Skip to content

Blackduck scan fixes#523

Open
yashmeet29 wants to merge 37 commits into
developfrom
SDMEXT-blackduckScanFix-feature
Open

Blackduck scan fixes#523
yashmeet29 wants to merge 37 commits into
developfrom
SDMEXT-blackduckScanFix-feature

Conversation

@yashmeet29

@yashmeet29 yashmeet29 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Describe your changes

  • Upgrade Spring Boot from 3.3.1 / 3.2.6 → 3.5.16 across all sample app modules (single-tenant demoapp and multi-tenant cloud-cap-samples-java, both central-space and personal-space)

  • Bump Jackson (jackson-databind, jackson-core) from 2.18.6 → 2.22.0 in the root sdm/pom.xml and multi-tenant srv POMs

  • Pin Netty BOM to 4.2.15.Final via dependencyManagement in all four sample app parent POMs to remediate Netty CVEs flagged by BlackDuck

  • Pin Bouncy Castle (bcprov-jdk18on, bcpkix-jdk18on) to 1.84 in all four sample app parent POMs to remediate Bouncy Castle CVEs flagged by BlackDuck

  • Force H2 database to 2.4.240 explicitly in the two single-tenant demoapp srv/pom.xml files

  • Force safe transitive versions in the multi-tenant cloud-cap-samples-java/srv/pom.xml via a new dependencyManagement block covering: Kotlin stdlib (2.4.0), OpenTelemetry API/context (1.63.0), Spring Security modules (6.5.11), Logback (1.5.35), Nimbus JOSE+JWT (10.9.1), and Spring Boot core (3.5.15)

Type of change

  • Blackduck Scan fix (non-breaking change which fixes an issue)

Checklist before requesting a review

  • I follow Java Development Guidelines for SAP
  • I have tested the functionality on my cloud environment.
  • I have provided sufficient automated/ unit tests for the code.
  • I have increased or maintained the test coverage.
  • I have ran integration tests on my cloud environment.
  • I have validated blackduck portal for any vulnerability after my commit.

Upload Screenshots/lists of the scenarios tested

  • I have Uploaded Screenshots or added lists of the scenarios tested in description

Single tenant IT
Screenshot 2026-07-07 at 1 31 21 PM

Multi tenant IT
Screenshot 2026-07-08 at 3 54 27 PM

Remove kotlin-stdlib, kotlin-stdlib-jdk8, kotlin-stdlib-jdk7 from
dependencyManagement and exclude them directly on com.sap.cds:sdm
which is the transitive source via OkHttp.
…ules

Remove kotlin-stdlib, kotlin-stdlib-jdk8, kotlin-stdlib-jdk7 from
dependencyManagement in personal-space and single-tenant modules and
exclude them directly on com.sap.cds:sdm which is the transitive
source via OkHttp.
…ct dependencies

Remove dependencyManagement blocks for transitive security fixes across all 4
app modules. Add exclusions directly on the dependency that pulls each library:
- cds-starter-spring-boot: exclude tomcat-embed-core/websocket/el
- cds-adapter-odata-v4: exclude opentelemetry-api/context
- cds-feature-mt: exclude jackson-databind
- cds-starter-cloudfoundry: exclude nimbus-jose-jwt, spring-security-oauth2-*
- spring-boot-starter-security: exclude spring-security-web/config, logback-classic/core
- spring-security-test: exclude spring-security-core/crypto
- spring-boot-devtools: exclude spring-boot, spring-boot-autoconfigure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants