Dependencies out of support
Spring 5
Spring framework 5 open source support ends 2024-08-31: https://spring.io/projects/spring-framework#support
Example vulnerability without open source fix: https://spring.io/security/cve-2024-38816
GitHub pom.xml search for Spring 5.3: https://github.com/search?q=org%3Afolio-org+spring+%22%3E5.3%22+language%3A%22Maven+POM%22+NOT+is%3Aarchived&type=code
https://folio-org.atlassian.net/browse/SECURITY-180
RMB RAML Module Builder
https://github.com/folio-org/raml-module-builder
RMB has been deprecated, this is mentioned in onOfficially Supported Technologies.
FOLIO’s core-platform team continuously updates all RMB dependencies, including Vert.x and Netty; the only exception is domain-models-maven-plugin.
domain-models-maven-plugin
https://github.com/folio-org/raml-module-builder/blob/master/domain-models-maven-plugin/pom.xml
This plugin runs at compile time only and runs on static data from source code repository only. It generates API documentation and Java code skeleton for APIs. This makes it very unlikely to cause any threat.
org.raml.jaxrs:jaxrs-code-generator has been unsupported since 2019: https://github.com/mulesoft-labs/raml-for-jax-rs/tree/master/raml-to-jaxrs/jaxrs-code-generator
jaxrs-code-generator requires com.google.guava:guava with outdated version 19.0 that has vulnerabilities that don’t affect the code generation.