From 6c78147991a50e0f8b355449851cd053ba757537 Mon Sep 17 00:00:00 2001
From: Susan Hert
Date: Fri, 3 Apr 2026 12:59:16 -0700
Subject: [PATCH 1/2] Update gradle plugins version to eliminate VcsTag in module.xml file (#1324)
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 233536394d..d21ad98efb 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
-gradlePluginsVersion=7.3.1
+gradlePluginsVersion=8.0.0
 owaspDependencyCheckPluginVersion=12.2.0
 # Versions of node and npm to use during the build. If set, these versions
From ee328e6855aece13c3f84ec660253b0d38c8e126 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Sat, 4 Apr 2026 08:57:44 -0700
Subject: [PATCH 2/2] Update Spring AI to 2.0.0-M4 (#1316) (#1325)
---
 build.gradle | 12 ++++++++++++
 dependencyCheckSuppression.xml | 20 ++++++++++++++++++++
 gradle.properties | 9 ++++++---
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index 35c69b1ec0..6d09333974 100644
--- a/build.gradle
+++ b/build.gradle
@@ -59,6 +59,7 @@ allprojects {
 JavaCompile compile ->
 compile.options.incremental = true // Gradle 3.4
 compile.options.encoding = 'UTF-8'
+ compile.options.compilerArgs << '-parameters' // Preserve method parameter names for Spring AI reflection
 }
 }
@@ -347,6 +348,14 @@ allprojects {
 // Force consistency for dependencies from pipeline and query
 force "org.dom4j:dom4j:${dom4jVersion}"
+ // Force spring-ai components to bring in spring-* versions that match the rest of spring
+ force "org.springframework:spring-context-support:${springVersion}"
+ force "org.springframework:spring-messaging:${springVersion}"
+ force "org.springframework:spring-webflux:${springVersion}"
+
+ // spring-ai dependency. Force to mitigate a CVE.
+ force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
+
 // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
 force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
@@ -362,6 +371,9 @@ allprojects {
 // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
+ // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+ force "tools.jackson.core:jackson-core:${jackson3Version}"
+
 dependencySubstitution {
 // Because the client api artifact name is not the same as the directory structure, we use
 // Gradle's dependency substitution so the dependency will appear correctly in the pom files that
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 5b88940c56..d610e97a2b 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -255,4 +255,24 @@ ^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$ CVE-2026-23907 + + + + + ^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$ + cpe:/a:vmware:server + + + + ^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$ + cpe:/a:vmware:vmware_server +
diff --git a/gradle.properties b/gradle.properties
index d21ad98efb..53e73973e7 100644
--- a/gradle.properties
+++ b/gradle.properties
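Review bot: The comment `// spring-ai dependency. Force to mitigate a CVE.` on the `io.modelcontextprotocol.sdk:mcp` force in the @@ -347,6 +348,14 @@ hunk of build.gradle does not say which CVE it mitigates, whereas the hadoop-hdfs-client force shown as context in the next hunk lists its identifiers. Without the id nobody can later verify that the advisory is actually fixed in `modelContextProtocolVersion`, or tell when the pin is no longer needed. I would write `// Transitive spring-ai dependency. Force to mitigate CVE-YYYY-NNNNN (placeholder: actual id); drop once spring-ai brings in a fixed version.` The same applies to `mitigate CVEs` on the jackson-core force in the @@ -362,6 +371,9 @@ hunk and to `# Spring-AI dependency that's showing a CVE` in gradle.properties. The enclosing block starts and ends outside the hunk.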
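Review bot: Only `tools.jackson.core:jackson-core` is forced to `${jackson3Version}` in the @@ -362,6 +371,9 @@ hunk of build.gradle, so any other Jackson 3 artifact that Spring AI brings in (presumably jackson-databind in the same group) would still resolve to the version Spring AI declares. If the aim is to match the embedded Jackson 3 and pick up its fixes, the sibling modules should be pinned as well, e.g. `force "tools.jackson.core:jackson-databind:${jackson3Version}"`, unless that is already done outside the hunk. `jackson3Version` is not defined in this patch's gradle.properties changes, so I assume it already exists there.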
@@ -252,6 +252,9 @@ lombokVersion=1.18.42
 luceneVersion=10.3.2
+# Spring-AI dependency that's showing a CVE
+modelContextProtocolVersion=1.1.1
+
 mssqlJdbcVersion=13.2.1.jre11
 objenesisVersion=1.0
@@ -291,10 +294,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M4
 sqliteJdbcVersion=3.51.1.0