Various pom.xml bumps

dependency-check-suppressions.xml

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <suppress>
+        <notes><![CDATA[
+            CPE collision. CVE-2026-33504 is a SQL injection in the Ory Hydra server
+            (the Go service, fixed in Hydra v26.2.0). The Java client SDK
+            sh.ory.hydra:hydra-client is a generated HTTP client with no SQL code,
+            so it cannot be affected.
+
+            Tracking the dep itself for eventual removal — integrate_with_hydra
+            defaults to false and TESOBE does not deploy with Hydra enabled.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/sh\.ory\.hydra/hydra-client@.*$</packageUrl>
+        <cve>CVE-2026-33504</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+            CPE collision. CVE-2023-37475 is a DoS in Hamba Avro
+            (github.com/hamba/avro/v2, a Go library, fixed in 2.13.0).
+            dep-check matches our Apache Avro Java 1.8.2 and avro4s 1.8.2
+            on the shared cpe:2.3:a:avro_project:avro CPE, but the Java
+            library has none of the affected Unmarshal() code path — that
+            function name exists only in the Go API.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*@1\.8\.2$</packageUrl>
+        <cve>CVE-2023-37475</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+            Same CPE collision as the org.apache.avro suppression above —
+            avro4s artifacts (avro4s-core, avro4s-macros, etc.) all get
+            flagged on the same cpe:2.3:a:avro_project:avro CPE.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.sksamuel\.avro4s/.*@1\.8\.2$</packageUrl>
+        <cve>CVE-2023-37475</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+            False positive — over-broad CPE match. NVD CVE-2024-35255 affects
+            Microsoft Authentication Library for Java < 1.15.1; we are on
+            1.24.1. dep-check matches `cpe:2.3:a:microsoft:authentication_library`
+            across all platforms (Java, .NET, Node, Python, Go, C++) which
+            each have their own fix version, and the generic CPE does not
+            honor the language qualifier. NVD's per-platform CPE properly
+            scopes the Java fix at 1.15.1.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+            dep-check is scanning the embedded pom inside avro-1.8.2.jar and
+            reporting the guava@11.0.2 declared there. The actual runtime
+            guava on the classpath is 32.0.0-jre (managed by parent pom
+            dependencyManagement), and all three CVEs are fixed well before:
+              - CVE-2018-10237 fixed in guava 25.0
+              - CVE-2020-8908 fixed in guava 32.0.0
+              - CVE-2023-2976 fixed in guava 32.0.0
+            Maven mediation already resolves the real classpath correctly.
+            The filePath scope ensures this only suppresses the embedded-pom
+            false positive, not a real direct guava 11.0.2 dep if one ever
+            shows up.
+        ]]></notes>
+        <filePath regex="true">.*avro-1\.8\.2\.jar.META-INF.maven.com\.google\.guava.guava.pom\.xml$</filePath>
+        <cve>CVE-2018-10237</cve>
+        <cve>CVE-2020-8908</cve>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
+
+</suppressions>

