From 49fac00a1e92e647ad78ed0cb45d8be22b01b297 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
Date: Sun, 6 Jul 2025 21:32:56 +0200
Subject: [PATCH] Update vulnerable dependencies

- make sure h2 is test scoped everywhere
- update org.json (2016 + 2022 -> 20250517)
- commons-fileupload (1.4 -> 1.5)
- update kafka-clients (3.3.1 -> 3.3.2)
- consistently use the same logback version everywhere

Issue-ID: SO-4199
Change-Id: I255806239a377822945fcf67bb3d01c04de97ae6
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
---
 asdc-controller/pom.xml                        |  2 +-
 bpmn/MSOCoreBPMN/pom.xml                       |  3 +--
 bpmn/mso-infrastructure-bpmn/pom.xml           |  1 +
 common/pom.xml                                 | 11 +++++++++++
 mso-api-handlers/mso-api-handler-infra/pom.xml |  1 +
 pom.xml                                        | 13 ++++++++++++-
 6 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/asdc-controller/pom.xml b/asdc-controller/pom.xml
index 905b0299ca..262f5781d1 100644
--- a/asdc-controller/pom.xml
+++ b/asdc-controller/pom.xml
@@ -16,7 +16,7 @@
     <sdc.tosca.version>1.6.5</sdc.tosca.version>
     <jtosca.version>1.5.1</jtosca.version>
     <sdc-dist-client.version>2.0.0</sdc-dist-client.version>
-    <kafka-clients.version>3.3.1</kafka-clients.version>
+    <kafka-clients.version>3.3.2</kafka-clients.version>
   </properties>
   <build>
     <finalName>${project.artifactId}-${project.version}</finalName>
diff --git a/bpmn/MSOCoreBPMN/pom.xml b/bpmn/MSOCoreBPMN/pom.xml
index fd26204b77..0963c3d486 100644
--- a/bpmn/MSOCoreBPMN/pom.xml
+++ b/bpmn/MSOCoreBPMN/pom.xml
@@ -49,7 +49,7 @@
     <dependency>
       <groupId>commons-fileupload</groupId>
       <artifactId>commons-fileupload</artifactId>
-      <version>1.4</version>
+      <version>1.5</version>
     </dependency>
     <dependency>
       <groupId>org.camunda.bpm</groupId>
@@ -76,7 +76,6 @@
     <dependency>
       <groupId>org.json</groupId>
       <artifactId>json</artifactId>
-      <version>20160212</version>
     </dependency>
     <dependency>
       <groupId>org.xmlunit</groupId>
diff --git a/bpmn/mso-infrastructure-bpmn/pom.xml b/bpmn/mso-infrastructure-bpmn/pom.xml
index df9317014b..7086b68d56 100644
--- a/bpmn/mso-infrastructure-bpmn/pom.xml
+++ b/bpmn/mso-infrastructure-bpmn/pom.xml
@@ -262,6 +262,7 @@
     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.springframework.cloud</groupId>
diff --git a/common/pom.xml b/common/pom.xml
index fe7b173e21..7c842cbe52 100644
--- a/common/pom.xml
+++ b/common/pom.xml
@@ -15,6 +15,7 @@
     <grpc.netty.version>4.1.30.Final</grpc.netty.version>
     <ccsdk.version>1.1.5</ccsdk.version>
     <tomcat-catalina-version>9.0.105</tomcat-catalina-version>
+    <logback.version>1.2.13</logback.version>
   </properties>
   <dependencies>
     <dependency>
@@ -273,6 +274,16 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-core</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-classic</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
   <build>
diff --git a/mso-api-handlers/mso-api-handler-infra/pom.xml b/mso-api-handlers/mso-api-handler-infra/pom.xml
index 560035bbad..e33cc3981e 100644
--- a/mso-api-handlers/mso-api-handler-infra/pom.xml
+++ b/mso-api-handlers/mso-api-handler-infra/pom.xml
@@ -42,6 +42,7 @@
     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
diff --git a/pom.xml b/pom.xml
index 4cf4f513b5..8579dfc3a6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
     <onap-logging-version>1.6.9</onap-logging-version>
     <jackson.version>2.14.3</jackson.version>
     <grpc.version>1.25.0</grpc.version>
+    <logback.version>1.2.7</logback.version>
   </properties>
   <distributionManagement>
     <repository>
@@ -912,6 +913,16 @@
         <artifactId>logging-filter-spring</artifactId>
         <version>${onap-logging-version}</version>
       </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-core</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-classic</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.apache.httpcomponents</groupId>
         <artifactId>httpcore</artifactId>
@@ -986,7 +997,7 @@
       <dependency>
         <groupId>org.json</groupId>
         <artifactId>json</artifactId>
-        <version>20220924</version>
+        <version>20250517</version>
       </dependency>
       <dependency>
         <groupId>org.onap.aai.schema-service</groupId>
-- 
2.16.6