
fix: resolve snyk vulnerabilities#358

Merged
stevecl5 merged 1 commit into master from scl/update-dependencies on Mar 4, 2026

Conversation

stevecl5 (Contributor) commented Mar 3, 2026

Summary of Changes

Dependency Updates & Vulnerability Fixes

Updated plugins and core dependencies, including:

  • Coppuccino 5.x -> 6.2.1
  • Vogue 2.x -> 3.0.2
  • Spring Boot 3.5.8 -> 3.5.11
  • Jackson (jackson-dataformat-xml, jackson-datatype-jsr310) 2.14.0-rc1 -> 2.21.1

These updates resolved the following Snyk vulnerabilities:

✗ Stack-based Buffer Overflow [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754]
✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924]
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538]
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135]
✗ Improper Validation of Certificate with Host Mismatch [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782]
✗ Cross-site Scripting (XSS) (new) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPMD-15365925]
✗ Information Exposure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518]
✗ Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078]
✗ XML External Entity (XXE) Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413]
✗ External Initialization of Trusted Variables or Data Stores [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482]
✗ Improper Authorization (new) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15307825]
✗ Incorrect Authorization (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15307822]
✗ Improper Certificate Validation (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-15307781]

Gradle Project Improvements

This PR closely mirrors the Gradle refactor recently applied to path-core, bringing path-mdx-model into alignment with modern ecosystem standards.

Root Project (build.gradle)

  • Centralized Testing Inheritance: Moved testImplementation "com.mx.path-core:testing" into the root subprojects block so all modules natively inherit the standardized test framework.
  • Centralized Publishing & Signing: Decoupled publication definitions from metadata decoration. Universally applies POM metadata and dynamic signing to all published artifacts via the root subprojects block.
  • Variable Standardization: Renamed pathSDKVersion to pathCoreVersion in the root ext block for better naming consistency across the ecosystem.
  • Modernized Task Configuration: Replaced legacy afterEvaluate blocks for spotlessApply and subdependencies with lazy task configuration.
  • Global Toolchains: Replaced sourceCompatibility and targetCompatibility by enforcing Java 17 globally using the modern java { toolchain { ... } } API.
  • Simplified Artifacts: Replaced manual package tasks and custom artifacts logic with the native java { withSourcesJar(); withJavadocJar() } DSL.

Sub-Projects (mdx-gateways, mdx-models, mdx-web, realtime)

  • Version Stripping (Spring Boot): Removed the hardcoded version for commons-codec in mdx-web, allowing the Spring Boot BOM to natively manage the dependency version.
  • Version Stripping (Path Core): Removed hardcoded versions for shared test libraries (e.g., slf4j-simple, opentracing-mock), inheriting them directly from the path-core BOM constraints.
  • Testing Boilerplate Removal: Removed redundant declarations of path-core:testing and mockito-inline across all sub-projects, as these are now provided by the root inheritance and the modernized path-core:testing API export.
  • Spring Framework Export (mdx-web): Elevated the Spring Boot BOM and spring-boot-starter-web dependencies from implementation to api. Because mdx-web provides the foundational web layer, this ensures downstream Connectors transitively inherit the exact Spring framework and version constraints simply by importing this module.

Platform BOM (platform)

  • Simplified BOM: Stripped out redundant pom { ... } metadata blocks and manual signing tasks. The project now strictly acts as a java-platform to cleanly expose the path-mdx-model constraints to external consumers.
  • BOM Pollution Prevention: Removed the Spring Boot BOM (spring-boot-starter-parent) from the path-mdx-model platform. This protects pure Java libraries from being polluted by hundreds of unnecessary Spring constraints, ensuring Spring Boot is strictly an "opt-in" dependency via the mdx-web module.

Public API Additions/Changes

N/A

Downstream Consumer Impact

N/A

How Has This Been Tested?

Verified that the BOM generates correctly, dependencies resolve cleanly, and vulnerabilities are minimized by running snyk test --all-projects --exclude=build.

Snyk scan results
path-mdx-model % snyk test --all-projects --exclude=build

Testing /Users/steven.leighton/dev/path-mdx-model...

Organization:      mx
Package manager:   gradle
Target file:       build.gradle
Project name:      path-mdx-model
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-mdx-model for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Tested 83 dependencies for known issues, found 3 issues, 4 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.9
    introduced by com.github.spotbugs:spotbugs@4.9.8 > net.sf.saxon:Saxon-HE@12.9

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       mdx-gateway-generator/build.gradle
Project name:      path-mdx-model/mdx-gateway-generator
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Tested 135 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       mdx-gateways/build.gradle
Project name:      path-mdx-model/mdx-gateways
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Tested 121 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       mdx-models/build.gradle
Project name:      path-mdx-model/mdx-models
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Tested 171 dependencies for known issues, found 6 issues, 10 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8

  ✗ Dual license: EPL-1.0, LGPL-2.1 [Medium Severity][https://snyk.io/vuln/snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)] in ch.qos.logback:logback-core@1.5.32
    introduced by org.springframework.boot:spring-boot-starter-web@3.5.11 > org.springframework.boot:spring-boot-starter@3.5.11 > org.springframework.boot:spring-boot-starter-logging@3.5.11 > ch.qos.logback:logback-classic@1.5.32 > ch.qos.logback:logback-core@1.5.32

  ✗ Dual license: EPL-1.0, LGPL-2.1 [Medium Severity][https://snyk.io/vuln/snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)] in ch.qos.logback:logback-classic@1.5.32
    introduced by org.springframework.boot:spring-boot-starter-web@3.5.11 > org.springframework.boot:spring-boot-starter@3.5.11 > org.springframework.boot:spring-boot-starter-logging@3.5.11 > ch.qos.logback:logback-classic@1.5.32



Organization:      mx
Package manager:   gradle
Target file:       mdx-web/build.gradle
Project name:      path-mdx-model/mdx-web
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Organization:      mx
Package manager:   gradle
Target file:       platform/build.gradle
Project name:      path-mdx-model/platform
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-mdx-model for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Tested 127 dependencies for known issues, found 4 issues, 8 vulnerable paths.


License issues:

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.5
    introduced by com.puppycrawl.tools:checkstyle@10.25.0 > net.sf.saxon:Saxon-HE@12.5 and 3 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.puppycrawl.tools:checkstyle:LGPL-2.1] in com.puppycrawl.tools:checkstyle@10.25.0
    introduced by com.puppycrawl.tools:checkstyle@10.25.0

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       realtime/build.gradle
Project name:      path-mdx-model/realtime
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

-------------------------------------------------------

Testing /Users/steven.leighton/dev/path-mdx-model...

Organization:      mx
Package manager:   npm
Target file:       package-lock.json
Project name:      package.json
Open source:       no
Project path:      /Users/steven.leighton/dev/path-mdx-model
Licenses:          enabled

✔ Tested /Users/steven.leighton/dev/path-mdx-model for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


Tested 8 projects, 5 contained vulnerable paths.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
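The root-level Gradle layout the PR description outlines (global Java 17 toolchain, centralized test inheritance, universal POM metadata and conditional signing, lazy task configuration, `api` export of the Spring Boot BOM from mdx-web, and a pure `java-platform` with no Spring constraints), written out as an added example. This is not path-mdx-model's own build.gradle and not code from the PR author: the group id, the version, the path-core BOM coordinates (`com.mx.path-core:bom`), the POM URL and the `SIGNING_KEY`/`SIGNING_PASSWORD` environment variables are assumptions chosen for illustration.

```groovy
// Added example (not the project's own build file): a root build.gradle in the
// shape the PR description outlines. Group id, version, path-core BOM
// coordinates, POM URL and signing env var names are placeholders/assumptions.

version = '0.0.0-placeholder'

ext {
    pathCoreVersion = 'X.Y.Z'        // placeholder; renamed from pathSDKVersion
    springBootVersion = '3.5.11'
}

// Every module except the platform is an ordinary Java library.
def libraryProjects = subprojects.findAll { it.name != 'platform' }

configure(libraryProjects) {
    apply plugin: 'java-library'     // java-library, so `api` is available
    apply plugin: 'maven-publish'
    apply plugin: 'signing'

    group = 'com.example.placeholder'    // placeholder group id
    version = rootProject.version

    repositories { mavenCentral() }

    // Global toolchain: Java 17 everywhere, replacing per-module
    // sourceCompatibility/targetCompatibility settings.
    java {
        toolchain { languageVersion = JavaLanguageVersion.of(17) }
        withSourcesJar()     // native DSL replaces hand-written package tasks
        withJavadocJar()
    }

    dependencies {
        // Assumed BOM coordinates for path-core. Versions of shared test
        // libraries come from its constraints, so none are hardcoded here.
        testImplementation platform("com.mx.path-core:bom:${pathCoreVersion}")
        testImplementation 'com.mx.path-core:testing'
    }

    // Lazy task configuration instead of afterEvaluate { ... }: the closure
    // runs only if the task is realized, and only when it exists.
    tasks.withType(Test).configureEach { useJUnitPlatform() }
    plugins.withId('com.diffplug.spotless') {
        tasks.named('spotlessApply').configure { group = 'formatting' }
    }

    // POM metadata decorated onto every publication a module declares,
    // so modules only define publications and inherit the metadata.
    publishing {
        publications.withType(MavenPublication).configureEach {
            pom {
                name = "${project.group}:${project.name}"
                url = 'https://example.invalid/path-mdx-model'   // placeholder
            }
        }
    }

    // Sign only when key material is present (release pipeline); local builds
    // without credentials skip signing instead of failing.
    signing {
        def key = System.getenv('SIGNING_KEY')          // assumed env var
        def pass = System.getenv('SIGNING_PASSWORD')    // assumed env var
        if (key && pass) {
            useInMemoryPgpKeys(key, pass)
            sign publishing.publications
        }
    }
}

// mdx-web owns the web layer: the Spring Boot BOM and starter are exported with
// `api`, so downstream connectors inherit the same Spring versions and
// constraints by depending on this module alone. commons-codec carries no
// version; the BOM manages it.
project(':mdx-web') {
    dependencies {
        api platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")
        api 'org.springframework.boot:spring-boot-starter-web'
        implementation 'commons-codec:commons-codec'
    }
}

// The platform is a pure java-platform that constrains only this repository's
// own modules. No Spring Boot BOM is imported here, so library-only consumers
// are not pulled into Spring's constraint set (the "BOM pollution" the PR
// description removes).
project(':platform') {
    apply plugin: 'java-platform'
    apply plugin: 'maven-publish'

    dependencies {
        constraints {
            libraryProjects.each { api project(it.path) }
        }
    }
    publishing {
        publications {
            platformBom(MavenPublication) { from components.javaPlatform }
        }
    }
}
```

To confirm the platform stays free of Spring constraints, generate its POM with `./gradlew :platform:generatePomFileForPlatformBomPublication` and check that the `dependencyManagement` section lists only this repository's modules; then re-run `snyk test --all-projects --exclude=build` as the PR did, which is what shows whether the Jackson, Tomcat and Logback upgrades pulled in through the Spring Boot BOM actually reach every module's resolved graph.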

build: update plugins and dependencies

build: clean up gradle configuration files
@stevecl5 stevecl5 force-pushed the scl/update-dependencies branch from 5748944 to 61364a3 Compare March 3, 2026 23:54
@stevecl5 stevecl5 merged commit c899757 into master Mar 4, 2026
7 checks passed
@stevecl5 stevecl5 deleted the scl/update-dependencies branch March 4, 2026 15:31
