Updated depedencies to align with Spring Boot 3.4.2

Author: SimonTaylor

README.md

@@ -121,7 +121,7 @@ $ docker compose -f docker-compose.yml -f docker-compose.service.yml up -d
 The cURL commands above can again be used to test the API.
 
 Grafana
-=======
+-------
 
 Spring Boot 3.4.0 extended the Docker Compose support to support 
 [Grafana LGTM](https://grafana.com/blog/2024/03/13/an-opentelemetry-backend-in-a-docker-image-introducing-grafana/otel-lgtm/).

config/owasp/suppress.xml

@@ -3,23 +3,9 @@
     <!-- Suppressing all reported CVEs as project is for demo purposes only -->
     <suppress>
         <notes><![CDATA[
-   file name: jackson-databind-2.15.3.jar
+   file name: protobuf-java-3.23.4.jar
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: logback-core-1.5.12.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2024-12798</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: logback-core-1.5.12.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2024-12801</vulnerabilityName>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-7254</vulnerabilityName>
     </suppress>
 </suppressions>

pom.xml

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.4.1</version>
+		<version>3.4.2</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 
@@ -32,37 +32,39 @@
 		<!-- Dependency versions -->
 		<commons-collections.version>4.4</commons-collections.version>
 		<findbugs-jsr305.version>3.0.2</findbugs-jsr305.version>
-		<opentelemtry-instrumentation.version>2.10.0</opentelemtry-instrumentation.version>
-		<spt-development-audit-spring-boot.version>3.4.1</spt-development-audit-spring-boot.version>
-		<spt-development-cid-jms-spring-boot.version>3.4.1</spt-development-cid-jms-spring-boot.version>
-		<spt-development-cid-web-spring-boot.version>3.4.1</spt-development-cid-web-spring-boot.version>
-		<spt-development-logging-spring-boot.version>3.4.1</spt-development-logging-spring-boot.version>
+		<!-- Remove dependencyManagement entry for opentelemtry-semconv when upgrading opentelemtry-instrumentation -->
+		<opentelemtry-instrumentation.version>2.12.0</opentelemtry-instrumentation.version>
+		<opentelemtry-semconv.version>1.29.0-alpha</opentelemtry-semconv.version>
+		<spt-development-audit-spring-boot.version>3.4.2</spt-development-audit-spring-boot.version>
+		<spt-development-cid-jms-spring-boot.version>3.4.2</spt-development-cid-jms-spring-boot.version>
+		<spt-development-cid-web-spring-boot.version>3.4.2</spt-development-cid-web-spring-boot.version>
+		<spt-development-logging-spring-boot.version>3.4.2</spt-development-logging-spring-boot.version>
 
 		<!-- Test dependency versions -->
 		<archunit.version>1.3.0</archunit.version>
 		<awaitility.version>4.2.2</awaitility.version>
 		<cucumber.version>7.20.1</cucumber.version>
 		<junit-platform.version>1.11.4</junit-platform.version>
-		<spt-development-test.version>3.1.14</spt-development-test.version>
+		<spt-development-test.version>3.1.15</spt-development-test.version>
 		<testcontainers.version>1.20.4</testcontainers.version>
 
 		<!-- Plugin versions -->
 		<checkstyle-maven-plugin.version>3.6.0</checkstyle-maven-plugin.version>
-		<dependency-check-maven.version>11.1.1</dependency-check-maven.version>
+		<dependency-check-maven.version>12.0.1</dependency-check-maven.version>
 		<jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
 		<license-maven-plugin.version>2.5.0</license-maven-plugin.version>
 		<maven-jxr-plugin.version>3.6.0</maven-jxr-plugin.version>
 		<maven-pmd-plugin.version>3.26.0</maven-pmd-plugin.version>
 		<maven-scm-plugin.version>2.1.0</maven-scm-plugin.version>
-		<pitest-maven.version>1.17.3</pitest-maven.version>
+		<pitest-maven.version>1.17.4</pitest-maven.version>
 		<spotbugs-plugin.version>4.8.6.6</spotbugs-plugin.version>
 
 		<!-- Plugin dependencies -->
-		<checkstyle.version>10.21.0</checkstyle.version>
+		<checkstyle.version>10.21.2</checkstyle.version>
 		<findbugs-slf4j-bug-pattern.version>1.5.0</findbugs-slf4j-bug-pattern.version>
 		<findbugs-sec-bug-pattern.version>1.13.0</findbugs-sec-bug-pattern.version>
 		<pitest-junit5-plugin.version>1.2.1</pitest-junit5-plugin.version>
-		<pmd.version>7.8.0</pmd.version>
+		<pmd.version>7.9.0</pmd.version>
 	</properties>
 
 	<dependencyManagement>
@@ -94,7 +96,11 @@
 			</dependency>
 
 			<!-- Dependencies added to avoid dependency convergence errors -->
-			<!-- None -->
+			<dependency>
+				<groupId>io.opentelemetry.semconv</groupId>
+				<artifactId>opentelemetry-semconv</artifactId>
+				<version>${opentelemtry-semconv.version}</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>