[WIP] Upgrade spring-webmvc to resolve dependabot alerts

doc/technical-notes/UPGRADES.md

@@ -4,9 +4,138 @@ This document describes major dependency upgrades and fixes implemented in TreeB
 
 ## Table of Contents
 
-1. [SLF4J and Logging Framework Compatibility](#slf4j-and-logging-framework-compatibility)
-2. [Jersey 2.x Upgrade](#jersey-2x-upgrade)
-3. [JUnit 4 Migration](#junit-4-migration)
+1. [Spring Framework 5.3.39 Upgrade](#spring-framework-539-upgrade)
+2. [Security Dependency Upgrades](#security-dependency-upgrades)
+3. [SLF4J and Logging Framework Compatibility](#slf4j-and-logging-framework-compatibility)
+4. [Jersey 2.x Upgrade](#jersey-2x-upgrade)
+5. [JUnit 4 Migration](#junit-4-migration)
+
+---
+
+## Spring Framework 5.3.39 Upgrade
+
+### Problem
+
+The project was using Spring Framework 5.3.26 with hardcoded versions spread across multiple pom.xml files. This made version management difficult and led to inconsistent transitive dependency versions.
+
+### Solution
+
+Upgraded Spring Framework from 5.3.26 to 5.3.39 (the latest 5.x LTS release) and centralized version management using Maven properties.
+
+**Changes in parent `pom.xml`:**
+
+```xml
+<!-- Centralized version management -->
+<properties>
+  <!-- Spring Framework 5.3.39 - latest 5.x LTS release with security fixes -->
+  <spring.version>5.3.39</spring.version>
+  <!-- Spring Security 5.8.15 - compatible with Spring 5.3.x -->
+  <spring.security.version>5.8.15</spring.security.version>
+  <!-- Log4j 2.24.3 - latest stable with security fixes -->
+  <log4j.version>2.24.3</log4j.version>
+  <!-- SLF4J 1.7.36 - required for Spring 5.x spring-jcl compatibility -->
+  <slf4j.version>1.7.36</slf4j.version>
+</properties>
+
+<!-- Now using ${spring.version} for all Spring dependencies -->
+<dependency>
+  <groupId>org.springframework</groupId>
+  <artifactId>spring-webmvc</artifactId>
+  <version>${spring.version}</version>
+</dependency>
+```
+
+### Benefits
+
+- ✅ Latest Spring 5.x LTS with security patches
+- ✅ Centralized version management - change one property to update all modules
+- ✅ Consistent versions across all child modules
+- ✅ Spring Security 5.8.15 compatible with Spring 5.3.39
+
+### Known Vulnerabilities in Spring 5.3.39 (No Patch Available)
+
+Spring Framework 5.3.39 has the following vulnerabilities that **cannot be fixed** without migrating to Spring 6.x:
+
+| CVE | Description | Affected | Patched Version |
+|-----|-------------|----------|-----------------|
+| CVE-2024-38816 | Path Traversal vulnerability in spring-webmvc | 5.3.0-5.3.39 | None in 5.x (6.1.14+) |
+| CVE-2024-38819 | Path Traversal vulnerability in spring-webmvc | 5.3.0-5.3.39 | None in 5.x (6.1.14+) |
+| CVE-2025-22228 | Annotation detection improper authorization | 5.3.0-5.3.44 | None in 5.x (6.2.11+) |
+
+**Why these cannot be fixed in 5.x:**
+- Spring 5.x reached end-of-life December 2024
+- VMware/Broadcom will not release security patches for Spring 5.x
+- Patches are only available in Spring 6.1.14+ and 6.2.11+
+- Spring 6.x requires Jakarta EE 9+ migration (javax.* → jakarta.*)
+
+**Risk Mitigation:**
+These vulnerabilities primarily affect:
+1. **Path Traversal**: Applications using functional web endpoints (RouterFunction) or that serve static resources. TreeBASE uses traditional annotation-based controllers which have lower exposure.
+2. **Annotation Detection**: Affects Spring Security annotation processing. TreeBASE uses XML-based security configuration which has lower exposure.
+
+**Recommended Action:** Plan migration to Spring 6.x as documented in "Future Upgrade Paths" section below.
+
+---
+
+## Security Dependency Upgrades
+
+### Problem
+
+Several dependencies had known security vulnerabilities (CVEs):
+
+1. **commons-fileupload 1.3.3** - DoS vulnerability (CVE-2023-24998)
+2. **commons-io 2.7** - Needed update to match commons-fileupload requirements
+3. **xalan 2.7.0** - Integer truncation vulnerability (CVE-2022-34169)
+
+### Solution
+
+Upgraded vulnerable dependencies to patched versions:
+
+```xml
+<!-- commons-fileupload 1.6.0 (was 1.3.3) - fixes CVE-2023-24998, CVE-2024-25710 -->
+<dependency>
+  <groupId>commons-fileupload</groupId>
+  <artifactId>commons-fileupload</artifactId>
+  <version>1.6.0</version>
+</dependency>
+
+<!-- commons-io 2.15.1 (was 2.7) - matches commons-fileupload 1.5 -->
+<dependency>
+  <groupId>commons-io</groupId>
+  <artifactId>commons-io</artifactId>
+  <version>2.15.1</version>
+</dependency>
+
+<!-- xalan 2.7.3 (was 2.7.0) - fixes CVE-2022-34169 -->
+<dependency>
+  <groupId>xalan</groupId>
+  <artifactId>xalan</artifactId>
+  <version>2.7.3</version>
+</dependency>
+```
+
+Also added exclusion in treebase-core for xom dependency which was pulling in xalan 2.6.0:
+
+```xml
+<dependency>
+  <groupId>jaxen</groupId>
+  <artifactId>jaxen</artifactId>
+  <version>1.1-beta-8</version>
+  <exclusions>
+    <exclusion>
+      <groupId>xom</groupId>
+      <artifactId>xom</artifactId>
+    </exclusion>
+  </exclusions>
+</dependency>
+```
+
+### Benefits
+
+- ✅ Addresses dependabot security alerts
+- ✅ DoS vulnerability in file upload fixed
+- ✅ Integer truncation vulnerability in XSLT processing fixed
+- ✅ Consistent xalan version across all modules (2.7.3)
 
