Update Dropwizard to V5

.github/trivy/license-policy.rego

@@ -122,6 +122,7 @@ default glassfishAllowedInFossa := [
   "org.glassfish.jersey.media:jersey-media-multipart",
   "org.glassfish.jersey.test-framework.providers:jersey-test-framework-provider-inmemory",
   "org.glassfish.jersey.test-framework:jersey-test-framework-core",
+  "org.glassfish.jersey.ext:jersey-micrometer"
 ]
 
 # we allowed glassfishAllowedInFossa in Fossa

sda-commons-client-jersey/build.gradle

@@ -13,18 +13,12 @@ dependencies {
     exclude group: 'jakarta.activation', module: 'jakarta.activation-api'
   }
   api 'io.opentelemetry:opentelemetry-api'
-  api 'io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-semconv', {
-    exclude group: "io.opentelemetry", module: "opentelemetry-semconv"
-    exclude group: "io.opentelemetry.semconv", module: "opentelemetry-semconv"
-    exclude group: "io.opentelemetry.instrumentation", module: "opentelemetry-instrumentation-api"
-    exclude group: "io.opentelemetry", module: "opentelemetry-api-incubator"
-  }
+  api 'io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-incubator'
   api 'io.opentelemetry.semconv:opentelemetry-semconv'
 
   implementation 'io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-apache-httpclient-5.0'
   implementation 'io.opentelemetry.instrumentation:opentelemetry-apache-httpclient-5.2'
 
-
   testImplementation project(':sda-commons-server-testing')
   testImplementation project(':sda-commons-shared-wiremock-testing')
   testImplementation project(':sda-commons-server-trace')

sda-commons-client-jersey/src/main/java/org/sdase/commons/client/jersey/oidc/cache/AfterCreateExpiry.java

@@ -1,9 +1,9 @@
 package org.sdase.commons.client.jersey.oidc.cache;
 
 import com.github.benmanes.caffeine.cache.Expiry;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
 import java.time.Duration;
-import org.checkerframework.checker.index.qual.NonNegative;
-import org.checkerframework.checker.nullness.qual.NonNull;
 import org.sdase.commons.client.jersey.oidc.rest.model.TokenResource;
 
 public class AfterCreateExpiry implements Expiry<String, TokenResource> {
@@ -16,7 +16,7 @@ public class AfterCreateExpiry implements Expiry<String, TokenResource> {
    */
   @Override
   public long expireAfterCreate(
-      @NonNull String key, @NonNull TokenResource value, long currentTime) {
+      @NotNull String key, @NotNull TokenResource value, long currentTime) {
     long expirationTime = Duration.ofSeconds(value.getAccessTokenExpiresInSeconds()).toNanos();
 
     long buffer = Duration.ofSeconds(BUFFER_SECONDS).toNanos();
@@ -30,10 +30,10 @@ public long expireAfterCreate(
    */
   @Override
   public long expireAfterUpdate(
-      @NonNull String key,
-      @NonNull TokenResource value,
+      @NotNull String key,
+      @NotNull TokenResource value,
       long currentTime,
-      @NonNegative long currentDuration) {
+      @Min(0) long currentDuration) {
     return currentDuration;
   }
 
@@ -44,10 +44,10 @@ public long expireAfterUpdate(
    */
   @Override
   public long expireAfterRead(
-      @NonNull String key,
-      @NonNull TokenResource value,
+      @NotNull String key,
+      @NotNull TokenResource value,
       long currentTime,
-      @NonNegative long currentDuration) {
+      @Min(0) long currentDuration) {
     return currentDuration;
   }
 }

sda-commons-dependencies/build.gradle

@@ -9,13 +9,12 @@ javaPlatform {
 ext {
   antlr4Version = '4.13.2'
   apacheHttpClient5Version = '5.5.1'
-  // Check on upgrade, if org.apache.commons:commons-lang3 enforcement below (L48 + L73) is still needed!
-  dropwizardVersion = '4.0.15'
-  prometheusVersion = '0.16.0'
+  dropwizardVersion = '5.0.0'
+  prometheusVersion = '1.4.3'
   micrometerVersion = '1.16.1'
   swaggerCoreV3Version = '2.2.41'
-  weldVersion = '5.1.2.Final'
-  jacksonVersion = '2.19.2'
+  weldVersion = '6.0.3.Final'
+  jacksonVersion = '2.20.0'
   jsonUnitVersion = '5.1.0'
   scalaVersion = '2.13.18' // align transitive dependency from various modules, keep up to date
   kafkaVersion = '3.9.1'
@@ -25,13 +24,14 @@ ext {
   kotlinxCoroutinesVersion = '1.10.2'
   resilience4jVersion = '2.2.0'
   openTelemetryVersion = '1.41.0'
-  openTelemetryAlpha2Version = '2.21.0-alpha'
+  openTelemetryAlpha2Version = '2.22.0-alpha'
   // should be aligned with transitive dependency of Spring Data MongoDB
   mongoDbDriverVersion = '5.6.2'
   tuprologVersion = '0.20.9' // don't upgrade separately! use version from database-rider
   bouncyCastleVersion = '1.83'
   victoolsVersion = '4.38.0'
   flywayVersion = '11.20.0'
+  wiremockVersion = '3.13.1'
 }
 
