From 2ce7c8a2dc8a2a37044e92b1d08b3599b1aa46d3 Mon Sep 17 00:00:00 2001
From: "Vazquez,Brais (IT EDP)"
Date: Wed, 1 Apr 2026 11:25:59 +0200
Subject: [PATCH 1/5] Update Spring Boot and dependency management plugin versions
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index eb7674e3..ae21b38f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -19,8 +19,8 @@ buildscript {
 }
 plugins {
- id 'org.springframework.boot' version '2.5.12'
- id 'io.spring.dependency-management' version '1.0.10.RELEASE'
+ id 'org.springframework.boot' version '2.7.18'
+ id 'io.spring.dependency-management' version '1.1.4'
 id 'java'
 id 'maven-publish'
 id 'jacoco'
From 40215333a434aef6a3c57fd65a8b0e0995e76719 Mon Sep 17 00:00:00 2001
From: "Vazquez,Brais (IT EDP)"
Date: Wed, 1 Apr 2026 14:41:07 +0200
Subject: [PATCH 2/5] Refactor projectKeyExists and buildProjectKey method calls to use isNotNull() without type argument
---
 .../provision/controller/ProjectApiControllerTest.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java b/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
index 47183c30..2c7ac2f8 100644
--- a/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
+++ b/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
@@ -530,7 +530,7 @@ public void addProjectInLegacyFormatErrorsOut() throws Exception {
 @Test
 public void validateProjectWithProjectExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(true);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(true);
 mockMvc
 .perform(
@@ -543,7 +543,7 @@ public void validateProjectWithProjectExists() throws Exception {
 @Test
 public void validateProjectWithProjectNotExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(false);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(false);
 mockMvc
 .perform(
@@ -556,7 +556,7 @@ public void validateProjectWithProjectNotExists() throws Exception {
 @Test
 public void validateKeyWithKeyExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(true);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(true);
 mockMvc
 .perform(
 get("/api/v2/project/key/validate")
@@ -568,7 +568,7 @@ public void validateKeyWithKeyExists() throws Exception {
 @Test
 public void validateKeyWithKeyNotExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(false);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(false);
 mockMvc
 .perform(
@@ -581,7 +581,7 @@ public void validateKeyWithKeyNotExists() throws Exception {
 @Test
 public void generateKey() throws Exception {
- when(jiraAdapter.buildProjectKey(isNotNull(String.class))).thenReturn("PROJ");
+ when(jiraAdapter.buildProjectKey(isNotNull())).thenReturn("PROJ");
 mockMvc
 .perform(
From adb1da2fd4d16f8a67281aef8f079689a4b5e153 Mon Sep 17 00:00:00 2001
From: "Vazquez,Brais (IT EDP)"
Date: Thu, 2 Apr 2026 09:33:51 +0200
Subject: [PATCH 3/5] Enable circular bean references for WebSecurityConfigurerAdapter in application.properties
---
 src/main/resources/application.properties | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 7f89c584..38d5c807 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -10,6 +10,10 @@ logging.level.org.opendevstack=DEBUG
 # NOTE: this path is for local environemrnt. Do not forget to set in production to a different path
 logging.file.path=./build/logs
+# Spring Boot 2.6+ disallows circular bean references by default.
+# Required for WebSecurityConfigurerAdapter-based security configuration.
+spring.main.allow-circular-references=true
+
 #server port
 server.port=8080
 server.error.include-stacktrace=never
From f7371859990f8f1b7d7830a209c54aeced7ce3fa Mon Sep 17 00:00:00 2001
From: "Vazquez,Brais (IT EDP)"
Date: Thu, 2 Apr 2026 10:43:12 +0200
Subject: [PATCH 4/5] Override managed Tomcat version to address CVE-2025-31650
---
 build.gradle | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/build.gradle b/build.gradle
index ae21b38f..4a2908a0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -33,6 +33,10 @@ group = 'prov'
 version = '0.0.1-SNAPSHOT'
 sourceCompatibility = 1.11
+// Override managed Tomcat version to address CVE-2025-31650 (fixed in 9.0.104)
+// Spring Boot 2.7.x uses Tomcat 9.x; 10.x/11.x require Spring Boot 3.x
+ext['tomcat.version'] = '9.0.104'
+
 repositories {
 if (!no_nexus) {
 println("INFO: using nexus repositories, because property no_nexus=$no_nexus and nexus_url=${nexus_url}")
From e2e6bf674027509a3b1f71729fa449dde4eeb2e9 Mon Sep 17 00:00:00 2001
From: "Vazquez,Brais (IT EDP)"
Date: Thu, 2 Apr 2026 10:50:23 +0200
Subject: [PATCH 5/5] changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index af46883f..90391172 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@ ## Unreleased
 ### Fixed
+- Fix Vuls (CVE-2023-44487 & CVE-2025-31650), update springboot and tomcat ([#763](https://github.com/opendevstack/ods-provisioning-app/pull/763))
+
 ## [4.4.0] - 2026-02-25
 ### Fixed
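Review bot: In the application.properties hunk, `spring.main.allow-circular-references=true` switches off the cycle check for every bean in the context, not only for the security configuration the comment names, so a cycle introduced later anywhere in the application will start without complaint. The security configuration class is not part of this patch, so the cause is inferred: such a cycle usually comes from a bean that the adapter class both defines and injects, and moving that bean into its own `@Configuration` class or marking the injection point `@Lazy` would let the flag stay at its default. If the flag has to stay for now, the comment should name the beans involved and a removal condition, e.g. `# TODO: remove once the <bean A> <-> <bean B> cycle in the security configuration is broken`.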
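Review bot: In the second build.gradle hunk, `ext['tomcat.version'] = '9.0.104'` pins an exact version, so it fixes the named CVE but also holds Tomcat at 9.0.104 when later 9.0.x security releases come out, and nothing in the patch shows that the resolved `tomcat-embed-*` artifacts were checked against the property. The comment names only CVE-2025-31650, while the changelog entry in patch 5/5 also claims CVE-2023-44487; the comment should say which of the two changes (the Spring Boot upgrade or this pin) covers that one. I would confirm the result with `gradle dependencyInsight --dependency tomcat-embed-core --configuration runtimeClasspath` and extend the comment with `// Re-check this pin on every Tomcat 9.0.x security release; drop it once the managed version is >= the pin`.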