
Commit 4a9ad2f

Merge 26.3 to 26.4
2 parents 64b9fa7 + ee328e6 commit 4a9ad2f


3 files changed

+39
-4
lines changed


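--- a/build.gradle
+++ b/build.gradle
@@ -59,6 +59,7 @@ allprojects {
 JavaCompile compile ->
 compile.options.incremental = true // Gradle 3.4
 compile.options.encoding = 'UTF-8'
+compile.options.compilerArgs << '-parameters' // Preserve method parameter names for Spring AI reflection
 }
 }
 
@@ -375,6 +376,14 @@ allprojects {
 // Force consistency for dependencies from pipeline and query
 force "org.dom4j:dom4j:${dom4jVersion}"
 
+// Force spring-ai components to bring in spring-* versions that match the rest of spring
+force "org.springframework:spring-context-support:${springVersion}"
+force "org.springframework:spring-messaging:${springVersion}"
+force "org.springframework:spring-webflux:${springVersion}"
+
+// spring-ai dependency. Force to mitigate a CVE.
+force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
+
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -390,6 +399,9 @@ allprojects {
 // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
 
+// Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+force "tools.jackson.core:jackson-core:${jackson3Version}"
+
 dependencySubstitution {
 // Because the client api artifact name is not the same as the directory structure, we use
 // Gradle's dependency substitution so the dependency will appear correctly in the pom files that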
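Review bot: The comment `// spring-ai dependency. Force to mitigate a CVE.` above the forced `io.modelcontextprotocol.sdk:mcp` version does not name the CVE, unlike the hadoop-hdfs-client force a few lines further down, which lists its identifiers. The same gap applies to `mitigate CVEs` on the jackson-core force and to the `modelContextProtocolVersion` comment in gradle.properties. Without the identifier a later reader cannot confirm that the pinned version is a fixed one, or tell when the force can be dropped after Spring AI updates its own dependency. I would write it as `// spring-ai dependency. Force for CVE-<ID from the scanner report>; remove once spring-ai resolves a fixed mcp version on its own.` The block these forces sit in starts and ends outside the visible hunks.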

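--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -283,4 +283,24 @@
 <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
 <cve>CVE-2026-23907</cve>
 </suppress>
+
+<!--
+False-positives
+https://github.com/dependency-check/DependencyCheck/issues/8391
+https://github.com/dependency-check/DependencyCheck/issues/8392
+-->
+<suppress>
+<notes><![CDATA[
+file name: mcp-spring-webmvc-2.0.0-M3.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+<cpe>cpe:/a:vmware:server</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[
+file name: mcp-spring-webmvc-2.0.0-M3.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+<cpe>cpe:/a:vmware:vmware_server</cpe>
+</suppress>
 </suppressions>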
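Review bot: Both new `<suppress>` entries match every version of mcp-spring-webmvc (`@.*$`) and carry no expiry, so the two CPEs stay hidden for this artifact indefinitely, even after the linked false-positive issues are resolved upstream. Adding an `until` attribute, for example `<suppress until="YYYY-MM-DDZ">` with a chosen review date, makes dependency-check report the match again after that date so the suppression gets re-evaluated. The notes also still name `mcp-spring-webmvc-2.0.0-M3.jar` while this commit moves `springAiVersion` to 2.0.0-M4 in gradle.properties; if the jar follows that property, the file name in the notes is already stale. The comment block could also say which linked issue corresponds to which CPE.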

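--- a/gradle.properties
+++ b/gradle.properties
@@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
-gradlePluginsVersion=7.3.1
+gradlePluginsVersion=8.0.0
 owaspDependencyCheckPluginVersion=12.2.0
 
 # Versions of node and npm to use during the build. If set, these versions
@@ -261,6 +261,9 @@ luceneVersion=10.4.0
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 microsoftGraphVersion=6.59.0
 
+# Spring-AI dependency that's showing a CVE
+modelContextProtocolVersion=1.1.1
+
 mssqlJdbcVersion=13.2.1.jre11
 
 # Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735
@@ -305,10 +308,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M4
 
 sqliteJdbcVersion=3.51.2.0
 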