Update jjwt version and bump Spring version (#870)

* jjwt dependency update

* ci: upgrade org.owasp.dependencycheck to 12.2.2

Fixes CI failure caused by CVE-2026-6785/6786 whose NVD reference URLs
exceed the VARCHAR(1000) column limit in the plugin's H2 database schema.

* fix: enforce agent-before-pod codegen order to preserve SystemApi health methods

* Update build.gradle

* ci: set failOnError=false on dependencyCheck to tolerate OWASP 12.2.2 JAR analysis bugs

* ci: force commons-lang3/commons-io/slf4j/guava in buildSrc to fix OWASP classloader conflicts

* chore(deps): bump Spring Boot/log4j/netty/handlebars to clear CVE-gated scan

Bumps in symphony-bdk-bom so dependencyCheckAggregate stays under the
CVSS-5 fail gate now that OWASP 12.2.2 analysis runs to completion:

- spring-boot-dependencies 3.5.11 -> 3.5.14 (pulls spring-framework
  6.2.18, spring-security 6.5.10, tomcat-embed 10.1.54)
- log4j-bom 2.24.2 -> 2.26.0
- netty-bom 4.1.133.Final added to override Spring Boot's 4.1.132
  (still vulnerable to CVE-2026-41417)
- handlebars 4.3.1 -> 4.5.1 (picks up commons-lang3 3.18.0 fix for
  CVE-2025-48924)

Adds two narrow allow-list.xml suppressions for known false positives:
kotlin-stdlib CVE-2020-29582 (fixed in 1.4.21; CPE overmatches all
1.x) and the handlebars-v4.7.7.js bundled-resource CVEs (JS engine
not used by symphony-bdk-template-handlebars).

* ci: remove failOnError=false now that OWASP analyzer crash is fixed

The buildSrc classloader fix (f337ba6) made the analyzer run to
completion, so the tolerance flag added in 95c8f79 is no longer
needed. Reverting to the default (true) so a future analyzer
regression fails loudly instead of silently passing with an
incomplete report.

Author: symphony-enrico

allow-list.xml

@@ -15,4 +15,28 @@
         <gav>com.jayway.jsonpath:json-path:2.8.0</gav>
         <cve>CVE-2023-51074</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+          False positive: CVE-2020-29582 was fixed in Kotlin 1.4.21. The NVD CPE entry matches
+          all kotlin 1.x versions; we're on 1.9.25 (transitive from Spring Boot) which is not affected.
+          ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib(-jdk7|-jdk8|-common)?@.*$</packageUrl>
+        <cve>CVE-2020-29582</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+          handlebars.java 4.5.0 still bundles handlebars-v4.7.7.js as a resource. We use the
+          Java-native handlebars engine (symphony-bdk-template-handlebars), not the JS engine,
+          so the bundled JS file is not executed and these JS-side CVEs are not reachable.
+          ]]></notes>
+        <packageUrl regex="true">^pkg:javascript/handlebars@.*$</packageUrl>
+        <cve>CVE-2026-33916</cve>
+        <cve>CVE-2026-33937</cve>
+        <cve>CVE-2026-33938</cve>
+        <cve>CVE-2026-33939</cve>
+        <cve>CVE-2026-33940</cve>
+        <cve>CVE-2026-33941</cve>
+        <vulnerabilityName>GHSA-7rx3-28cr-v5wh</vulnerabilityName>
+        <vulnerabilityName>GHSA-442j-39wm-28r2</vulnerabilityName>
+    </suppress>
 </suppressions>

build.gradle

@@ -1,6 +1,6 @@
 plugins {
     id "io.github.gradle-nexus.publish-plugin" version "1.3.0"
-    id "org.owasp.dependencycheck" version "12.1.3"
+    id "org.owasp.dependencycheck" version "12.2.2"
 }
 
 ext.projectVersion = '3.3.0-SNAPSHOT'

