From 98affba070f9564c43fd98d276ee33f30198d921 Mon Sep 17 00:00:00 2001 From: Bill Oley Date: Tue, 10 Feb 2026 15:19:00 -0500 Subject: [PATCH 1/2] Address multiple known security vulnerabilities --- .../util/v1/SegmentUtilsJsonTest.java | 2 +- pom.xml | 12 +++---- ...eadSafeClassPathXmlApplicationContext.java | 32 +++++++++++++++++++ web-services/pom.xml | 2 +- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/core/annotation/src/test/java/datawave/annotation/util/v1/SegmentUtilsJsonTest.java b/core/annotation/src/test/java/datawave/annotation/util/v1/SegmentUtilsJsonTest.java index 733297ecae4..f7df6d05712 100644 --- a/core/annotation/src/test/java/datawave/annotation/util/v1/SegmentUtilsJsonTest.java +++ b/core/annotation/src/test/java/datawave/annotation/util/v1/SegmentUtilsJsonTest.java @@ -124,7 +124,7 @@ public void testFromMalformedJsonOne() { "Expected an exception from malformed json"); //@formatter:on System.out.println(e.getMessage()); - assertTrue(e.getMessage().contains("Expect an array")); + assertTrue(e.getMessage().contains("Expected an array")); } diff --git a/pom.xml b/pom.xml index 3a5e6425b0f..1c229431ee0 100644 --- a/pom.xml +++ b/pom.xml @@ -59,7 +59,7 @@ 3.1.0 1.9.4 1.4 - 1.12 + 1.17.1 3.2.2 4.3 1.10 @@ -100,7 +100,7 @@ 4.4.8 4.0.4 9.4.21.Final - 2.13.5 + 2.17.2 1.9.13 2.3.3 3.24.0-GA @@ -128,18 +128,18 @@ 1.2 2.23.0 9.3.0 - 4.1.42.Final + 4.1.115.Final 2.1 5.0.3.Final 2.0.9 2.61.0 - 3.16.3 - 3.16.3 + 3.25.5 + 3.25.5 1.6.2 12.4 2.0.17 3.1.5 - 5.2.2.RELEASE + 5.3.39 ${version.spring} 2.9.6 0.17.0 diff --git a/web-services/common/src/main/java/datawave/configuration/spring/ThreadSafeClassPathXmlApplicationContext.java b/web-services/common/src/main/java/datawave/configuration/spring/ThreadSafeClassPathXmlApplicationContext.java index ac9291d0844..bdc4e474bce 100644 --- a/web-services/common/src/main/java/datawave/configuration/spring/ThreadSafeClassPathXmlApplicationContext.java 
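Review bot: The assertion in `testFromMalformedJsonOne` depends on the exact wording of an exception message, `e.getMessage().contains("Expected an array")`, and this commit edits it only because that wording changed. The change appears to come from one of the dependency upgrades in pom.xml, though the page does not show which library produces the message. Checking the exception type, which the enclosing call that binds `e` already captures, would keep this malformed-input test from failing at the next upgrade while still proving the input is rejected. The `System.out.println(e.getMessage());` line kept as context only adds noise to test output and could be removed. The test method starts and ends outside the hunk.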
+++ b/web-services/common/src/main/java/datawave/configuration/spring/ThreadSafeClassPathXmlApplicationContext.java @@ -24,6 +24,7 @@ import org.springframework.core.env.ConfigurableEnvironment; import org.springframework.core.io.ProtocolResolver; import org.springframework.core.io.Resource; +import org.springframework.core.metrics.ApplicationStartup; /** * A delegating wrapper around {@link ConfigurableApplicationContext}. This implements all methods of {@link ConfigurableApplicationContext}, delegating each @@ -76,6 +77,16 @@ public ConfigurableEnvironment getEnvironment() { return lockAndRead(configurableApplicationContext::getEnvironment); } + @Override + public void setApplicationStartup(ApplicationStartup applicationStartup) { + lockAndWrite(() -> configurableApplicationContext.setApplicationStartup(applicationStartup)); + } + + @Override + public ApplicationStartup getApplicationStartup() { + return lockAndRead(configurableApplicationContext::getApplicationStartup); + } + @Override public void setEnvironment(ConfigurableEnvironment environment) { lockAndWrite(() -> configurableApplicationContext.setEnvironment(environment)); @@ -116,6 +127,11 @@ public void addApplicationListener(ApplicationListener listener) { lockAndWrite(() -> configurableApplicationContext.addApplicationListener(listener)); } + @Override + public void setClassLoader(ClassLoader classLoader) { + lockAndWrite(() -> configurableApplicationContext.setClassLoader(classLoader)); + } + @Override public void addProtocolResolver(ProtocolResolver protocolResolver) { lockAndWrite(() -> configurableApplicationContext.addProtocolResolver(protocolResolver)); 
@@ -231,6 +247,16 @@ public String[] getBeanDefinitionNames() { return lockAndRead(configurableApplicationContext::getBeanDefinitionNames); } + @Override + public ObjectProvider getBeanProvider(Class requiredType, boolean allowEagerInit) { + return lockAndRead(() -> configurableApplicationContext.getBeanProvider(requiredType, allowEagerInit)); + } + + @Override + public ObjectProvider getBeanProvider(ResolvableType requiredType, boolean allowEagerInit) { + return lockAndRead(() -> configurableApplicationContext.getBeanProvider(requiredType, allowEagerInit)); + } + @Override public String[] getBeanNamesForType(ResolvableType resolvableType) { return lockAndRead(() -> configurableApplicationContext.getBeanNamesForType(resolvableType)); @@ -276,6 +302,12 @@ public A findAnnotationOnBean(String beanName, Class a return lockAndRead(() -> configurableApplicationContext.findAnnotationOnBean(beanName, annotationType)); } + @Override + public A findAnnotationOnBean(String beanName, Class annotationType, boolean allowFactoryBeanInit) + throws NoSuchBeanDefinitionException { + return lockAndRead(() -> configurableApplicationContext.findAnnotationOnBean(beanName, annotationType, allowFactoryBeanInit)); + } + @Override public BeanFactory getParentBeanFactory() { return lockAndRead(configurableApplicationContext::getParentBeanFactory); diff --git a/web-services/pom.xml b/web-services/pom.xml index d6427d089ff..9da61de54ce 100644 --- a/web-services/pom.xml +++ b/web-services/pom.xml @@ -49,7 +49,7 @@ 1.0.1 1.1 1.0.0 - 3.16.3 + 3.25.5 From c1beb79270b19c5786b5d9f0124f59c8a83ff0d3 Mon Sep 17 00:00:00 2001 From: Bill Oley Date: Tue, 10 Feb 2026 16:29:20 -0500 Subject: [PATCH 2/2] Version spring-security-core separately from spring --- core/utils/common-utils/pom.xml | 1 - docs/pom.xml | 2 +- pom.xml | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/utils/common-utils/pom.xml b/core/utils/common-utils/pom.xml index 5026d41cf94..d296e996f00 100644 
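Review bot: In the two new `getBeanProvider(..., allowEagerInit)` overloads the lock covers only the creation of the `ObjectProvider`, not its later use. The provider resolves beans lazily, so a later `getObject()` or `getIfAvailable()` on the returned handle reaches the delegate context with no lock held. If the wrapper is meant to serialise bean access against refresh and close, callers can bypass that guarantee through these methods; this is inferred from the names `lockAndRead` and `lockAndWrite`, whose bodies are outside this hunk. Either return a small `ObjectProvider` wrapper that routes each resolution through `lockAndRead`, or state the limit on both overloads with a comment such as `// only the lookup is locked; the returned ObjectProvider resolves beans outside the lock`. The class body continues outside the hunk, so any existing single-argument `getBeanProvider` overloads may need the same treatment.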
--- a/core/utils/common-utils/pom.xml +++ b/core/utils/common-utils/pom.xml @@ -10,7 +10,6 @@ ${project.artifactId} ${project.basedir}/src/main/spotbugs/excludes.xml - 5.7.2 diff --git a/docs/pom.xml b/docs/pom.xml index fbbc1afc37a..45d9262002f 100644 --- a/docs/pom.xml +++ b/docs/pom.xml @@ -162,7 +162,7 @@ org.springframework.security spring-security-core - ${version.springframework} + ${version.spring-security-core} org.wildfly diff --git a/pom.xml b/pom.xml index 1c229431ee0..d81e979c712 100644 --- a/pom.xml +++ b/pom.xml @@ -140,6 +140,7 @@ 2.0.17 3.1.5 5.3.39 + 5.8.16 ${version.spring} 2.9.6 0.17.0