Library updates for cve's, suppression cleanup and not fail github action job SonarCloud if SONARCLOUD_TOKEN not found (summary report instead).

.github/workflows/maven.yml

@@ -31,7 +31,7 @@ env:
 
 jobs:
   build:
-    name: Build and Test (JDK ${{ matrix.java }})${{ matrix.profile == '-Pjakartaee11' && ' with Jakarta EE 11' || matrix.profile }}
+    name: Build and Test (JDK ${{ matrix.java }})${{ matrix.profile == '-Pjakartaee11' && ' (Jakarta EE 11)' || matrix.profile }}
     runs-on: ubuntu-latest
     strategy:
       matrix:

.github/workflows/sonar.yml

@@ -26,6 +26,7 @@ permissions: read-all
 env:
   MAVEN_OPTS: -Xmx2048m -Xms1024m
   LANG: en_US.utf8
+  HAVE_SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN != '' }}
 
 jobs:
   sonarcloud:
@@ -41,7 +42,14 @@ jobs:
           distribution: temurin
           java-version: 21
           cache: 'maven'
-      - env:
+      - name: SonarCloud Scan
+        if: ${{ env.HAVE_SONARCLOUD_TOKEN == 'true' }}
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
         run: ./mvnw -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Pcoverage -DskipAssembly
+      - name: SonarCloud Scan -- SKIPPED
+        if: ${{ env.HAVE_SONARCLOUD_TOKEN != 'true' }}
+        run: |
+          echo "### SonarCloud not configured" >> $GITHUB_STEP_SUMMARY
+          echo "secrets.SONARCLOUD_TOKEN not existing, cannot push coverage checks" >> $GITHUB_STEP_SUMMARY

plugins/jasperreports/pom.xml

@@ -35,7 +35,7 @@
         <dependency>
             <groupId>net.sf.jasperreports</groupId>
             <artifactId>jasperreports</artifactId>
-            <version>6.21.3</version>
+            <version>6.21.5</version>
             <scope>provided</scope>
             <exclusions>
                 <!-- not necessary to compile and it force dependency convergence issues -->

plugins/jasperreports7/pom.xml

@@ -33,7 +33,7 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <jasperreports7.version>7.0.4</jasperreports7.version>
+        <jasperreports7.version>7.0.6</jasperreports7.version>
     </properties>
 
     <dependencies>

plugins/spring/README.md

@@ -4,3 +4,11 @@ You will find more details in [documentation](https://struts.apache.org/plugins/
 
 ## Installation
 Just drop this plugin JAR into `WEB-INF/lib` folder or add it as a Maven dependency.
+
+
+## Struts & Spring Compatibility Matrix
+
+| Struts Plugin Version | Compatible Spring Version  | Spring OSS End of Life (EOL) |
+|:----------------------|:---------------------------|:-----------------------------|
+| **7.1.1**             | 6.2.x                      | 2026-06                      |
+| **7.1.1**             | 7.0.7 (Jakarta EE 11 only) | 2027-06                      |

pom.xml

@@ -125,7 +125,7 @@
         <mockito.version>5.23.0</mockito.version>
         <ognl.version>3.4.11</ognl.version>
         <slf4j.version>2.0.17</slf4j.version>
-        <spring.version>6.2.12</spring.version>
+        <spring.version>7.0.7</spring.version>
         <struts-annotations.version>2.0</struts-annotations.version>
         <velocity-tools.version>3.1</velocity-tools.version>
         <weld.version>6.0.4.Final</weld.version>
@@ -157,8 +157,7 @@
         <profile>
             <id>jakartaee11</id>
             <properties>
-                <jakarta-ee.version>11.0.0-M5</jakarta-ee.version>
-                <spring.version>7.0.5</spring.version>
+                <jakarta-ee.version>11.0.0</jakarta-ee.version>
             </properties>
         </profile>
         <profile>