buildSrc/build.gradle

@@ -11,3 +11,21 @@ dependencies {
     implementation 'de.undercouch:gradle-download-task:5.0.2'
     implementation 'com.github.ben-manes:gradle-versions-plugin:0.42.0'
 }
+
+configurations.all {
+    resolutionStrategy {
+        // owasp-dependencycheck 12.2.2 requires newer versions of several libraries than openapi-generator 6.6.0
+        // provides. Because buildSrc's classpath is the parent classloader for all plugin classloaders, OWASP
+        // inherits buildSrc's older versions via parent-first delegation and fails with NoSuchMethodError.
+        // Force all conflicting libraries to the versions OWASP 12.2.2 requires.
+        force 'com.fasterxml.jackson.core:jackson-databind:2.18.2'
+        force 'com.fasterxml.jackson.core:jackson-core:2.18.2'
+        force 'com.fasterxml.jackson.core:jackson-annotations:2.18.2'
+        force 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.0'
+        force 'org.yaml:snakeyaml:1.33'
+        force 'org.apache.commons:commons-lang3:3.20.0'
+        force 'commons-io:commons-io:2.22.0'
+        force 'org.slf4j:slf4j-api:2.0.17'
+        force 'com.google.guava:guava:33.6.0-jre'
+    }
+}

symphony-bdk-bom/build.gradle

@@ -16,13 +16,15 @@ repositories {
 
 dependencies {
     // import Spring Boot's BOM
-    api platform('org.springframework.boot:spring-boot-dependencies:3.5.11')
+    api platform('org.springframework.boot:spring-boot-dependencies:3.5.14')
     // import Jackson's BOM
     api platform('com.fasterxml.jackson:jackson-bom:2.18.2')
     // import Jersey's BOM
     api platform('org.glassfish.jersey:jersey-bom:3.1.9')
     // import Log4j's BOM
-    api platform('org.apache.logging.log4j:log4j-bom:2.24.2')
+    api platform('org.apache.logging.log4j:log4j-bom:2.26.0')
+    // override Netty (Spring Boot 3.5.14 ships 4.1.132 which is still vulnerable to CVE-2026-41417)
+    api platform('io.netty:netty-bom:4.1.133.Final')
 
     // define all our dependencies versions
     constraints {
@@ -55,7 +57,9 @@ dependencies {
         api 'org.apache.commons:commons-text:1.14.0'
         api 'commons-logging:commons-logging:1.3.5'
         api 'com.brsanthu:migbase64:2.2'
-        api 'io.jsonwebtoken:jjwt:0.9.1'
+        api 'io.jsonwebtoken:jjwt-api:0.13.0'
+        api 'io.jsonwebtoken:jjwt-impl:0.13.0'
+        api 'io.jsonwebtoken:jjwt-jackson:0.13.0'
         api 'org.bouncycastle:bcpkix-jdk18on:1.79'
         api 'com.google.code.findbugs:jsr305:3.0.2'
 
@@ -67,7 +71,7 @@ dependencies {
         api 'org.projectreactor:reactor-spring:1.0.1.RELEASE'
 
         api 'org.freemarker:freemarker:2.3.33'
-        api 'com.github.jknack:handlebars:4.3.1'
+        api 'com.github.jknack:handlebars:4.5.1'
         api 'org.reflections:reflections:0.10.2'
 
         api 'com.tngtech.archunit:archunit-junit5:1.2.1'

symphony-bdk-core/build.gradle

@@ -47,7 +47,9 @@ dependencies {
     implementation 'org.apache.commons:commons-lang3'
     implementation 'org.apache.commons:commons-text'
     implementation 'com.brsanthu:migbase64'
-    implementation 'io.jsonwebtoken:jjwt'
+    implementation 'io.jsonwebtoken:jjwt-api'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson'
     implementation 'org.bouncycastle:bcpkix-jdk18on'
     api 'com.fasterxml.jackson.core:jackson-databind'
     implementation 'io.github.resilience4j:resilience4j-retry'
@@ -130,3 +132,5 @@ apisToGenerate.each { api, path ->
 
