chore(deps): bump Spring Boot/log4j/netty/handlebars to clear CVE-gated scan

symphony-enrico · claude · symphony-enrico · commit 62debc68e962 · 2026-05-12T11:44:30.000+02:00
Bumps in symphony-bdk-bom so dependencyCheckAggregate stays under the CVSS-5 fail gate now that OWASP 12.2.2 analysis runs to completion: - spring-boot-dependencies 3.5.11 -> 3.5.14 (pulls spring-framework 6.2.18, spring-security 6.5.10, tomcat-embed 10.1.54) - log4j-bom 2.24.2 -> 2.26.0 - netty-bom 4.1.133.Final added to override Spring Boot's 4.1.132 (still vulnerable to CVE-2026-41417) - handlebars 4.3.1 -> 4.5.1 (picks up commons-lang3 3.18.0 fix for CVE-2025-48924) Adds two narrow allow-list.xml suppressions for known false positives: kotlin-stdlib CVE-2020-29582 (fixed in 1.4.21; CPE overmatches all 1.x) and the handlebars-v4.7.7.js bundled-resource CVEs (JS engine not used by symphony-bdk-template-handlebars). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/allow-list.xml b/allow-list.xml
@@ -15,4 +15,28 @@
         <gav>com.jayway.jsonpath:json-path:2.8.0</gav>
         <cve>CVE-2023-51074</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+          False positive: CVE-2020-29582 was fixed in Kotlin 1.4.21. The NVD CPE entry matches
+          all kotlin 1.x versions; we're on 1.9.25 (transitive from Spring Boot) which is not affected.
+          ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib(-jdk7|-jdk8|-common)?@.*$</packageUrl>
+        <cve>CVE-2020-29582</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+          handlebars.java 4.5.0 still bundles handlebars-v4.7.7.js as a resource. We use the
+          Java-native handlebars engine (symphony-bdk-template-handlebars), not the JS engine,
+          so the bundled JS file is not executed and these JS-side CVEs are not reachable.
+          ]]></notes>
+        <packageUrl regex="true">^pkg:javascript/handlebars@.*$</packageUrl>
+        <cve>CVE-2026-33916</cve>
+        <cve>CVE-2026-33937</cve>
+        <cve>CVE-2026-33938</cve>
+        <cve>CVE-2026-33939</cve>
+        <cve>CVE-2026-33940</cve>
+        <cve>CVE-2026-33941</cve>
+        <vulnerabilityName>GHSA-7rx3-28cr-v5wh</vulnerabilityName>
+        <vulnerabilityName>GHSA-442j-39wm-28r2</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/symphony-bdk-bom/build.gradle b/symphony-bdk-bom/build.gradle
@@ -16,13 +16,15 @@ repositories {
 
 dependencies {
     // import Spring Boot's BOM
-    api platform('org.springframework.boot:spring-boot-dependencies:3.5.11')
+    api platform('org.springframework.boot:spring-boot-dependencies:3.5.14')
     // import Jackson's BOM
     api platform('com.fasterxml.jackson:jackson-bom:2.18.2')
     // import Jersey's BOM
     api platform('org.glassfish.jersey:jersey-bom:3.1.9')
     // import Log4j's BOM
-    api platform('org.apache.logging.log4j:log4j-bom:2.24.2')
+    api platform('org.apache.logging.log4j:log4j-bom:2.26.0')
+    // override Netty (Spring Boot 3.5.14 ships 4.1.132 which is still vulnerable to CVE-2026-41417)
+    api platform('io.netty:netty-bom:4.1.133.Final')
 
     // define all our dependencies versions
     constraints {
@@ -69,7 +71,7 @@ dependencies {
         api 'org.projectreactor:reactor-spring:1.0.1.RELEASE'
 
         api 'org.freemarker:freemarker:2.3.33'
-        api 'com.github.jknack:handlebars:4.3.1'
+        api 'com.github.jknack:handlebars:4.5.1'
         api 'org.reflections:reflections:0.10.2'
 
         api 'com.tngtech.archunit:archunit-junit5:1.2.1'