 dependencies {
@@ -40,9 +40,7 @@ dependencies {
   // override version from dropwizard-bom
   api enforcedPlatform("org.jetbrains.kotlin:kotlin-bom:$kotlinVersion")
   api enforcedPlatform("org.jetbrains.kotlinx:kotlinx-coroutines-bom:$kotlinxCoroutinesVersion")
-  api enforcedPlatform("org.eclipse.jetty:jetty-bom:11.0.26"), {
-    because("dropwizard and dropwizard-metrics use different versions")
-  }
+  api enforcedPlatform("org.eclipse.jetty.ee10:jetty-ee10-bom:12.1.1")
   api enforcedPlatform("io.dropwizard:dropwizard-bom:$dropwizardVersion")
   api enforcedPlatform("io.dropwizard:dropwizard-dependencies:$dropwizardVersion"), {
     exclude group: 'jakarta.xml.bind', module: 'jakarta.xml.bind-api'
@@ -62,7 +60,7 @@ dependencies {
   api enforcedPlatform("io.netty:netty-bom:4.2.9.Final"), {
     because "various CVEs in earlier versions"
   }
-  api enforcedPlatform("io.prometheus:simpleclient_bom:${prometheusVersion}")
+  api enforcedPlatform("io.prometheus:prometheus-metrics-bom:${prometheusVersion}")
 
   // asyncapi generation
   api enforcedPlatform("com.github.victools:jsonschema-generator-bom:${victoolsVersion}")
@@ -73,9 +71,6 @@ dependencies {
     api "org.apache.httpcomponents.client5:httpclient5-fluent:${apacheHttpClient5Version}"
     api "io.github.classgraph:classgraph:4.8.184"
 
-    api "org.jboss.logging:jboss-logging:3.6.1.Final", {
-      because "conflict between org.hibernate.validator:hibernate-validator and org.jboss.weld.se:weld-se-core"
-    }
     api "org.yaml:snakeyaml:2.3", {
       because "conflict between com.github.database-rider:rider-core and com.fasterxml.jackson.dataformat:jackson-dataformat-yaml"
       because "vulnerability CVE-2022-1471 in 1.33 and below"
@@ -87,10 +82,10 @@ dependencies {
 
     api 'jakarta.annotation:jakarta.annotation-api:2.1.1'
 
-    // sda-commons-shared-wiremock-testing
-    api "org.wiremock:wiremock:3.13.2"
+    api "org.wiremock:wiremock-jetty12:${wiremockVersion}"
+
     api "net.minidev:json-smart:2.6.0", {
-      because 'conflict between json-path 2.7.0 (2.4.7) and wirmock-jre8 (2.4.7 via json-path and 2.4.8 directly)'
+      because 'conflict between json-path 2.7.0 (2.4.7) and wiremock-jre8 (2.4.7 via json-path and 2.4.8 directly)'
     }
 
     // sda-commons-shared-asyncapi
@@ -120,9 +115,7 @@ dependencies {
     api "it.unibo.tuprolog:parser-theory-jvm:$tuprologVersion"
 
     // sda-commons-server-mongo-testing, sda-commons-server-spring-data-mongo
-    // Keep that version for now, since 4.2.0 introduces a bug.
-    // Newer Versions contain breaking change. Update, when dropwizard v5 gets released
-    api 'org.springframework.data:spring-data-mongodb:4.1.12'
+    api 'org.springframework.data:spring-data-mongodb:5.0.1'
     api "de.flapdoodle.embed:de.flapdoodle.embed.mongo:4.11.1"
     api "io.opentelemetry.instrumentation:opentelemetry-mongo-3.1:${openTelemetryAlpha2Version}"
     // check if commons-compress management is still needed after flapdoodle upgrade
@@ -143,14 +136,9 @@ dependencies {
     api "io.swagger.parser.v3:swagger-parser-v3:2.1.36"
 
     api "io.micrometer:micrometer-core:$micrometerVersion"
-    api "io.micrometer:micrometer-registry-prometheus-simpleclient:$micrometerVersion", {
-      because '''\
-          Dropwizard 4 is not compatible to Java client 1.x version.
-          This module is deprecated, so when we upgrade to Dropwizard 5 we should
-          migrate to io.micrometer:micrometer-registry-prometheus:1.13.0.
-          See https://github.com/micrometer-metrics/micrometer/wiki/1.13-Migration-Guide#prometheus-java-client-0x-to-1x-upgrade
-          '''
-    }
+    api "io.micrometer:micrometer-registry-prometheus:$micrometerVersion"
+
+    api "org.glassfish.jersey.ext:jersey-micrometer:3.1.11"
 
