
Upgrade Dropwizard 1.0.5 → 4.0.14, Java 6 → 17, all Maven plugins, add OWASP CVE scanning#44

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1777592638-dropwizard-4x-security-upgrade

Conversation

@devin-ai-integration devin-ai-integration Bot commented Apr 30, 2026

Summary

Coordinated upgrade addressing all security and dependency issues across four parallel workstreams:

Workstream 1: Dropwizard 1.0.5 → 4.0.14

  • Import both dropwizard-dependencies and dropwizard-bom BOMs at version 4.0.14
  • Migrate core imports: io.dropwizard.Application → io.dropwizard.core.Application, Configuration, Bootstrap, Environment
  • Migrate views: io.dropwizard.views.ViewBundle → io.dropwizard.views.common.ViewBundle
  • Migrate all javax.* → jakarta.* (validation, persistence, ws.rs)
  • Fix @NotEmpty import: org.hibernate.validator.constraints → jakarta.validation.constraints
  • Fix DAO: namedQuery() → namedTypedQuery() for Hibernate 6.x compatibility
  • Migrate test from JUnit 3 → JUnit 5 (Jupiter)
  • H2 upgraded to 2.3.232 — resolves CVE-2021-42392 and CVE-2022-23221

Workstream 2: Java 6 → 17

  • Replaced <source>1.6</source> / <target>1.6</target> with <release>17</release>
  • Added module-info.class exclusion to shade plugin filter

Workstream 3: Maven plugin upgrades (all to latest stable)

Plugin                  Old     New
maven-clean-plugin      2.6.1   3.5.0
maven-install-plugin    2.5.2   3.1.4
maven-surefire-plugin   2.19.1  3.5.5
maven-resources-plugin  2.7     3.5.0
maven-enforcer-plugin   1.4.1   3.6.2
maven-compiler-plugin   3.6.0   3.15.0
maven-source-plugin     2.4     3.4.0
maven-jar-plugin        2.6     3.5.0
maven-shade-plugin      2.4.3   3.6.2
maven-deploy-plugin     2.8.2   3.1.4
maven-site-plugin       3.4     3.21.0

Workstream 4: OWASP Dependency-Check

  • Added dependency-check-maven 12.1.3 plugin
  • Configured to fail the build on CVSS score ≥ 7

Key transitive dependency versions (verified via mvn dependency:tree)

  • Jetty 11.0.25, Jackson 2.19.0, Hibernate 6.1.7.Final, Guava 33.4.8-jre, Logback 1.5.18, H2 2.3.232

Review & Testing Checklist for Human

  • Verify mvn clean verify -Dliquibase.should.run=false -Ddependency-check.skip=true compiles and tests pass with JDK 17
  • Run mvn dependency-check:check to confirm OWASP scan reports no critical CVEs (requires NVD API key for full scan; set -DnvdApiKey=...)
  • Verify the fat JAR runs: java -jar target/DropwizardEmployee-4.0.14.jar server example.yml — confirm app starts on ports 8080/8081
  • Check that POST /employee and GET /employee endpoints work correctly
  • Review Jersey test framework servlet exclusions updated from javax.servlet → jakarta.servlet

Notes

  • The project version was kept coupled to the Dropwizard version (via ${project.version}) as per the original design — now 4.0.14
  • CI/build environment must use JDK 17+
  • The example.yml H2 JDBC URL (jdbc:h2:./target/example) is compatible with H2 2.x without changes
  • The OWASP plugin is bound to the verify phase; skip with -Ddependency-check.skip=true for faster dev builds

Link to Devin session: https://app.devin.ai/sessions/231ee998c3c24edfa396d52a5667adc1
Requested by: @WesternConcrete
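The compiler, shade and Dependency-Check settings the description lists, as an added pom.xml fragment that is not the PR's own diff: plugin versions and values are the ones named above, while the shade filter pattern and the execution layout are assumptions.

```xml
<build>
  <plugins>
    <!-- Workstream 2: target Java 17 with a single release flag instead of source/target 1.6 -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.15.0</version>
      <configuration>
        <release>17</release>
      </configuration>
    </plugin>
    <!-- Workstream 2: keep module-info.class of every shaded dependency out of the fat JAR
         (the *:* filter pattern is an assumption, not taken from the PR) -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.6.2</version>
      <executions>
        <execution>
          <goals><goal>shade</goal></goals>
          <configuration>
            <filters>
              <filter>
                <artifact>*:*</artifact>
                <excludes>
                  <exclude>module-info.class</exclude>
                </excludes>
              </filter>
            </filters>
          </configuration>
        </execution>
      </executions>
    </plugin>
    <!-- Workstream 4: OWASP Dependency-Check bound to verify; any finding with CVSS of 7 or more fails the build -->
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>12.1.3</version>
      <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The plugin exposes its skip and NVD key parameters as user properties, so the checklist's `-Ddependency-check.skip=true` and `-DnvdApiKey=...` work against this fragment without further POM changes.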



…add OWASP

Workstream 1: Dropwizard 1.0.5 -> 4.0.14
- Import dropwizard-dependencies and dropwizard-bom BOMs
- Migrate io.dropwizard.* to io.dropwizard.core.* (Application, Configuration, Bootstrap, Environment)
- Migrate io.dropwizard.views.ViewBundle to io.dropwizard.views.common.ViewBundle
- Migrate javax.* to jakarta.* (validation, persistence, ws.rs)
- Fix @NotEmpty import from org.hibernate.validator to jakarta.validation
- Fix DAO namedQuery() to namedTypedQuery() for Hibernate 6.x compatibility
- Migrate JUnit 3 test to JUnit 5 (Jupiter)
- H2 2.3.232 resolves CVE-2021-42392 and CVE-2022-23221

Workstream 2: Java compilation target 1.6 -> 17
- Replace source/target 1.6 with release 17 in maven-compiler-plugin
- Add module-info.class exclusion in shade plugin

Workstream 3: Upgrade all Maven plugins
- maven-clean-plugin: 2.6.1 -> 3.5.0
- maven-install-plugin: 2.5.2 -> 3.1.4
- maven-surefire-plugin: 2.19.1 -> 3.5.5
- maven-resources-plugin: 2.7 -> 3.5.0
- maven-enforcer-plugin: 1.4.1 -> 3.6.2
- maven-compiler-plugin: 3.6.0 -> 3.15.0
- maven-source-plugin: 2.4 -> 3.4.0
- maven-jar-plugin: 2.6 -> 3.5.0
- maven-shade-plugin: 2.4.3 -> 3.6.2
- maven-deploy-plugin: 2.8.2 -> 3.1.4
- maven-site-plugin: 3.4 -> 3.21.0

Workstream 4: Add OWASP Dependency-Check Maven plugin
- Add dependency-check-maven 12.1.3
- Configured to fail build on CVSS >= 7

Co-Authored-By: Wes Convery <2wconvery@gmail.com>

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.
