fix: resolve CVEs

Author: meotchwilliams

.vogue.yml

@@ -3,7 +3,7 @@ defaultRules: {}
 packageRules:
 - package: "com.github.mxenabled.coppuccino:com.github.mxenabled.coppuccino.gradle.plugin"
   rules: {}
-  suppressUntil: "2026-02-09"
+  suppressUntil: "2026-02-15"
 - package: "com.github.mxenabled.vogue:com.github.mxenabled.vogue.gradle.plugin"
   rules: {}
-  suppressUntil: "2026-02-09"
+  suppressUntil: "2026-02-15"

build.gradle

@@ -34,13 +34,39 @@ allprojects {
     mavenLocal()
   }
 
-  configurations.all {
+  configurations.configureEach {
+    resolutionStrategy.eachDependency { details ->
+      //Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078] in org.apache.commons:commons-lang3@3.17.0
+      //    introduced by net.sourceforge.pmd:pmd-java@7.16.0 > org.apache.commons:commons-lang3@3.17.0 and 7 other path(s)
+      //  This issue was fixed in versions: 3.18.0
+      if (details.requested.group == "org.apache.commons" && details.requested.name == "commons-lang3") {
+        details.useVersion "3.18.0"
+      }
+      //Improper Validation of Certificate with Host Mismatch [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782] in org.apache.logging.log4j:log4j-core@2.24.3
+      //    introduced by com.github.spotbugs:spotbugs@4.9.8 > org.apache.logging.log4j:log4j-core@2.24.3
+      //  This issue was fixed in versions: 2.25.3
+      else if (details.requested.group == "org.apache.logging.log4j" && details.requested.name == "log4j-core") {
+        details.useVersion "2.25.3"
+      }
+      //XML External Entity (XXE) Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413] in org.assertj:assertj-core@3.27.6
+      //    introduced by com.mx.path-core:testing@5.1.0 > org.assertj:assertj-core@3.27.6 and 1 other path(s)
+      //  This issue was fixed in versions: 3.27.7
+      else if (details.requested.group == "org.assertj" && details.requested.name == "assertj-core") {
+        details.useVersion "3.27.7"
+      }
+      //Information Exposure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518] in commons-codec:commons-codec@1.11
+      //    introduced by io.honeybadger:honeybadger-java@2.1.2 > org.apache.httpcomponents:fluent-hc@4.5.14 > org.apache.httpcomponents:httpclient@4.5.14 > commons-codec:commons-codec@1.11
+      //  This issue was fixed in versions: 1.14
+      else if (details.requested.group == "commons-codec" && details.requested.name == "commons-codec") {
+        details.useVersion "1.14"
+      }
+    }
     resolutionStrategy.cacheChangingModulesFor 0, 'seconds'
   }
 
   ext {
-    pathSDKVersion = "[5.0,6.0)"
-    springVersion = "3.5.8"
+    pathSDKVersion = "[6.0,7.0)"
+    springVersion = "[3.5,4.0)"
   }
 }
 

