Skip to content

[MOSIP-44772] vulnerabilities update#213

Open
Md-Humair-KK wants to merge 3 commits into
mosip:developfrom
Infosys:MOSIP-44772
Open

[MOSIP-44772] vulnerabilities update#213
Md-Humair-KK wants to merge 3 commits into
mosip:developfrom
Infosys:MOSIP-44772

Conversation

@Md-Humair-KK

@Md-Humair-KK Md-Humair-KK commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Bug Fixes
    • Updated bundled dependencies to align security-related libraries (including Bouncy Castle) to a pinned version.
    • Aligned Spring Security dependency versions via a managed BOM to improve consistency.
    • Upgraded the kernel key manager component to the stable 1.3.0 release across affected plugins.
    • Updated the Velocity template engine dependency to velocity-engine-core:2.3.
    • Updated the biometrics-util dependency to 1.3.0.

Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 51a2c1ba-578e-482e-b0b2-b169627c3b04

📥 Commits

Reviewing files that changed from the base of the PR and between 7c76504 and 56ee4aa.

📒 Files selected for processing (1)
  • mosip-identity-plugin/pom.xml
💤 Files with no reviewable changes (1)
  • mosip-identity-plugin/pom.xml

Walkthrough

This PR updates Maven dependency management and version pins across three plugin modules, including Bouncy Castle overrides, Spring Security BOM import, service version bumps, and a Velocity artifact replacement.

Changes

Dependency Version Updates

Layer / File(s) Summary
mock-plugin dependency updates
mock-plugin/pom.xml
Adds a dependencyManagement override pinning bcpkix-jdk18on to 1.80 and bumps kernel-keymanager-service.version from 1.3.0-beta.4 to 1.3.0.
mosip-identity-plugin dependency updates
mosip-identity-plugin/pom.xml
Imports spring-security-bom at 6.2.8, pins bcprov-jdk18on, bcutil-jdk18on, and bcpkix-jdk18on to 1.80, and updates kernel-keymanager-service.version and biometrics-util to 1.3.0.
sunbird-rc-plugin dependency updates
sunbird-rc-plugin/pom.xml
Adds a dependencyManagement override pinning bcpkix-jdk18on to 1.80, bumps kernel-keymanager-service.version to 1.3.0, and replaces velocity:1.7 with velocity-engine-core:2.3.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: anushasunkada

Poem

Hop, hop, through poms I go,
Pinning versions row by row,
Bouncy Castle locked down tight,
Maven bits now line up right,
A rabbit nods: all neat, complete — 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main intent of the changeset: updating dependencies to address vulnerabilities.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@mosip-identity-plugin/pom.xml`:
- Around line 71-79: The Spring Boot 3.2.x BOM used by the module is
end-of-life, so this dependency pin only masks the underlying support issue.
Keep the `spring-security-bom` override if needed for the immediate CVE fix, but
add a follow-up plan to upgrade the project’s Spring Boot version (the
`spring.boot.version` property and related BOM usage in `pom.xml`) to a
currently supported release line.
- Around line 69-88: The dependencyManagement block in the pom is only pinning
bcpkix-jdk18on, which can still allow Maven to resolve mismatched Bouncy Castle
versions through transitive ranges. Update the same dependencyManagement section
to also manage bcprov-jdk18on and bcutil-jdk18on, alongside bcpkix-jdk18on, all
at version 1.80 so the Bouncy Castle set stays aligned. Use the existing
dependencyManagement entries as the place to add the sibling artifacts.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ec1936b4-e3bb-4d54-8dc1-4b1cb7feb4c4

📥 Commits

Reviewing files that changed from the base of the PR and between ddf6a56 and 2d0d0ac.

📒 Files selected for processing (3)
  • mock-plugin/pom.xml
  • mosip-identity-plugin/pom.xml
  • sunbird-rc-plugin/pom.xml

Comment thread mosip-identity-plugin/pom.xml
Comment thread mosip-identity-plugin/pom.xml
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
Signed-off-by: Md-Humair-KK <mdhumair.kankudti@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants