Summary
High-severity CVEs flagged in transitive dependencies during the PR #116 session. Captured in PR_116_FOLLOWUP_NOTES.md; filing as a tracked issue.
Affected dependency areas
- Spring Boot 4.0.x — transitive CVEs
- Tomcat 11.0.15
- Jackson 3.0.3
- AssertJ 3.27.6
(Exact CVE IDs to be confirmed by running the dependency scan — see below.)
Action
- Run mvn org.owasp:dependency-check-maven:check (the OWASP step exists in .github/workflows/ci.yml) to enumerate the current CVE set with IDs and CVSS scores.
- For each high-severity finding, determine whether a patched version is available and bump it (prefer aligning with the Spring Boot 4.0.x BOM where possible).
- For findings with no upgrade path, document risk acceptance or add an OWASP suppression with justification (openespi-authserver/owasp-suppressions.xml exists as a pattern).
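As an added illustration (not the project's own pom.xml or suppression file), this is the shape of a narrowly scoped, time-boxed suppression entry with its justification, beside the plugin configuration that enforces the CVSS threshold; the CVE ID, artifact coordinates, threshold value and dates are placeholders to be filled from the dependency-check report.

```xml
<!-- Added example, not the project's own files. CVE ID, artifact coordinates,
     threshold and dates are placeholders to be filled from the scan report. -->

<!-- 1. pom.xml: plugin configuration that fails the build at the CVSS threshold
        and loads the suppression file used to record accepted findings -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <!-- placeholder threshold: findings scored at or above it fail the build -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>

<!-- 2. owasp-suppressions.xml: one time-boxed, narrowly scoped entry per finding -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- placeholder expiry: the finding resurfaces after this date if no upgrade lands -->
  <suppress until="2026-08-19Z">
    <notes><![CDATA[
      Risk acceptance for CVE-XXXX-XXXXX (placeholder ID): record why the
      vulnerable code path is unreachable from this service, who reviewed the
      decision, and the issue tracking the eventual upgrade.
    ]]></notes>
    <!-- match the exact artifact (any version), never the whole group, so a new
         vulnerable artifact under the same group is not silently hidden -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <!-- suppress only this CVE; other findings on the same artifact still fail -->
    <cve>CVE-XXXX-XXXXX</cve>
  </suppress>
</suppressions>
```

Scoping by both packageUrl and cve, with an until date, keeps a suppression from quietly covering future findings.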
Acceptance criteria
- dependency-check passes at the configured failBuildOnCVSS threshold
Source
PR_116_FOLLOWUP_NOTES.md item 1 (post-PR #116, 2026-05-19).