src/etc/project-suppression.xml

@@ -18,168 +18,43 @@
   under the License.
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
+    <suppress until="2026-06-30">
+        <notes><![CDATA[
+    file name: jasperreports-7.0.6.jar
+    https://community.jaspersoft.com/knowledgebase/faq/update-details-about-the-java-vulnerability-r4897/
+    One way to prevent such an attack would be to make sure the parent Java application runs on Java 17 or later, where this type of attack is blocked by some changes made to the Java platform itself.
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/net\.sf\.jasperreports/jasperreports@.*$</packageUrl>
+        <cve>CVE-2025-10492</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[false positive due to naming to close to apache tiles
+        cpe:2.3:a:apache:tiles:*:*:*:*:*:*:*:* versions from (including) 2.0]]></notes>
+        <cve>CVE-2023-49735</cve>
         <cpe>cpe:/a:apache:struts</cpe>
     </suppress>
     <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2011-5057</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2012-0391</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2012-0392</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2012-0393</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2012-0394</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2012-0838</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2013-1965</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2013-1966</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2013-2115</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2013-2134</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2013-2135</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2014-0094</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2014-0113</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2015-5169</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2016-0785</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-core-1.3.8.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-core@.*$</packageUrl>
-        <vulnerabilityName>CVE-2016-4003</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-annotations-1.0.6.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts\-annotations@.*$</packageUrl>
-        <cpe>cpe:/a:apache:struts</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-tiles-1.3.8.jar]]></notes>
-        <gav regex="true">^org\.apache\.struts:struts\-tiles\:1\.3\.8.*$</gav>
-        <cpe>cpe:/a:apache:struts</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: struts-taglib-1.3.8.jar]]></notes>
-        <gav regex="true">^org\.apache\.struts:struts\-taglib\:1\.3\.8.*$</gav>
-        <cpe>cpe:/a:apache:struts</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: dom4j-1.1.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/dom4j/dom4j@.*$</packageUrl>
-        <vulnerabilityName>CVE-2018-1000632</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: bsh-2.0b4.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.beanshell/bsh@.*$</packageUrl>
-        <vulnerabilityName>CVE-2016-2510</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[ file name: plexus-utils-1.2.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
-        <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
-        <cve>CVE-2022-4244</cve>
-        <cve>CVE-2022-4245</cve>
-        <cve>CVE-2017-1000487</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[ file name: plexus-container-default-1.0-alpha-10.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus\/plexus\-container\-default@.*$</packageUrl>
-        <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
-        <cve>CVE-2022-4244</cve>
-        <cve>CVE-2022-4245</cve>
-    </suppress>
-    <!-- TestNG -->
-    <suppress>
-        <notes><![CDATA[file name: guava-19.0.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <cve>CVE-2018-10237</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: snakeyaml-1.21.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <cve>CVE-2017-18640</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: testng-7.1.0.jar: jquery-3.4.1.min.js]]></notes>
+        <notes><![CDATA[apps showcase demos with jquery-2.1.4.min.js]]></notes>
         <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
         <cve>CVE-2020-11022</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: testng-7.1.0.jar: jquery-3.4.1.min.js]]></notes>
-        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
         <cve>CVE-2020-11023</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: testng-7.5.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.testng/testng@.*$</packageUrl>
-        <cve>CVE-2022-4065</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: spring-core-4.3.30.RELEASE.jar, spring-aop-4.3.30.RELEASE.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
-        <cve>CVE-2022-22965</cve>
-        <cve>CVE-2022-22950</cve>
-        <cve>CVE-2022-22968</cve>
-        <cve>CVE-2022-22970</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[file name: spring-web-5.3.23.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
-        <cve>CVE-2016-1000027</cve>
+        <cve>CVE-2015-9251</cve>
+        <cve>CVE-2019-11358</cve>
+        <vulnerabilityName>jquery issue: 11974</vulnerabilityName>
+        <vulnerabilityName>jquery issue: 162</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[apps showcase demos with Bootstrap v3.3.4]]></notes>
+<!--        <packageUrl regex="true">^pkg:javascript/bootstrap@.*$</packageUrl>-->
+        <sha1>253711c6d825de55a8360552573be950da180614</sha1>
+        <cve>CVE-2016-10735</cve>
+        <cve>CVE-2018-14040</cve>
+        <cve>CVE-2018-14041</cve>
+        <cve>CVE-2018-14042</cve>
+        <cve>CVE-2018-20676</cve>
+        <cve>CVE-2018-20677</cve>
+        <cve>CVE-2019-8331</cve>
+        <cve>CVE-2024-6485</cve>
+        <vulnerabilityName>Bootstrap before 4.0.0 is end-of-life and no longer maintained.</vulnerabilityName>
     </suppress>
 </suppressions>