fix: resolve snyk vulnerabilities #87

Open
stevecl5 wants to merge 1 commit into master from scl/update-dependencies

Conversation


@stevecl5 stevecl5 commented Mar 3, 2026

Summary of Changes

Dependency Updates & Vulnerability Fixes

Updated plugins and core dependencies, including:

  • Coppuccino 5.x -> 6.2.1
  • Vogue 2.+ -> 3.0.2
  • Lettuce Core 6.2.0.RELEASE -> 6.8.2.RELEASE
  • Bouncy Castle bcpkix-jdk15on:1.70 -> bcpkix-jdk18on:1.83
  • Jackson (jackson-core, jackson-databind) 2.14.2 -> 2.21.1

These updates resolved the following Snyk vulnerabilities:

✗ Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSLANG-10734077]
✗ Cross-site Scripting (XSS) (new) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPMD-15365925]
✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924]
✗ Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078]
✗ Improper Validation of Certificate with Host Mismatch [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782]
✗ XML External Entity (XXE) Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413]
✗ Stack-based Buffer Overflow [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754]
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538]
✗ Information Exposure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518]
✗ Allocation of Resources Without Limits or Throttling [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-11777856]
✗ Allocation of Resources Without Limits or Throttling [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-11789705]
✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-5771339]
✗ Uncontrolled Resource Consumption ('Resource Exhaustion') [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6084022]
✗ Allocation of Resources Without Limits or Throttling [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6613080]
✗ Observable Discrepancy [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-8731360]

Gradle Project Improvements

This PR aligns the path-facilities configuration with the modern architectural standards recently established in path-core and path-mdx-model.

Root Project (build.gradle)

  • Centralized Testing Inheritance: Moved testImplementation "com.mx.path-core:testing" into the root subprojects block so all facility modules natively inherit the standardized test framework.
  • Centralized Publishing & Signing: Decoupled publication definitions from metadata decoration. Universally applies POM metadata and dynamic signing to all published artifacts via the root subprojects block. (Also fixed a legacy copy-paste bug where the POM URL incorrectly pointed to path-core).
  • Variable Standardization: Renamed pathSDKVersion to pathCoreVersion and bumped the range to [6.0,7.0) to align with the core ecosystem.
  • Modernized Task Configuration: Replaced legacy afterEvaluate blocks for spotlessApply and subdependencies with lazy task configuration.
  • Global Toolchains: Replaced sourceCompatibility and targetCompatibility by enforcing Java 17 globally using the modern java { toolchain { ... } } API.
  • Simplified Artifacts: Replaced manual package tasks (sourcesJar, packageJavadoc) with the native java { withSourcesJar(); withJavadocJar() } DSL.

Sub-Projects (store-redis, store-vault, message-broker-nats, etc.)

  • Version Stripping: Removed hardcoded versions for commons-codec and slf4j libraries, allowing them to strictly inherit the centralized coordinates from the path-core BOM constraints.
  • Testing Boilerplate Removal: Removed redundant declarations of mockito-inline, spock-core, and slf4j-simple across all sub-projects. These are now provided seamlessly by root inheritance and the modernized path-core:testing API.
  • Ext Block Scoping: Updated the local ext variable block in fault-tolerant-executor-resilience4j to explicitly use project.ext.resilience4jVersion for safer scope resolution.
  • Cleaned Configuration: Removed redundant excludePreReleaseVersions = true lines from local coppuccino blocks, as this is now handled centrally.

Platform BOM (platform)

  • Simplified BOM: Stripped out redundant pom { ... } metadata blocks and manual signing tasks. The project now strictly acts as a java-platform to cleanly expose the path-facilities constraints to external consumers.

Public API Additions/Changes

N/A

Downstream Consumer Impact

N/A

How Has This Been Tested?

Verified that the BOM generates correctly, dependencies resolve cleanly, and vulnerabilities are minimized by running snyk test --all-projects --exclude=build.

Snyk scan results
path-facilities % snyk test --all-projects --exclude=build         

Testing /Users/steven.leighton/dev/path-facilities...

Organization:      mx
Package manager:   gradle
Target file:       build.gradle
Project name:      path-facilities
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-facilities for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 100 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       encryption-service-jasypt/build.gradle
Project name:      path-facilities/encryption-service-jasypt
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 99 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       encryption-service-vault/build.gradle
Project name:      path-facilities/encryption-service-vault
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 114 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       exception-reporter-honeybadger/build.gradle
Project name:      path-facilities/exception-reporter-honeybadger
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 106 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       fault-tolerant-executor-resilience4j/build.gradle
Project name:      path-facilities/fault-tolerant-executor-resilience4j
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 121 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       message-broker-nats/build.gradle
Project name:      path-facilities/message-broker-nats
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Organization:      mx
Package manager:   gradle
Target file:       platform/build.gradle
Project name:      path-facilities/platform
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-facilities for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 110 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       store-redis/build.gradle
Project name:      path-facilities/store-redis
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Tested 99 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       store-vault/build.gradle
Project name:      path-facilities/store-vault
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-facilities...

Organization:      mx
Package manager:   npm
Target file:       package-lock.json
Project name:      package.json
Open source:       no
Project path:      /Users/steven.leighton/dev/path-facilities
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-facilities for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 10 projects, 7 contained vulnerable paths.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
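
As an added example (not the project's own build file), a root build.gradle in the shape the description above sketches: one subprojects block carrying the Java 17 toolchain, the withSourcesJar/withJavadocJar DSL, the inherited path-core testing dependency, and dependency constraints that floor the transitive libraries Snyk flagged at the versions this PR moved to. Plugin ids, the path-core platform coordinates and the POM URL are assumptions; the library versions and the pathCoreVersion range come from the PR text.

```groovy
// Added example, not the path-facilities build file. Plugin ids, the
// path-core platform coordinates and the POM URL are assumptions; versions
// and the pathCoreVersion range are the ones stated in the PR description.
ext {
    pathCoreVersion = "[6.0,7.0)"   // renamed from pathSDKVersion
}

subprojects {
    apply plugin: "java-library"
    apply plugin: "maven-publish"
    apply plugin: "signing"

    java {
        // One global toolchain instead of per-module source/targetCompatibility.
        toolchain { languageVersion = JavaLanguageVersion.of(17) }
        // Native replacements for the hand-written sourcesJar / packageJavadoc tasks.
        withSourcesJar()
        withJavadocJar()
    }

    dependencies {
        // Assumed BOM coordinates: every facility module inherits the path-core
        // constraints and the standardized test framework from here.
        implementation platform("com.mx.path-core:platform:${pathCoreVersion}")
        testImplementation "com.mx.path-core:testing"

        // Version floors for the libraries the Snyk findings traced to. A constraint
        // adds no dependency; it only refuses to resolve anything below the fixed
        // version, so a future transitive downgrade fails the build instead of
        // silently reintroducing the advisory.
        constraints {
            implementation("com.fasterxml.jackson.core:jackson-core:2.21.1") {
                because "Snyk jackson-core advisories listed in PR #87"
            }
            implementation("com.fasterxml.jackson.core:jackson-databind:2.21.1")
            implementation("org.bouncycastle:bcpkix-jdk18on:1.83") {
                because "Snyk Bouncy Castle advisories listed in PR #87"
            }
            implementation("io.lettuce:lettuce-core:6.8.2.RELEASE")
        }
    }

    // Lazy configuration (configureEach) replaces the legacy afterEvaluate blocks.
    tasks.withType(Javadoc).configureEach { options.encoding = "UTF-8" }

    // Publishing metadata and signing applied once to every published artifact.
    publishing {
        publications.withType(MavenPublication).configureEach {
            pom {
                // Placeholder URL; the PR corrected the copy-pasted link to path-core.
                url = "https://example.invalid/path-facilities"
            }
        }
    }
    signing { sign publishing.publications }
}
```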

build: update plugins and dependencies

build: clean up gradle configuration files
@stevecl5 stevecl5 force-pushed the scl/update-dependencies branch from fbbd70c to 4a79260 on March 4, 2026 00:59
