From 54f90a51609b72e955c5c8de09990d0d3941e595 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
Date: Mon, 14 Jul 2025 09:37:04 +0200
Subject: [PATCH] Update vulnerable dependencies

- consistently use the same logback version everywhere (1.2.10 -> 1.2.11)
- consistently uuse the same kafka-clients version everywhere (3.3.1 -> 3.3.2)
- declare ehcache dependency in aai-client pom instead of common since it
  is only used there

Issue-ID: SO-4199
Change-Id: Id8b5c6c061e6f0921e45fb6763fe2384f0315fe4
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
---
 asdc-controller/pom.xml                    |  1 -
 bpmn/pom.xml                               |  3 +--
 bpmn/so-bpmn-infrastructure-common/pom.xml |  1 -
 common/pom.xml                             | 13 +++++++------
 graph-inventory/aai-client/pom.xml         |  4 ++++
 pom.xml                                    |  1 +
 6 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/asdc-controller/pom.xml b/asdc-controller/pom.xml
index a2f4a7494c..febccbe578 100644
--- a/asdc-controller/pom.xml
+++ b/asdc-controller/pom.xml
@@ -16,7 +16,6 @@
     <sdc.tosca.version>1.6.5</sdc.tosca.version>
     <jtosca.version>1.5.1</jtosca.version>
     <sdc-dist-client.version>2.0.0</sdc-dist-client.version>
-    <kafka-clients.version>3.3.2</kafka-clients.version>
   </properties>
   <build>
     <finalName>${project.artifactId}-${project.version}</finalName>
diff --git a/bpmn/pom.xml b/bpmn/pom.xml
index c0a3192189..6d2ac6e5d6 100644
--- a/bpmn/pom.xml
+++ b/bpmn/pom.xml
@@ -19,9 +19,8 @@
     <xmlunit.version>2.4.0</xmlunit.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <sdnc.northbound.version>3.0.2</sdnc.northbound.version>
     <!-- SDNC northbound API latest version -->
-    <logback-core.version>1.2.10</logback-core.version>
+    <sdnc.northbound.version>3.0.2</sdnc.northbound.version>
   </properties>
   <modules>
     <module>MSOCoreBPMN</module>
diff --git a/bpmn/so-bpmn-infrastructure-common/pom.xml b/bpmn/so-bpmn-infrastructure-common/pom.xml
index 94412a290b..cfdb67b61f 100644
--- a/bpmn/so-bpmn-infrastructure-common/pom.xml
+++ b/bpmn/so-bpmn-infrastructure-common/pom.xml
@@ -220,7 +220,6 @@
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-core</artifactId>
-      <version>${logback-core.version}</version>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
diff --git a/common/pom.xml b/common/pom.xml
index 9b8b06339c..894bb15f47 100644
--- a/common/pom.xml
+++ b/common/pom.xml
@@ -37,6 +37,7 @@
     <dependency>
       <groupId>com.jayway.jsonpath</groupId>
       <artifactId>json-path</artifactId>
+      <version>2.5.0</version>
     </dependency>
     <dependency>
       <groupId>org.hibernate</groupId>
@@ -145,6 +146,10 @@
           <groupId>io.springfox</groupId>
           <artifactId>springfox-boot-starter</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.apache.kafka</groupId>
+          <artifactId>kafka-clients</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <!-- protobuf dependencies -->
@@ -238,11 +243,7 @@
     <dependency>
       <groupId>javax.cache</groupId>
       <artifactId>cache-api</artifactId>
-      <version>1.0.0</version>
-    </dependency>
-    <dependency>
-      <groupId>org.ehcache</groupId>
-      <artifactId>ehcache</artifactId>
+      <version>1.1.0</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.cloud</groupId>
@@ -252,7 +253,7 @@
     <dependency>
       <groupId>org.apache.kafka</groupId>
       <artifactId>kafka-clients</artifactId>
-      <version>3.3.1</version>
+      <version>${kafka-clients.version}</version>
     </dependency>
     <dependency>
       <groupId>uk.org.webcompere</groupId>
diff --git a/graph-inventory/aai-client/pom.xml b/graph-inventory/aai-client/pom.xml
index 193a33b6b1..b1e7a21642 100644
--- a/graph-inventory/aai-client/pom.xml
+++ b/graph-inventory/aai-client/pom.xml
@@ -139,6 +139,10 @@
       <scope>compile</scope>
       <optional>true</optional>
     </dependency>
+    <dependency>
+      <groupId>org.ehcache</groupId>
+      <artifactId>ehcache</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.cxf</groupId>
       <artifactId>cxf-rt-rs-client</artifactId>
diff --git a/pom.xml b/pom.xml
index a62a4b6340..baac65402d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,6 +79,7 @@
     <jackson.version>2.14.3</jackson.version>
     <grpc.version>1.25.0</grpc.version>
     <logback.version>1.2.11</logback.version>
+    <kafka-clients.version>3.3.2</kafka-clients.version>
   </properties>
   <distributionManagement>
     <repository>
-- 
2.16.6