From 437c51dda7acfeb35cb7307b7dd069a72ce24136 Mon Sep 17 00:00:00 2001 From: "vaszakharchenko@gmail.com" Date: Tue, 19 May 2026 22:45:32 +0300 Subject: [PATCH 1/2] bump sample-side tomcat + commons-lang3 to clear Snyk CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Snyk's scan of the sample reactor (sample-core, forge-connect, forge-container) surfaced 8 transitive CVEs that the library-side tomcat bump in #9 did not touch — the sample has its own spring-boot-starter-parent and is built independently. - Override 10.1.55 in the sample's parent pom; closes the same CVE batch on sample-core that #9 already resolved for the bridge modules (HTTP/2 header validation, DIGEST authenticator wildcard match, WebDAV LOCK/PROPFIND unbounded read, LockOutRealm case sensitivity, WebSocket header exposure, AJP non-constant time, security-constraint mapping). - Pin org.apache.commons:commons-lang3 to 3.18.0 in the parent's . liquibase-core 4.31.1 (pulled by the Connect JPA starter) drags in 3.17.0, which carries CVE-2025-48924 (Uncontrolled Recursion in ClassUtils.getClass). 3.18.0 is the patch. Verified `mvn dependency:tree` on each sample module resolves tomcat-embed-core:10.1.55 and commons-lang3:3.18.0 (the latter only where liquibase is on the path — forge-container excludes JPA and so has no commons-lang3 transitive at all). Co-Authored-By: Claude Opus 4.7 (1M context) --- .../pom.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/examples/atlassian-connect-forge-spring-boot-sample/pom.xml b/examples/atlassian-connect-forge-spring-boot-sample/pom.xml index 3f78418..c50f185 100644 --- a/examples/atlassian-connect-forge-spring-boot-sample/pom.xml +++ b/examples/atlassian-connect-forge-spring-boot-sample/pom.xml @@ -29,6 +29,10 @@ 21 6.0.2 1.0-SNAPSHOT + + 10.1.55 @@ -36,4 +40,16 @@ v24.15.0 11.12.1 + + + + + + org.apache.commons + commons-lang3 + 3.18.0 + + + 
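Review bot: in the first hunk (@@ -29,6 +29,10 @@) only the value 10.1.55 survives in the rendered diff, the property element wrapping it is not visible, so confirm the name is exactly `tomcat.version`, which is the property spring-boot-starter-parent's dependencyManagement reads for the tomcat-embed-* artifacts; a misspelled property is silently ignored and the CVE batch stays open with no build error. The `mvn dependency:tree` check on tomcat-embed-core:10.1.55 in the message is the right evidence, so consider wiring that assertion into the sample's build (dependency:analyze or an enforcer rule banning older tomcat-embed-core) so a later parent upgrade that drops the override is caught rather than re-discovered by Snyk.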
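Review bot: in the second hunk (@@ -36,4 +40,16 @@) the commons-lang3 pin carries no recorded reason next to the coordinates as shown, while the commit message ties it to liquibase-core 4.31.1 pulling 3.17.0 (CVE-2025-48924); put that rationale in an XML comment beside the `<version>` so the override can be retired once liquibase ships a fixed commons-lang3 instead of becoming a permanent pin nobody dares remove. Note also that because the pin lives in the shared parent it is inherited by forge-container, where the message says no commons-lang3 transitive exists at all; that is harmless today (a dependencyManagement entry is inert where the artifact is absent), but it means the pin, not the liquibase transitive, is what has to be kept current for any module that later gains JPA.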
From 23d168a6f202dae7f2c1ee5d27aef9f10f5e99ce Mon Sep 17 00:00:00 2001 From: "vaszakharchenko@gmail.com" Date: Tue, 19 May 2026 22:47:42 +0300 Subject: [PATCH 2/2] bump commons-lang3 to 3.20.0 in sample dependencyManagement --- examples/atlassian-connect-forge-spring-boot-sample/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/atlassian-connect-forge-spring-boot-sample/pom.xml b/examples/atlassian-connect-forge-spring-boot-sample/pom.xml index c50f185..e73da35 100644 --- a/examples/atlassian-connect-forge-spring-boot-sample/pom.xml +++ b/examples/atlassian-connect-forge-spring-boot-sample/pom.xml @@ -48,7 +48,7 @@ org.apache.commons commons-lang3 - 3.18.0 + 3.20.0
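Review bot: the one-line subject gives no reason for moving from 3.18.0, which PATCH 1 calls "the patch" for CVE-2025-48924, to 3.20.0, and does not say whether the per-module `mvn dependency:tree` verification from PATCH 1 was repeated against the new version; either squash this into PATCH 1 so the pom never carries 3.18.0 in history, or extend the message with what prompted the further bump (a newer advisory, a Snyk recommendation) and the re-verified resolution. A version-only bump with no stated trigger is exactly the kind of change a later reviewer will be tempted to revert.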
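The per-module `mvn dependency:tree` verification described in the PATCH 1 message, turned into a repeatable check, as an added example that is not part of the patch series or the project. It scans saved dependency:tree output, reports the version of a given groupId:artifactId resolved in each module, and fails when any module resolves something other than the pinned version. The two trees below are constructed stand-ins, the `com.example` group id is hypothetical, and the only versions taken from the page are tomcat-embed-core 10.1.55, liquibase-core 4.31.1 and commons-lang3 3.17.0 / 3.20.0.

```shell
#!/bin/sh
# Added example (not from the patch or the project): check that the versions
# pinned in the sample parent pom actually win in every module's resolved
# graph, by scanning saved `mvn dependency:tree` output.
# Real use: run `mvn -q dependency:tree` at the reactor root, capture stdout,
# and pass it as the first argument. The trees below are constructed
# stand-ins; the com.example group id is hypothetical.

# Reactor output before the pins: liquibase still drags in commons-lang3 3.17.0
# in the two JPA-bearing modules; forge-container has no commons-lang3 at all.
TREE_BEFORE='[INFO] --- dependency:tree (default-cli) @ sample-core ---
[INFO] com.example:sample-core:jar:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile
[INFO] \- org.liquibase:liquibase-core:jar:4.31.1:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO] --- dependency:tree (default-cli) @ forge-connect ---
[INFO] com.example:forge-connect:jar:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile
[INFO] \- org.liquibase:liquibase-core:jar:4.31.1:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO] --- dependency:tree (default-cli) @ forge-container ---
[INFO] com.example:forge-container:jar:1.0-SNAPSHOT
[INFO] \- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile'

# Same reactor after the dependencyManagement pin from PATCH 2 (3.20.0).
TREE_AFTER='[INFO] --- dependency:tree (default-cli) @ sample-core ---
[INFO] com.example:sample-core:jar:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile
[INFO] \- org.liquibase:liquibase-core:jar:4.31.1:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.20.0:compile
[INFO] --- dependency:tree (default-cli) @ forge-connect ---
[INFO] com.example:forge-connect:jar:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile
[INFO] \- org.liquibase:liquibase-core:jar:4.31.1:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.20.0:compile
[INFO] --- dependency:tree (default-cli) @ forge-container ---
[INFO] com.example:forge-container:jar:1.0-SNAPSHOT
[INFO] \- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile'

# resolved_versions TREE groupId:artifactId
# Prints "<module> <version>" for every occurrence of the artifact.
# Module names come from the "@ <module> ---" plugin header; coordinates are
# groupId:artifactId:type[:classifier]:version:scope, so the version is the
# second-to-last colon field whether or not a classifier is present.
resolved_versions() {
  printf '%s\n' "$1" | awk -v art="$2" '
    /^\[INFO\] --- .* @ / { mod = $0; sub(/.* @ /, "", mod); sub(/ ---.*/, "", mod); next }
    {
      line = $0
      sub(/^\[INFO\] [-| +\\]*/, "", line)   # strip the tree-drawing prefix
      n = split(line, f, ":")
      if (n >= 5 && (f[1] ":" f[2]) == art) print mod, f[n-1]
    }'
}

# check_pins TREE groupId:artifactId=version ...
# Returns 0 when every module that pulls a pinned artifact resolves the pinned
# version, 1 otherwise. A module with no occurrence produces no line and is
# not a failure: a dependencyManagement pin is inert where the artifact is
# absent from the graph (forge-container and commons-lang3 in the message).
check_pins() {
  tree=$1; shift
  status=0
  for pin in "$@"; do
    art=${pin%=*}; want=${pin#*=}
    while read -r mod got; do
      [ -n "$mod" ] || continue
      if [ "$got" = "$want" ]; then
        printf 'ok   %s: %s %s\n' "$mod" "$art" "$got"
      else
        printf 'FAIL %s: %s resolves to %s, pin is %s\n' "$mod" "$art" "$got" "$want"
        status=1
      fi
    done <<EOF
$(resolved_versions "$tree" "$art")
EOF
  done
  return $status
}

PINS='org.apache.tomcat.embed:tomcat-embed-core=10.1.55 org.apache.commons:commons-lang3=3.20.0'
echo '--- before the pins ---'
check_pins "$TREE_BEFORE" $PINS || echo 'pins not effective in at least one module'
echo '--- after the pins ---'
check_pins "$TREE_AFTER" $PINS && echo 'all pins effective'
```

Feed it the real reactor output and it gives a one-line-per-module answer to the question the commit message answers by hand, and it says nothing about modules where the artifact is absent, which is the correct reading of a dependencyManagement entry: it constrains versions that are already on the graph and adds nothing.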