From d9d3bcc3f504f084e0b494104e5addd97888b51d Mon Sep 17 00:00:00 2001
From: waynedunican <wayne.dunican@est.tech>
Date: Mon, 16 Feb 2026 08:49:10 +0000
Subject: [PATCH] Security uplifts

This commit removes all CVEs found in clamp code

- Uplift Netty to 4.2.8.Final
- Uplift logback to 1.5.25
- Uplift assertj-core to 3.27.7
- Uplift transitive dependencies lz4, protobuf-java, bouncycastle

Issue-ID: POLICY-5394
Change-Id: Ic1df3a5de43da6cdbfc7a925ca93ca5ab953c5b5
Signed-off-by: waynedunican <wayne.dunican@est.tech>
---
 clamp-parent/dependencies/pom.xml | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/clamp-parent/dependencies/pom.xml b/clamp-parent/dependencies/pom.xml
index 15f28f60c..afea52205 100644
--- a/clamp-parent/dependencies/pom.xml
+++ b/clamp-parent/dependencies/pom.xml
@@ -53,7 +53,7 @@
         <version.jersey>3.1.10</version.jersey>
         <version.jupiter>6.0.0</version.jupiter>
         <version.kafka>4.1.0</version.kafka>
-        <version.logback>1.5.18</version.logback>
+        <version.logback>1.5.25</version.logback>
         <version.lombok>1.18.42</version.lombok>
         <version.maven-checkstyle-plugin>3.3.1</version.maven-checkstyle-plugin>
         <version.maven-remote-resources-plugin>3.1.0</version.maven-remote-resources-plugin>
@@ -158,7 +158,7 @@
             <dependency>
                 <groupId>io.netty</groupId>
                 <artifactId>netty-bom</artifactId>
-                <version>4.2.7.Final</version>
+                <version>4.2.8.Final</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -267,6 +267,31 @@
                 <artifactId>kafka-clients</artifactId>
                 <version>${version.kafka}</version>
             </dependency>
+            <dependency>
+                <groupId>org.lz4</groupId>
+                <artifactId>lz4-java</artifactId>
+                <version>1.8.1</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>4.28.2</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bitbucket.b_c</groupId>
+                <artifactId>jose4j</artifactId>
+                <version>0.9.6</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcprov-jdk18on</artifactId>
+                <version>1.79</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk18on</artifactId>
+                <version>1.79</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.tomcat.embed</groupId>
                 <artifactId>tomcat-embed-core</artifactId>
@@ -508,7 +533,7 @@
             <dependency>
                 <groupId>org.assertj</groupId>
                 <artifactId>assertj-core</artifactId>
-                <version>3.25.3</version>
+                <version>3.27.7</version>
                 <scope>test</scope>
             </dependency>
             <dependency>
-- 
2.16.6