mdx-gateway-generator/gradle.lockfile

@@ -25,22 +25,21 @@ com.google.guava:guava:32.0.1-jre=runtimeClasspath,testRuntimeClasspath
 com.google.guava:guava:32.1.3-jre=compileClasspath,testCompileClasspath
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:2.8=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:common:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:context:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:gateway-generator:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:gateway:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:messaging:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:platform:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:utilities:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:common:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:context:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:gateway-generator:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:gateway:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:messaging:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:platform:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:utilities:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.squareup:javapoet:1.13.0=runtimeClasspath,testRuntimeClasspath
 com.sun.istack:istack-commons-runtime:4.1.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-core:4.0.6=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-impl:4.0.6=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-beanutils:commons-beanutils:1.11.0=runtimeClasspath,testRuntimeClasspath
-commons-codec:commons-codec:1.11=runtimeClasspath,testRuntimeClasspath
+commons-codec:commons-codec:1.14=runtimeClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=runtimeClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-commons-lang:commons-lang:2.6=runtimeClasspath,testRuntimeClasspath
 commons-logging:commons-logging:1.3.5=runtimeClasspath,testRuntimeClasspath
 io.github.cdimascio:dotenv-java:2.3.2=runtimeClasspath,testRuntimeClasspath
 io.leangen.geantyref:geantyref:1.3.16=testRuntimeClasspath
@@ -55,14 +54,13 @@ net.bytebuddy:byte-buddy-agent:1.14.1=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.14.1=testCompileClasspath,testRuntimeClasspath
 net.sf.saxon:Saxon-HE:12.9=spotbugs
 org.apache.bcel:bcel:6.11.0=spotbugs
-org.apache.commons:commons-lang3:3.19.0=spotbugs
-org.apache.commons:commons-lang3:3.20.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.14.0=spotbugs
 org.apache.commons:commons-text:1.15.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.13=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.13=runtimeClasspath,testRuntimeClasspath
-org.apache.logging.log4j:log4j-api:2.25.2=spotbugs
-org.apache.logging.log4j:log4j-core:2.25.2=spotbugs
+org.apache.logging.log4j:log4j-api:2.25.3=spotbugs
+org.apache.logging.log4j:log4j-core:2.25.3=spotbugs
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
 org.checkerframework:checker-qual:3.33.0=runtimeClasspath,testRuntimeClasspath
 org.checkerframework:checker-qual:3.37.0=compileClasspath,testCompileClasspath

mdx-gateways/gradle.lockfile

@@ -32,24 +32,22 @@ com.google.guava:guava:33.4.8-jre=checkstyle
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=annotationProcessor,checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:2.8=annotationProcessor,compileClasspath,testCompileClasspath
 com.google.j2objc:j2objc-annotations:3.0.0=checkstyle
-com.mx.path-core:common:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:context:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:gateway-generator:5.1.0=annotationProcessor
-com.mx.path-core:gateway:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:messaging:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:platform:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:utilities:5.1.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:common:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:context:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:gateway-generator:6.0.0=annotationProcessor
+com.mx.path-core:gateway:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:messaging:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:platform:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:utilities:6.0.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:10.25.0=checkstyle
 com.squareup:javapoet:1.13.0=annotationProcessor
 com.sun.istack:istack-commons-runtime:4.1.2=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-core:4.0.6=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-impl:4.0.6=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-beanutils:commons-beanutils:1.11.0=annotationProcessor,checkstyle,runtimeClasspath,testRuntimeClasspath
-commons-codec:commons-codec:1.11=annotationProcessor,runtimeClasspath,testRuntimeClasspath
-commons-codec:commons-codec:1.15=checkstyle,pmd
+commons-codec:commons-codec:1.14=annotationProcessor,checkstyle,pmd,runtimeClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=annotationProcessor,checkstyle,runtimeClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-commons-lang:commons-lang:2.6=annotationProcessor,runtimeClasspath,testRuntimeClasspath
 commons-logging:commons-logging:1.3.5=annotationProcessor,runtimeClasspath,testRuntimeClasspath
 info.picocli:picocli:4.7.7=checkstyle
 io.github.cdimascio:dotenv-java:2.3.2=annotationProcessor,runtimeClasspath,testRuntimeClasspath
@@ -72,10 +70,7 @@ net.sourceforge.pmd:pmd-java:7.16.0=pmd
 org.antlr:antlr4-runtime:4.13.2=checkstyle
 org.antlr:antlr4-runtime:4.9.3=pmd
 org.apache.bcel:bcel:6.11.0=spotbugs
-org.apache.commons:commons-lang3:3.18.0=pmd
-org.apache.commons:commons-lang3:3.19.0=spotbugs
-org.apache.commons:commons-lang3:3.20.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-lang3:3.8.1=checkstyle
+org.apache.commons:commons-lang3:3.18.0=annotationProcessor,checkstyle,compileClasspath,pmd,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.14.0=spotbugs
 org.apache.commons:commons-text:1.15.0=annotationProcessor,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.3=checkstyle
@@ -85,8 +80,8 @@ org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle,pmd
 org.apache.httpcomponents:httpclient:4.5.13=annotationProcessor,checkstyle,runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.13=annotationProcessor,runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.14=checkstyle
-org.apache.logging.log4j:log4j-api:2.25.2=spotbugs
-org.apache.logging.log4j:log4j-core:2.25.2=spotbugs
+org.apache.logging.log4j:log4j-api:2.25.3=spotbugs
+org.apache.logging.log4j:log4j-core:2.25.3=spotbugs
 org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
 org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
 org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle

