Issue/480 upgrade dependencies

.github/workflows/build.yml

@@ -51,7 +51,7 @@ jobs:
           java-version: 25
           cache: 'maven'
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -60,7 +60,7 @@ jobs:
         if: ${{ matrix.language == 'java-kotlin' }}
         run: mvn package $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -DskipTests
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:${{matrix.language}}"
 
@@ -185,18 +185,18 @@ jobs:
           name: quick_build
           path: ./
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: Build Docker image
         run:  docker build -t ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }} ${{ matrix.image.context }}
       - name: Scan Docker image with Trivy
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
           image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }}
           format: 'sarif'
           output: 'trivy-results-${{ matrix.image.name }}.sarif'
           trivyignores: './.trivyignore'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         if: always()
         with:
           sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'
@@ -232,17 +232,17 @@ jobs:
           name: quick_build
           path: ./
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         id: meta
         with:
           images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
@@ -257,7 +257,7 @@ jobs:
           # latest only for stable releases
           # develop builds
       - name: Build and Push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         id: push
         with:
           push: true
@@ -273,7 +273,7 @@ jobs:
       - name: Generate SBOM
         run: syft ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} -o cyclonedx-json > sbom.json
       - name: Set up cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
       - name: Attach SBOM
         run: cosign attest --yes --predicate sbom.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST}
       - name: Sign image

.trivyignore

@@ -1,3 +1,19 @@
+#
+# Copyright 2018-2025 Heilbronn University of Applied Sciences
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 # Ignore reason: Vulnerable code not used in DSF
 # CVE title: FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
 CVE-2026-34361

dsf-bpe/dsf-bpe-process-api-v1-base/pom.xml

@@ -41,6 +41,12 @@
 		<dependency>
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-context</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>commons-logging</groupId>
+					<artifactId>commons-logging</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
@@ -53,6 +59,7 @@
 		<dependency>
 			<artifactId>jakarta.ws.rs-api</artifactId>
 			<groupId>jakarta.ws.rs</groupId>
+			<version>${jakarta.ws.rs.version.v1}</version>
 		</dependency>
 
 		<!-- optional dependencies provided by the DSF bpe -->

dsf-bpe/dsf-bpe-process-api-v1-impl/pom.xml

@@ -45,18 +45,22 @@
 		<dependency>
 			<groupId>org.glassfish.jersey.core</groupId>
 			<artifactId>jersey-client</artifactId>
+			<version>${jersey.version.v1}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.glassfish.jersey.inject</groupId>
 			<artifactId>jersey-hk2</artifactId>
+			<version>${jersey.version.v1}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.glassfish.jersey.media</groupId>
 			<artifactId>jersey-media-json-jackson</artifactId>
+			<version>${jersey.version.v1}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.glassfish.jersey.connectors</groupId>
 			<artifactId>jersey-apache-connector</artifactId>
+			<version>${jersey.version.v1}</version>
 			<exclusions>
 				<exclusion>
 					<groupId>commons-logging</groupId>
@@ -125,17 +129,17 @@
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>hapi-fhir-structures-r4</artifactId>
+									<artifactId>hapi-fhir-base</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>org.hl7.fhir.utilities</artifactId>
+									<artifactId>hapi-fhir-converter</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>org.hl7.fhir.r4</artifactId>
+									<artifactId>hapi-fhir-structures-r4</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
@@ -145,84 +149,128 @@
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>hapi-fhir-converter</artifactId>
+									<artifactId>hapi-fhir-validation-resources-r4</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
 									<artifactId>org.hl7.fhir.convertors</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
+								<artifactItem>
+									<groupId>ca.uhn.hapi.fhir</groupId>
+									<artifactId>org.hl7.fhir.r4</artifactId>
+									<version>${hapi.fhir.version.v1}</version>
+								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
 									<artifactId>org.hl7.fhir.r5</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>net.sf.saxon</groupId>
-									<artifactId>Saxon-HE</artifactId>
-									<version>9.5.1-5</version>
+									<groupId>ca.uhn.hapi.fhir</groupId>
+									<artifactId>org.hl7.fhir.utilities</artifactId>
+									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
 									<artifactId>org.hl7.fhir.validation</artifactId>
 									<version>${hapi.fhir.version.v1}</version>
 								</artifactItem>
-								<!--<artifactItem>
-									<groupId>xpp3</groupId>
-									<artifactId>xpp3</artifactId>
-									<version>1.1.4c</version>
+								<artifactItem>
+									<groupId>de.hs-heilbronn.mi</groupId>
+									<artifactId>crypto-utils</artifactId>
+									<version>${crypto-utils.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>jakarta.annotation</groupId>
+									<artifactId>jakarta.annotation-api</artifactId>
+									<version>${jakarta.annotation.api.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>jakarta.ws.rs</groupId>
+									<artifactId>jakarta.ws.rs-api</artifactId>
+									<version>${jakarta.ws.rs.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>xpp3</groupId>
-									<artifactId>xpp3_xpath</artifactId>
-									<version>1.1.4c</version>
-								</artifactItem>-->
-								<!--<artifactItem>
 									<groupId>org.apache.commons</groupId>
 									<artifactId>commons-compress</artifactId>
-								</artifactItem>-->
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.apache.httpcomponents</groupId>
+									<artifactId>httpclient</artifactId>
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.apache.httpcomponents</groupId>
+									<artifactId>httpcore</artifactId>
+								</artifactItem>
 								<artifactItem>
 									<groupId>org.fhir</groupId>
 									<artifactId>ucum</artifactId>
 								</artifactItem>
 								<artifactItem>
-									<groupId>com.github.ben-manes.caffeine</groupId>
-									<artifactId>caffeine</artifactId>
-									<version>2.7.0</version>
+									<groupId>org.glassfish.hk2.external</groupId>
+									<artifactId>aopalliance-repackaged</artifactId>
+									<version>3.0.6</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>org.checkerframework</groupId>
-									<artifactId>checker-qual</artifactId>
-									<version>2.6.0</version>
+									<groupId>org.glassfish.hk2</groupId>
+									<artifactId>hk2-api</artifactId>
+									<version>3.0.6</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>com.google.errorprone</groupId>
-									<artifactId>error_prone_annotations</artifactId>
-									<version>2.3.3</version>
+									<groupId>org.glassfish.hk2</groupId>
+									<artifactId>hk2-locator</artifactId>
+									<version>3.0.6</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>com.google.code.gson</groupId>
-									<artifactId>gson</artifactId>
+									<groupId>org.glassfish.hk2</groupId>
+									<artifactId>hk2-utils</artifactId>
+									<version>3.0.6</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>de.hs-heilbronn.mi</groupId>
-									<artifactId>crypto-utils</artifactId>
-									<version>${crypto-utils.version.v1}</version>
+									<groupId>org.glassfish.hk2</groupId>
+									<artifactId>osgi-resource-locator</artifactId>
+									<version>1.0.3</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>hapi-fhir-validation-resources-r4</artifactId>
+									<groupId>org.glassfish.jersey.connectors</groupId>
+									<artifactId>jersey-apache-connector</artifactId>
+									<version>${jersey.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
-									<groupId>ca.uhn.hapi.fhir</groupId>
-									<artifactId>hapi-fhir-base</artifactId>
-									<version>${hapi.fhir.version.v1}</version>
+									<groupId>org.glassfish.jersey.core</groupId>
+									<artifactId>jersey-client</artifactId>
+									<version>${jersey.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.glassfish.jersey.core</groupId>
+									<artifactId>jersey-common</artifactId>
+									<version>${jersey.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.glassfish.jersey.ext</groupId>
+									<artifactId>jersey-entity-filtering</artifactId>
+									<version>${jersey.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.glassfish.jersey.inject</groupId>
+									<artifactId>jersey-hk2</artifactId>
+									<version>${jersey.version.v1}</version>
+								</artifactItem>
+								<artifactItem>
+									<groupId>org.glassfish.jersey.media</groupId>
+									<artifactId>jersey-media-json-jackson</artifactId>
+									<version>${jersey.version.v1}</version>
 								</artifactItem>
 								<artifactItem>
 									<groupId>org.ow2.asm</groupId>
 									<artifactId>asm</artifactId>
 								</artifactItem>
+								<artifactItem>
+									<groupId>com.github.ben-manes.caffeine</groupId>
+									<artifactId>caffeine</artifactId>
+								</artifactItem>
 							</artifactItems>
 						</configuration>
 					</execution>