obp-api/pom.xml

@@ -99,11 +99,13 @@
       <scope>runtime</scope>
     </dependency>
     <!-- https://mvnrepository.com/artifact/com.mysql/mysql-connector-j -->
-    <!-- Updated from mysql:mysql-connector-java (deprecated) to com.mysql:mysql-connector-j -->
+    <!-- Updated from mysql:mysql-connector-java (deprecated) to com.mysql:mysql-connector-j.
+         9.x requires MySQL server 8.0+ (no 5.x support); only used for the standard
+         JDBC interface so the major bump is API-safe. -->
     <dependency>
       <groupId>com.mysql</groupId>
       <artifactId>mysql-connector-j</artifactId>
-      <version>8.1.0</version>
+      <version>9.7.0</version>
     </dependency>
     <!-- Pin protobuf-java to override the 3.21.9 pulled in transitively by mysql-connector-j.
          Fixes CVE-2024-7254 and CVE-2026-0994. -->
@@ -126,12 +128,14 @@
       <artifactId>commons-beanutils</artifactId>
       <version>1.10.1</version>
     </dependency>
-    <!-- Pin msal4j to override the 1.13.0 pulled in transitively by mssql-jdbc.
-         Fixes CVE-2024-35255. -->
+    <!-- Pin msal4j to override the older version pulled in transitively by
+         mssql-jdbc → azure-identity. Fixes CVE-2024-35255 (elevation of
+         privilege, fixed upstream in 1.15.1). Not used directly in source —
+         only the transitive Azure auth path matters. -->
     <dependency>
       <groupId>com.microsoft.azure</groupId>
       <artifactId>msal4j</artifactId>
-      <version>1.16.2</version>
+      <version>1.24.1</version>
     </dependency>
     <!-- Pin log4j-api / log4j-core to override the 2.19.0 pulled in transitively
          by elasticsearch:8.14.0. Fixes CVE-2025-68161, CVE-2026-34477, CVE-2026-34479,
@@ -183,21 +187,24 @@
     <dependency>
       <groupId>org.elasticsearch</groupId>
       <artifactId>elasticsearch</artifactId>
-      <version>8.14.0</version>
+      <version>8.19.15</version>
     </dependency>
-    <!-- https://mvnrepository.com/artifact/com.sksamuel.elastic4s/elastic4s-client-esjava -->
+    <!-- elastic4s moved to community fork (nl.gn0s1s) by Philippus after the
+         original com.sksamuel line stopped publishing past 8.11.5. Package
+         names stayed `com.sksamuel.elastic4s.*` so source imports are
+         unchanged. -->
     <dependency>
-      <groupId>com.sksamuel.elastic4s</groupId>
+      <groupId>nl.gn0s1s</groupId>
       <artifactId>elastic4s-client-esjava_${scala.version}</artifactId>
-      <version>8.5.2</version>
+      <version>8.19.1</version>
     </dependency>
-    <!-- Pin elasticsearch-rest-client to match the elasticsearch core version (8.14.0).
-         elastic4s 8.5.2 brings 8.5.3 transitively, which carries 17 CVEs.
-         The rest-client is a thin Apache-HTTP wrapper; elastic4s uses it as a black box. -->
+    <!-- Pin elasticsearch-rest-client to the version elastic4s 8.19.1 expects.
+         The rest-client is a thin Apache-HTTP wrapper; elastic4s uses it as a
+         black box. -->
     <dependency>
       <groupId>org.elasticsearch.client</groupId>
       <artifactId>elasticsearch-rest-client</artifactId>
-      <version>8.14.0</version>
+      <version>8.19.12</version>
     </dependency>
     <!-- for LiftConsole -->
     <dependency>
@@ -384,27 +391,27 @@
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-netty-shaded</artifactId>
-      <version>1.48.1</version>
+      <version>1.68.3</version>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-protobuf</artifactId>
-      <version>1.48.1</version>
+      <version>1.68.3</version>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-stub</artifactId>
-      <version>1.48.1</version>
+      <version>1.68.3</version>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-services</artifactId>
-      <version>1.48.1</version>
+      <version>1.68.3</version>
     </dependency>
     <dependency>
       <groupId>org.asynchttpclient</groupId>
       <artifactId>async-http-client</artifactId>
-      <version>2.10.4</version>
+      <version>2.15.0</version>
         <exclusions>
             <exclusion>
                 <artifactId>javax.activation</artifactId>
@@ -446,7 +453,7 @@
     <dependency>
       <groupId>com.microsoft.sqlserver</groupId>
       <artifactId>mssql-jdbc</artifactId>
-      <version>12.6.4.jre${java.version}</version>
+      <version>13.4.0.jre${java.version}</version>
     </dependency>
     <!-- scalikejdbc for call stored procedure end-->
 
@@ -500,7 +507,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.12.7.1</version>
+      <!-- version managed by jackson-bom in parent pom -->
     </dependency>
       <!-- https://mvnrepository.com/artifact/tools.jackson.dataformat/jackson-dataformat-yaml -->
     <dependency>

obp-api/src/main/resources/props/sample.props.template

@@ -215,6 +215,8 @@ jwt.use.ssl=false
 write_metrics=false
 ## Enable writing connector metrics (which methods are called)to RDBMS
 write_connector_metrics=false
+## Enable writing connector traces (full outbound/inbound message payloads per call) to RDBMS table `connector_trace`. Verbose — keep off in prod unless debugging.
+write_connector_trace=false
 