mdx-models/gradle.lockfile

@@ -28,23 +28,21 @@ com.google.guava:guava:33.4.8-jre=checkstyle
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.j2objc:j2objc-annotations:2.8=compileClasspath,testCompileClasspath
 com.google.j2objc:j2objc-annotations:3.0.0=checkstyle
-com.mx.path-core:common:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:context:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:gateway:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:messaging:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:platform:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:testing:5.1.0=testCompileClasspath,testRuntimeClasspath
-com.mx.path-core:utilities:5.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:common:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:context:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:gateway:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:messaging:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:platform:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:testing:6.0.0=testCompileClasspath,testRuntimeClasspath
+com.mx.path-core:utilities:6.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.puppycrawl.tools:checkstyle:10.25.0=checkstyle
 com.sun.istack:istack-commons-runtime:4.1.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-core:4.0.6=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.sun.xml.bind:jaxb-impl:4.0.6=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-beanutils:commons-beanutils:1.11.0=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-commons-codec:commons-codec:1.11=runtimeClasspath,testRuntimeClasspath
-commons-codec:commons-codec:1.15=checkstyle,pmd
+commons-codec:commons-codec:1.14=checkstyle,pmd,runtimeClasspath,testRuntimeClasspath
 commons-collections:commons-collections:3.2.2=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-commons-lang:commons-lang:2.6=runtimeClasspath,testRuntimeClasspath
 commons-logging:commons-logging:1.3.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 info.picocli:picocli:4.7.7=checkstyle
 io.github.cdimascio:dotenv-java:2.3.2=runtimeClasspath,testRuntimeClasspath
@@ -58,7 +56,7 @@ jakarta.xml.soap:jakarta.xml.soap-api:3.0.2=compileClasspath,runtimeClasspath,te
 jaxen:jaxen:2.0.0=spotbugs
 net.bytebuddy:byte-buddy-agent:1.14.1=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.14.1=testCompileClasspath
-net.bytebuddy:byte-buddy:1.17.7=testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.18.3=testRuntimeClasspath
 net.sf.saxon:Saxon-HE:12.5=checkstyle,pmd
 net.sf.saxon:Saxon-HE:12.9=spotbugs
 net.sourceforge.pmd:pmd-ant:7.16.0=pmd
@@ -67,10 +65,7 @@ net.sourceforge.pmd:pmd-java:7.16.0=pmd
 org.antlr:antlr4-runtime:4.13.2=checkstyle
 org.antlr:antlr4-runtime:4.9.3=pmd
 org.apache.bcel:bcel:6.11.0=spotbugs
-org.apache.commons:commons-lang3:3.18.0=pmd
-org.apache.commons:commons-lang3:3.19.0=spotbugs
-org.apache.commons:commons-lang3:3.20.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-lang3:3.8.1=checkstyle
+org.apache.commons:commons-lang3:3.18.0=checkstyle,compileClasspath,pmd,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.14.0=spotbugs
 org.apache.commons:commons-text:1.15.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.3=checkstyle
@@ -80,15 +75,15 @@ org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle,pmd
 org.apache.httpcomponents:httpclient:4.5.13=checkstyle,runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.13=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.14=checkstyle
-org.apache.logging.log4j:log4j-api:2.25.2=spotbugs
-org.apache.logging.log4j:log4j-core:2.25.2=spotbugs
+org.apache.logging.log4j:log4j-api:2.25.3=spotbugs
+org.apache.logging.log4j:log4j-core:2.25.3=spotbugs
 org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
 org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
 org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle
 org.apache.maven.doxia:doxia-sink-api:1.12.0=checkstyle
 org.apache.xbean:xbean-reflect:3.7=checkstyle
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.assertj:assertj-core:3.27.6=testRuntimeClasspath
+org.assertj:assertj-core:3.27.7=testRuntimeClasspath
 org.checkerframework:checker-qual:3.37.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.checkerframework:checker-qual:3.49.3=checkstyle
 org.checkerframework:checker-qual:3.49.5=pmd