Update dependencies / solving CVEs

[madduci]

Hello

with this PR i try to address some CVEs that involve especially the jpaserver-starter, which in turn depends on the hapi-fhir bom as parent.

I've mostly updated to the very latest patch version available (e.g. SpringBoot), in some cases i've bumped the minor version (e.g. Jackson, OTel).

OpenTelemetry comes with a small breaking change, the opentelemetry-instrumentation-annotations dependency has a different version number, documentation here: https://opentelemetry.io/docs/zero-code/java/agent/annotations/

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.44%. Comparing base (497b9f2) to head (dfd73e5).
Report is 73 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #5970      +/-   ##
============================================
+ Coverage     83.39%   83.44%   +0.05%     
- Complexity    26927    27106     +179     
============================================
  Files          1681     1692      +11     
  Lines        103965   104633     +668     
  Branches      13189    13254      +65     
============================================
+ Hits          86702    87315     +613     
- Misses        11613    11649      +36     
- Partials       5650     5669      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[madduci]

@jkiddo could please you review it? I've added some updates so the JPA Server can itself profit from these changes, since some CVEs are becoming relevant, especially the Spring Security one

[jkiddo]

@madduci from starter perspective it seems fine. This is however the core repo so the review needs to be carried out by Smile people.

[madduci]

perfect, many thanks, i'll wait for a review here!

[jamesagnew]

Thanks for the contribution!

[madduci]

you are welcome!

Interestingly, the validation of formatting in GitHub Actions has failed with

Please run `mvn spotless:apply` or `mvn clean install -DskipTests` to fix the formatting issues. 

, but on my local machine the mvn spotless:apply doesn't produce any change in the repository

[jamesagnew]

That spotless issue is a false negative, there is a permission issue stopping it from working on external contributions. Will merge now, thanks again!

[jasorello]

Hi! I see this ended up bumping the spring version to 6.1.8. It looks like there's a nested version variable in hapi-fhir-storage-cr at <spring-security-core.version>. Based on the other upgrades, should this version specification been bumped at the same time?

[madduci]

Hi Yes, you are right. I've totally missed it, but I've bumped it in the hapi-fhir-jpaserver-starter, where it's being actively used

[jasorello]

Hm, can you clarify how you were able to bump it in the starter pom.xml without updating the nested dependencies? I guess this is a general maven question but I wasn't aware of the capability.

[madduci]

you can define a <dependencyManagement> block in the pom.xml and overwrite the dependency you need