 ---
 
@@ -319,35 +448,68 @@ All dependency management is handled in Maven POMs, not at deployment time.
 
 ### Future Upgrade Paths
 
-**Short-term (Stable):**
-- Current approach using Spring 5.x, Jersey 2.x, SLF4J 1.7.x
+**Short-term (Stable - Current State):**
+- Spring 5.3.39 (latest 5.x LTS)
+- Spring Security 5.8.15
+- Jersey 2.x
+- SLF4J 1.7.36
 - Low risk, proven compatibility
-- Maintenance mode libraries but stable
+- ⚠️ Spring 5.x has unpatched vulnerabilities (see above)
 
-**Medium-term (Recommended):**
-- Continue with Jersey 2.x
-- Plan for Spring 6.x migration
-- Requires Jakarta EE namespace migration (javax.* → jakarta.*)
-
-**Long-term (Modern Stack):**
-- Spring 6.x
+**Medium-term (REQUIRED for full security):**
+- **Spring 6.2.11+** - Required to fix CVE-2024-38816, CVE-2024-38819, CVE-2025-22228
+- Jakarta EE 9+ namespace migration (javax.* → jakarta.*)
+- Tomcat 10+ (supports Jakarta EE 9)
+- Servlet API 5.0+
 - Jersey 3.x (Jakarta EE)
 - SLF4J 2.x
-- Full Java 17 ecosystem alignment
+
+**Migration Requirements for Spring 6.x:**
+
+1. **Namespace changes** - All `javax.*` imports → `jakarta.*`
+   - javax.servlet → jakarta.servlet
+   - javax.persistence → jakarta.persistence
+   - javax.validation → jakarta.validation
+
+2. **JSP changes** - Update JSTL and taglib URIs
+
+3. **Configuration updates** - Spring XML configuration adjustments
+
+4. **Tomcat upgrade** - Tomcat 9 → Tomcat 10
+
+5. **Dependencies** - Many libraries need Jakarta EE compatible versions
 
 ### Estimated Efforts
 
-- **Current fixes:** Complete ✅
-- **Spring 6.x migration:** 40-60 hours (namespace changes, testing)
+- **Spring 5.3.39 upgrade:** Complete ✅
+- **Security dependency upgrades:** Complete ✅ (commons-fileupload, xalan)
+- **Version centralization:** Complete ✅
+- **⚠️ Spring 6.2.11+ migration:** 60-80 hours (namespace changes, Tomcat upgrade, testing)
 - **Jersey 3.x upgrade:** 8-16 hours (with Spring 6.x)
-- **Full modernization:** 80-120 hours (combined effort)
+- **Full modernization:** 100-140 hours (combined effort)
+
+### Security Status Summary
+
+| Vulnerability | Status | Fix Available |
+|--------------|--------|---------------|
+| CVE-2023-24998 (commons-fileupload) | ✅ FIXED | commons-fileupload 1.6.0 |
+| CVE-2024-25710 (commons-fileupload) | ✅ FIXED | commons-fileupload 1.6.0 |
+| CVE-2022-34169 (xalan) | ✅ FIXED | xalan 2.7.3 |
+| CVE-2024-38816 (spring-webmvc) | ⚠️ UNFIXED | Requires Spring 6.1.14+ |
+| CVE-2024-38819 (spring-webmvc) | ⚠️ UNFIXED | Requires Spring 6.1.14+ |
+| CVE-2025-22228 (spring-core) | ⚠️ UNFIXED | Requires Spring 6.2.11+ |
 