 // Duplicated AuthRequest class, we need the one from auth API, so task order matters here
 tasks.generateAuth.dependsOn tasks.generateLogin
+// Duplicated SystemApi class, we need the one from agent API (contains v3Health/v3ExtendedHealth), so task order matters here
+tasks.generatePod.dependsOn tasks.generateAgent

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/jwt/JwtHelper.java

@@ -9,7 +9,6 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.SignatureAlgorithm;
 import org.apiguardian.api.API;
 import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
 import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
@@ -23,7 +22,6 @@
 import java.io.StringReader;
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
-import java.security.Key;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
@@ -65,7 +63,7 @@ public class JwtHelper {
 
 
   /**
-   * Creates a JWT with the provided user name and expiration date, signed with the provided private key.
+   * Creates a JWT with the provided username and expiration date, signed with the provided private key.
    *
    * @param user       the username to authenticate; will be verified by the pod
    * @param expiration of the authentication request in milliseconds; cannot be longer than the value defined on the
@@ -75,16 +73,16 @@ public class JwtHelper {
    *                   the public key stored for the user
    * @return a signed JWT for a specific user (or subject)
    */
-  public static String createSignedJwt(String user, long expiration, Key privateKey) {
+  public static String createSignedJwt(String user, long expiration, PrivateKey privateKey) {
     return Jwts.builder()
-        .setSubject(user)
-        .setExpiration(new Date(System.currentTimeMillis() + expiration))
-        .signWith(SignatureAlgorithm.RS512, privateKey)
+        .subject(user)
+        .expiration(new Date(System.currentTimeMillis() + expiration))
+        .signWith(privateKey, Jwts.SIG.RS512)
         .compact();
   }
 
   /**
-   * Creates a RSA Private Key from a PEM String. It supports PKCS#1 and PKCS#8 string formats.
+   * Creates an RSA Private Key from a PEM String. It supports PKCS#1 and PKCS#8 string formats.
    *
    * @param pemPrivateKey RSA Private Key content
    * @return a {@link PrivateKey} instance
@@ -110,18 +108,21 @@ else if (pemPrivateKey.contains(PEM_RSA_PRIVATE_START)) {
   /**
    * Validates a jwt against a certificate.
    *
-   * @param jwt
+   * @param jwt string of the jwt to be validated
    * @param certificate string of the X.509 certificate content in pem format.
-   * @return the content of jwt clain "user" if jwt is successfully validated.
+   * @return the content of jwt claim "user" if jwt is successfully validated.
    * @throws AuthInitializationException if certificate or jwt are invalid.
    */
   public static UserClaim validateJwt(String jwt, String certificate) throws AuthInitializationException {
     final Certificate x509Certificate = parseX509Certificate(certificate);
 
     try {
-      final Claims body = Jwts.parser().setSigningKey(x509Certificate.getPublicKey())
-        .parseClaimsJws(jwt).getBody();
-      return mapper.convertValue(body.get("user"), UserClaim.class);
+      final Claims claims = Jwts.parser()
+          .verifyWith(x509Certificate.getPublicKey())
+          .build()
+          .parseSignedClaims(jwt)
+          .getPayload();
+      return mapper.convertValue(claims.get("user"), UserClaim.class);
     } catch (JwtException e) {
       throw new AuthInitializationException("Unable to validate JWT", e);
     }

symphony-bdk-http/symphony-bdk-http-jersey2/build.gradle

@@ -16,7 +16,9 @@ dependencies {
 
     implementation 'org.slf4j:slf4j-api'
     implementation 'org.apiguardian:apiguardian-api'
-    implementation 'io.jsonwebtoken:jjwt'
+    implementation 'io.jsonwebtoken:jjwt-api'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson'
     implementation 'org.bouncycastle:bcpkix-jdk18on'
     implementation 'commons-io:commons-io'
     implementation 'org.apache.commons:commons-lang3'
@@ -42,4 +44,3 @@ dependencies {
     testImplementation 'org.mockito:mockito-junit-jupiter'
     testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 }
-