Dependencies out of support

Spring 5

Spring framework 5 open source support ends 2024-08-31: https://spring.io/projects/spring-framework#support

Example vulnerability without open source fix: https://spring.io/security/cve-2024-38816

GitHub pom.xml search for Spring 5.3: https://github.com/search?q=org%3Afolio-org+spring+%22%3E5.3%22+language%3A%22Maven+POM%22+NOT+is%3Aarchived&type=code

https://folio-org.atlassian.net/browse/SECURITY-180

RMB RAML Module Builder

https://github.com/folio-org/raml-module-builder

RMB has been deprecated, this is mentioned in onOfficially Supported Technologies.

FOLIO’s core-platform team continuously updates all RMB dependencies, including Vert.x and Netty; the only exception is domain-models-maven-plugin.

domain-models-maven-plugin

https://github.com/folio-org/raml-module-builder/blob/master/domain-models-maven-plugin/pom.xml

This plugin runs at compile time only and runs on static data from source code repository only. It generates API documentation and Java code skeleton for APIs. This makes it very unlikely to cause any threat.

org.raml.jaxrs:jaxrs-code-generator has been unsupported since 2019: https://github.com/mulesoft-labs/raml-for-jax-rs/tree/master/raml-to-jaxrs/jaxrs-code-generator

jaxrs-code-generator requires com.google.guava:guava with outdated version 19.0 that has vulnerabilities that don’t affect the code generation.