 ## ElasticSearch
 #allow_elasticsearch=true

obp-api/src/main/scala/bootstrap/liftweb/Boot.scala

@@ -89,6 +89,7 @@ import code.group.Group
 import code.organisation.Organisation
 import code.routingscheme.{RoutingScheme, BankSupportedRoutingScheme}
 import code.payeelookup.PayeeLookup
+import code.bulkpayment.{BulkPayment, BulkBatchReference}
 import code.kycchecks.MappedKycCheck
 import code.kycdocuments.MappedKycDocument
 import code.kycmedias.MappedKycMedia
@@ -1221,6 +1222,8 @@ object ToSchemify {
     RoutingScheme,
     BankSupportedRoutingScheme,
     PayeeLookup,
+    BulkPayment,
+    BulkBatchReference,
     AccountAccessRequest,
     code.chat.ChatRoom,
     code.chat.Participant,

obp-api/src/main/scala/code/api/util/ErrorMessages.scala

@@ -497,6 +497,17 @@ object ErrorMessages {
   val MobileWalletInvalidMsisdn = "OBP-30534: Invalid msisdn — does not match the address_pattern of the country-qualified MSISDN routing scheme."
   val MobileWalletPaymentError = "OBP-30535: Could not create MOBILE_WALLET transaction request."
 
+  // BULK transaction-request (OBP-30536 .. OBP-30544)
+  val BulkBatchReferenceAlreadyUsed = "OBP-30536: batch_reference has already been used for this source account. Use a unique batch_reference per submission."
+  val BulkPaymentsArrayEmpty = "OBP-30537: payments array must contain at least one item."
+  val BulkPaymentsArrayTooLarge = "OBP-30538: payments array exceeds the configured maximum. See `bulk_payments.max_items_per_batch`."
+  val BulkDuplicateEndToEndId = "OBP-30539: Duplicate end_to_end_id within the batch. Each item's end_to_end_id must be unique within a single batch submission."
+  val BulkPaymentCurrencyMismatch = "OBP-30540: One or more payments use a currency that does not match the source account's currency. Cross-currency bulk payments are not supported in v7.0.0."
+  val BulkPaymentRoutingSchemeNotRegistered = "OBP-30541: A payment references a routing_scheme that is not in the Routing-Scheme registry."
+  val BulkPaymentRoutingSchemeWrongCategory = "OBP-30542: A payment's routing_scheme is not an ACCOUNT-category scheme — only ACCOUNT schemes are valid for BULK destinations."
+  val BulkPaymentAddressMismatch = "OBP-30543: A payment's address does not match the address_pattern of its routing_scheme."
+  val BulkPaymentTransactionRequestError = "OBP-30544: Could not create BULK transaction request."
+
   val FeaturedApiCollectionNotFound = "OBP-30400: FeaturedApiCollection not found. Please specify a valid value for API_COLLECTION_ID."
   val CreateFeaturedApiCollectionError = "OBP-30401: Could not create FeaturedApiCollection."
   val UpdateFeaturedApiCollectionError = "OBP-30402: Could not update FeaturedApiCollection."

obp-api/src/main/scala/code/api/util/http4s/ErrorResponseConverter.scala

@@ -11,6 +11,7 @@ import net.liftweb.json.JsonDSL._
 import org.http4s._
 import org.http4s.headers.`Content-Type`
 import org.typelevel.ci.CIString
+import org.slf4j.LoggerFactory
 
 /**
  * Converts OBP errors to http4s Response[IO].
@@ -28,7 +29,8 @@ import org.typelevel.ci.CIString
 object ErrorResponseConverter {
   import net.liftweb.json.Formats
   import code.api.util.CustomJsonFormats
-
+
+  private val logger = LoggerFactory.getLogger(getClass)
   implicit val formats: Formats = CustomJsonFormats.formats
   private val jsonContentType: `Content-Type` = `Content-Type`(MediaType.application.json)
 
@@ -112,6 +114,7 @@ object ErrorResponseConverter {
    * Returns 500 Internal Server Error.
    */
   def unknownErrorToResponse(e: Throwable, callContext: CallContext): IO[Response[IO]] = {
+    logger.error(s"unknownErrorToResponse says: 500 returned (correlationId=${callContext.correlationId})", e)
     val errorJson = OBPErrorResponse(500, s"$UnknownError: ${e.getMessage}")
     IO.pure(
       Response[IO](org.http4s.Status.InternalServerError)