dsf-bpe/dsf-bpe-process-api-v1-impl/src/main/java/dev/dsf/bpe/v1/logging/PluginMdcImpl.java → dsf-bpe/dsf-bpe-process-api-v1-impl/src/main/java/dev/dsf/bpe/v1/context/PluginContextImpl.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package dev.dsf.bpe.v1.logging;
+package dev.dsf.bpe.v1.context;
 
 import java.util.Objects;
 import java.util.function.Function;
@@ -26,11 +26,11 @@
 import org.operaton.bpm.engine.delegate.DelegateExecution;
 
 import dev.dsf.bpe.api.Constants;
-import dev.dsf.bpe.api.logging.AbstractPluginMdc;
+import dev.dsf.bpe.api.context.AbstractPluginContext;
 import dev.dsf.bpe.v1.constants.CodeSystems.BpmnMessage;
 import dev.dsf.bpe.v1.variables.Variables;
 
-public class PluginMdcImpl extends AbstractPluginMdc
+public class PluginContextImpl extends AbstractPluginContext
 {
 	private final String serverBaseUrl;
 	private final Function<DelegateExecution, Variables> variablesFactory;
@@ -43,15 +43,17 @@ public class PluginMdcImpl extends AbstractPluginMdc
 	 *            not <code>null</code>
 	 * @param jar
 	 *            not <code>null</code>
+	 * @param pluginClassLoader
+	 *            not <code>null</code>
 	 * @param serverBaseUrl
 	 *            not <code>null</code>
 	 * @param variablesFactory
 	 *            not <code>null</code>
 	 */
-	public PluginMdcImpl(int apiVersion, String name, String version, String jar, String serverBaseUrl,
-			Function<DelegateExecution, Variables> variablesFactory)
+	public PluginContextImpl(int apiVersion, String name, String version, String jar, ClassLoader pluginClassLoader,
+			String serverBaseUrl, Function<DelegateExecution, Variables> variablesFactory)
 	{
-		super(apiVersion, name, version, jar);
+		super(apiVersion, name, version, jar, pluginClassLoader);
 
 		this.serverBaseUrl = Objects.requireNonNull(serverBaseUrl, "serverBaseUrl");
 		this.variablesFactory = Objects.requireNonNull(variablesFactory, "variablesFactory");