
[SECURITY] Dependency Upgrade Tracking - Q1 2025 #6941

@montge

Description

Master Tracking: Security Dependency Upgrades

This issue tracks all security-related dependency upgrades for DDF.


Critical Priority (P0) - Immediate

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Hazelcast | 3.12.10 | Remove, or 5.5.0 | 4 | 🔴 Not Started |
| GeoTools | 24.6 | 28.6.1+ | 12+ | 🔴 Not Started |

High Priority (P1) - Next 30 Days

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Commons-Collections | 3.2.2 | 4.5.0 | 4 | 🔴 Not Started - #6936 |
| Spring Framework | 6.1.21 | 6.2.12 | 2 | 🔴 Not Started - #6935 |
| Commons BeanUtils | 1.9.4 | 1.11.0 | 1 | 🔴 Not Started |
| Apache Batik | 1.14 | 1.17+ | 4 | 🔴 Not Started |

Note: Commons-Collections 4.x is a separate artifact (`commons-collections4`) with a new package name (`org.apache.commons.collections4`), so the 3.2.2 to 4.5.0 row is a code migration, not a version bump; the 3.2.2 artifact stays on the classpath until every consumer has moved.

Medium Priority (P2) - Next 60 Days

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Apache Karaf | 4.4.8 | 4.4.9+ | TBD | 🔴 Not Started |
| Netty (transitive) | Various | 4.1.114+ | 9 | 🔴 Not Started |
| Protobuf (transitive) | Various | 3.25.8+ | 8 | 🔴 Not Started |
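The Netty and Protobuf rows are transitive: nothing in the project declares them, so each consumer drags in whatever version it was built against. Upgrading them means overriding that resolution centrally and then guarding the override. As an added example (not DDF's pom), here is a Maven `dependencyManagement` block that pins both to the targets in the table, plus a `maven-enforcer-plugin` rule that fails the build if any dependency path still resolves an older copy. The coordinates are the standard ones for these libraries; the enforcer plugin version and the execution id are assumptions.

```xml
<!-- Added example, not from the DDF pom. Pins the transitive Netty/Protobuf
     targets from the P2 table and makes the build fail if an older copy is
     still resolved on any dependency path. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Netty publishes a BOM; importing it pins every io.netty artifact,
           including the ones only reached transitively. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.114.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Protobuf has no BOM, so the runtime artifact is pinned directly. -->
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>3.25.8</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Guard rail. dependencyManagement only controls versions Maven
           resolves; a later dependency can still introduce an old copy under
           a different artifactId, and classes bundled inside a shaded jar are
           never managed at all. This rule turns the first case into a build
           failure; the second still needs the scanner. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-transitives</id>  <!-- assumed id -->
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Maven compares 4.1.114.Final as equal to 4.1.114,
                         so this range bans everything older. -->
                    <exclude>io.netty:*:[,4.1.114)</exclude>
                    <exclude>com.google.protobuf:protobuf-java:[,3.25.8)</exclude>
                  </excludes>
                  <message>Transitive Netty/Protobuf below the P2 target; see the tracking issue.</message>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

`mvn validate` is enough to exercise the rule, since `enforce` binds to the validate phase by default, and `mvn dependency:tree -Dincludes=io.netty,com.google.protobuf` lists the paths that still pull either library in. Two caveats for a Karaf-based build like DDF: bundles are provisioned from feature descriptors with explicit `mvn:` URLs, so those features need the same version bump or the runtime keeps the old bundle regardless of what Maven resolved; and pinning protobuf-java at 3.25.x will break any dependency that already requires the 4.x line, which the enforcer failure will surface before the scanner does.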

Low Priority (P3) - Ongoing

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| commons-lang 2.x | 2.6 | Migrate to 3.x | EOL | 🔴 Not Started |
| jQuery/Bootstrap | Various | Latest | Multiple | 🔴 Not Started |

Progress Summary

  • Total Vulnerabilities: ~126 unique
  • Target Vulnerabilities: <25 (MEDIUM/LOW only)
  • Expected Reduction: 78%+

Related Issues


Definition of Done

  • All P0 vulnerabilities resolved
  • All P1 vulnerabilities resolved
  • P2 vulnerabilities in progress
  • No CRITICAL CVEs remaining
  • CI security scanning enabled and gating the build (a scan that only reports, without failing on new CRITICAL/HIGH findings, will not hold the reduction)
  • OWASP Dependency-Check suppression file covering confirmed false positives only, each entry scoped to a package and CVE, with a reason and an expiry date
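The last two items are the scanner gate. As an added example (not DDF's configuration), here is the `dependency-check-maven` plugin wired to fail the build at CVSS 7 and above, together with a suppression file shaped the way a false positive should be recorded: one entry per finding, scoped to a package URL and a specific CVE, with a note explaining why and an `until` date so it is re-reviewed rather than forgotten. Two files are shown in one block, separated by comments. The plugin version, the file path, the CVE placeholder and the date are assumptions to replace.

```xml
<!-- Added example; not DDF's configuration. Two files follow, separated by
     comments: the pom.xml plugin block and the suppressions.xml it references. -->

<!-- ===== pom.xml (inside <build><plugins>) ===== -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>10.0.4</version>  <!-- assumed version -->
  <configuration>
    <!-- CVSS 7.0 and above (HIGH, CRITICAL) fails the build; MEDIUM/LOW are
         still reported, matching the "<25 MEDIUM/LOW only" target. -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <!-- assumed path -->
      <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
  </configuration>
  <executions>
    <execution>
      <goals><goal>check</goal></goals>
    </execution>
  </executions>
</plugin>

<!-- ===== owasp-suppressions.xml ===== -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- A well-scoped entry: one CVE, one package (anchored regex), a reason,
       an expiry. The CVE id and the date are placeholders, not findings
       from this issue. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      Placeholder reason: the vulnerable code path is not reachable because ...
      (link the analysis). The entry stops applying after the until date, so
      it must be re-reviewed, not silently extended.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons-collections4@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

  <!-- Anti-pattern, kept commented out so it is never active: no package,
       no CVE, no expiry. An entry like this hides every future finding for
       every artifact and quietly defeats the CI gate. -->
  <!--
  <suppress>
    <cvssBelow>10</cvssBelow>
  </suppress>
  -->
</suppressions>
```

`mvn verify` runs the `check` goal and fails the build on anything at or above the threshold that is not suppressed. In CI, supply an NVD API key through the plugin's `nvdApiKey` parameter (for example from a secret via `-DnvdApiKey=...`); without one the NVD feed download is heavily throttled and the job will time out or run on stale data. Review the suppression file in the same pull request as any dependency change, and treat a suppression without a `packageUrl`, a `cve` (or `vulnerabilityName`) and an `until` date as a review blocker.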