 ---
 
 ## References
 
 - [Spring Framework 5.3.x Documentation](https://docs.spring.io/spring-framework/docs/5.3.x/reference/html/)
+- [Spring Framework 6.x Migration Guide](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x)
+- [Spring Security 5.8.x Documentation](https://docs.spring.io/spring-security/reference/5.8/index.html)
+- [Jakarta EE 9 Migration Guide](https://eclipse-ee4j.github.io/jakartaee-platform/namespace/)
 - [SLF4J 2.0 Migration Guide](https://www.slf4j.org/faq.html#changesInVersion200)
 - [Jersey Migration Guide (1.x → 2.x)](https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/migration.html)
 - [JUnit 4 Documentation](https://junit.org/junit4/)
 - [ASM Documentation](https://asm.ow2.io/)
+- [Apache Commons FileUpload Security](https://commons.apache.org/proper/commons-fileupload/security.html)
+- [Xalan-J Security](https://xalan.apache.org/xalan-j/)

oai-pmh_data_provider/data_provider_web/pom.xml

@@ -85,10 +85,11 @@
       <artifactId>mail</artifactId>
       <version>1.4</version>
 	</dependency>
+	<!-- xalan 2.7.3 - upgraded from 2.7.0 to fix CVE-2022-34169 -->
 	<dependency>
       <groupId>xalan</groupId>
 	  <artifactId>xalan</artifactId>
-	  <version>2.7.0</version>
+	  <version>2.7.3</version>
 	</dependency>
 	<dependency>
       <groupId>commons-beanutils</groupId>
@@ -100,11 +101,11 @@
       <artifactId>commons-validator</artifactId>
       <version>1.1.4</version>
 	</dependency>
-	<!-- Use Spring's commons-logging bridge for compatibility with SLF4J 2.x -->
+	<!-- Use Spring's commons-logging bridge for compatibility with SLF4J 1.7.x -->
 	<dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-jcl</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
 	</dependency>
 	<dependency>
       <groupId>commons-lang</groupId>
@@ -268,10 +269,11 @@
       <artifactId>springmodules-validator</artifactId>
       <version>0.1</version>
 	</dependency>
+	<!-- commons-fileupload 1.6.0 - upgraded from 1.3.3 to fix CVE-2023-24998 and CVE-2024-25710 -->
 	<dependency>
 	  <groupId>commons-fileupload</groupId>
 	  <artifactId>commons-fileupload</artifactId>
-	  <version>1.3.3</version>
+	  <version>1.6.0</version>
 
 	  <exclusions>
 		<exclusion>
@@ -280,10 +282,11 @@
 		</exclusion>	          
       </exclusions>
 	</dependency>
+	<!-- commons-io 2.15.1 - upgraded from 2.7 to match commons-fileupload 1.6.0 requirements -->
 	<dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-	  <version>2.7</version>
+	  <version>2.15.1</version>
 	</dependency>
 	<dependency>
 	  <groupId>org.directwebremoting</groupId>

oai-pmh_data_provider/pom.xml

@@ -7,6 +7,17 @@
   <version>0.0.1-SNAPSHOT</version>
   <name>oai-pmh_data_provider</name>
   <url>http://maven.apache.org</url>
+
+  <!-- Centralized version management - synchronized with parent pom.xml -->
+  <properties>
+    <!-- Spring Framework 5.3.39 - latest 5.x LTS release with security fixes -->
+    <spring.version>5.3.39</spring.version>
+    <!-- Log4j 2.24.3 - latest stable with security fixes -->
+    <log4j.version>2.24.3</log4j.version>
+    <!-- JUnit 4.13.2 -->
+    <junit.version>4.13.2</junit.version>
+  </properties>
+
   <developers>
     <developer>
       <id>youjun</id>
@@ -36,41 +47,42 @@
   </pluginRepositories>
  <dependencies>
 
+    <!-- Spring Framework dependencies - using centralized ${spring.version} -->
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-core</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-beans</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-test</artifactId>
-      <version>5.3.26</version>
+      <version>${spring.version}</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.13.2</version>
+      <version>${junit.version}</version>
       <scope>test</scope>
     </dependency>
 
@@ -81,12 +93,12 @@
      <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-api</artifactId>
-         <version>2.24.3</version>
+         <version>${log4j.version}</version>
      </dependency>
      <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
-         <version>2.24.3</version>
+         <version>${log4j.version}</version>
      </dependency>
 
  </dependencies>