: FINOS Administrator <37706051+finos-admin@users.noreply.github.com>
Date: Fri, 3 Jul 2026 17:15:46 +0000
Subject: [PATCH 3/3] [maven-release-plugin] prepare for next development
iteration
---
legend-shared-bom/pom.xml | 4 ++--
legend-shared-opentracing-base/pom.xml | 2 +-
legend-shared-opentracing-jersey/pom.xml | 2 +-
legend-shared-opentracing-servlet-filter/pom.xml | 2 +-
legend-shared-opentracing-test/pom.xml | 2 +-
legend-shared-pac4j-gitlab/pom.xml | 2 +-
legend-shared-pac4j-kerberos/pom.xml | 2 +-
legend-shared-pac4j-ping/pom.xml | 2 +-
legend-shared-pac4j/pom.xml | 2 +-
legend-shared-server/pom.xml | 2 +-
legend-shared-test-reports/pom.xml | 2 +-
pom.xml | 4 ++--
12 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/legend-shared-bom/pom.xml b/legend-shared-bom/pom.xml
index 9b5259ea..ef5163d4 100644
--- a/legend-shared-bom/pom.xml
+++ b/legend-shared-bom/pom.xml
@@ -33,13 +33,13 @@
Bill of Materials for Legend Shared modules and their shared third-party dependency stack
org.finos.legend.shared
legend-shared-bom
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
pom
https://legend.finos.org
scm:git:https://github.com/finos/legend-shared
- legend-shared-0.36.0-RC1
+ HEAD
diff --git a/legend-shared-opentracing-base/pom.xml b/legend-shared-opentracing-base/pom.xml
index a0e841b8..45e1ac4a 100644
--- a/legend-shared-opentracing-base/pom.xml
+++ b/legend-shared-opentracing-base/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-opentracing-base
diff --git a/legend-shared-opentracing-jersey/pom.xml b/legend-shared-opentracing-jersey/pom.xml
index 074f6dec..bf720fe2 100644
--- a/legend-shared-opentracing-jersey/pom.xml
+++ b/legend-shared-opentracing-jersey/pom.xml
@@ -21,7 +21,7 @@
legend-shared
org.finos.legend.shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-opentracing-jersey
diff --git a/legend-shared-opentracing-servlet-filter/pom.xml b/legend-shared-opentracing-servlet-filter/pom.xml
index 24c9623d..27ecdc38 100644
--- a/legend-shared-opentracing-servlet-filter/pom.xml
+++ b/legend-shared-opentracing-servlet-filter/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-opentracing-servlet-filter
diff --git a/legend-shared-opentracing-test/pom.xml b/legend-shared-opentracing-test/pom.xml
index 3732fc12..46f65dd0 100644
--- a/legend-shared-opentracing-test/pom.xml
+++ b/legend-shared-opentracing-test/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-opentracing-test
diff --git a/legend-shared-pac4j-gitlab/pom.xml b/legend-shared-pac4j-gitlab/pom.xml
index 8ca9fe7c..e5fca8f1 100644
--- a/legend-shared-pac4j-gitlab/pom.xml
+++ b/legend-shared-pac4j-gitlab/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-pac4j-gitlab
diff --git a/legend-shared-pac4j-kerberos/pom.xml b/legend-shared-pac4j-kerberos/pom.xml
index 22948f64..e7e937d5 100644
--- a/legend-shared-pac4j-kerberos/pom.xml
+++ b/legend-shared-pac4j-kerberos/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-pac4j-kerberos
diff --git a/legend-shared-pac4j-ping/pom.xml b/legend-shared-pac4j-ping/pom.xml
index b43b2959..26c50cf6 100644
--- a/legend-shared-pac4j-ping/pom.xml
+++ b/legend-shared-pac4j-ping/pom.xml
@@ -20,7 +20,7 @@
legend-shared
org.finos.legend.shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-pac4j-ping
diff --git a/legend-shared-pac4j/pom.xml b/legend-shared-pac4j/pom.xml
index 21de1309..46289ce8 100644
--- a/legend-shared-pac4j/pom.xml
+++ b/legend-shared-pac4j/pom.xml
@@ -22,7 +22,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-pac4j
diff --git a/legend-shared-server/pom.xml b/legend-shared-server/pom.xml
index 3096f8c8..38650a44 100644
--- a/legend-shared-server/pom.xml
+++ b/legend-shared-server/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-server
diff --git a/legend-shared-test-reports/pom.xml b/legend-shared-test-reports/pom.xml
index 37131973..2c0f44d8 100644
--- a/legend-shared-test-reports/pom.xml
+++ b/legend-shared-test-reports/pom.xml
@@ -21,7 +21,7 @@
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
legend-shared-test-reports
diff --git a/pom.xml b/pom.xml
index 4e79355e..77e5cf67 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
Legend Shared
org.finos.legend.shared
legend-shared
- 0.36.0-RC1
+ 0.36.1-SNAPSHOT
pom
@@ -65,7 +65,7 @@
scm:git:https://github.com/finos/legend-shared
- legend-shared-0.36.0-RC1
+ HEAD