     // sda-commons-server-s3
     api "org.reactivestreams:reactive-streams:1.0.4"
@@ -184,7 +172,7 @@ dependencies {
     api "org.junit-pioneer:junit-pioneer:2.3.0"
 
     // sda-commons-server-weld-testing
-    api 'org.jboss.weld:weld-junit5:4.0.5.Final'
+    api 'org.jboss.weld:weld-junit5:5.0.2.Final'
 
     // sda-commons-shared-*
     api 'commons-io:commons-io:2.21.0'
@@ -193,8 +181,8 @@ dependencies {
     api "io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-apache-httpclient-5.0:${openTelemetryAlpha2Version}"
     api "io.opentelemetry.instrumentation:opentelemetry-apache-httpclient-5.2:${openTelemetryAlpha2Version}"
     api "io.opentelemetry.semconv:opentelemetry-semconv:1.37.0"
-    api "io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:2.21.0"
-    api "io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-semconv:1.33.6-alpha"
+    api "io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:2.22.0"
+    api "io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-incubator:${openTelemetryAlpha2Version}"
 
     // Kafka
     api "org.apache.kafka:kafka_2.13:$kafkaVersion"
@@ -222,12 +210,8 @@ dependencies {
 
     api "jakarta.xml.bind:jakarta.xml.bind-api:4.0.4"
 
-    //spring-data-mongodb can't be updated without breaking changes.
-    //Instead we can add the spring-core dependency to fix spring related CVEs.
-    api 'org.springframework:spring-core:6.2.12'
-
     //Fixes CVE-2025-11226, future updates of Dropwizard have to be checked if this is still necessary
-    api 'ch.qos.logback:logback-core:1.5.21'
+    api 'ch.qos.logback:logback-core:1.5.24'
 
     //Fixes CVE-2024-29371, Kafka 3.9.1 still uses 0.9.4; can be removed at a future update of Kafka
     api 'org.bitbucket.b_c:jose4j:0.9.6'

sda-commons-dependency-check/src/test/java/org/sdase/commons/dependency/check/DuplicateClassesTest.java

@@ -20,7 +20,11 @@ class DuplicateClassesTest {
           // There only seems to be one very old release of aopalliance that HK2 and Spring
           // repackaged into their own artifacts. Assumption is that the included versions are
           // identical and the duplication is not an issue.
-          Pattern.compile("org/aopalliance.*"));
+          Pattern.compile("org/aopalliance.*"),
+          // There is jna and jna-jpms; The second is a version of the lib with extra platform
+          // related dependencies. Flapdoodle includes both libs. The duplicate classes should be
+          // identical.
+          Pattern.compile("com/sun/jna.*"));
 
   private static final Logger LOG = LoggerFactory.getLogger(DuplicateClassesTest.class);
 

sda-commons-server-cors/src/main/java/org/sdase/commons/server/cors/CorsBundle.java

@@ -6,18 +6,13 @@
 import io.dropwizard.core.ConfiguredBundle;
 import io.dropwizard.core.setup.Bootstrap;
 import io.dropwizard.core.setup.Environment;
-import jakarta.servlet.DispatcherType;
-import jakarta.servlet.FilterRegistration;
 import jakarta.ws.rs.HttpMethod;
 import jakarta.ws.rs.core.HttpHeaders;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.LinkedHashSet;
-import java.util.Objects;
-import java.util.Set;
+import java.util.*;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import org.eclipse.jetty.servlets.CrossOriginFilter;
+import org.eclipse.jetty.server.handler.CrossOriginHandler;
 import org.sdase.commons.shared.tracing.ConsumerTracing;
 import org.sdase.commons.shared.tracing.TraceTokenContext;
 
@@ -81,25 +76,40 @@ private CorsBundle(
   public void run(C configuration, Environment environment) {
     CorsConfiguration config = configProvider.apply(configuration);
 
-    FilterRegistration.Dynamic filter =
-        environment.servlets().addFilter("CORS", CrossOriginFilter.class);
+    CrossOriginHandler cors = new CrossOriginHandler();
 
-    // UrlPatterns where to apply the filter
-    filter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
+    cors.setAllowedOriginPatterns(createCorsOriginPattern(config));
+    cors.setAllowedMethods(allowedHttpMethods);
+    cors.setAllowedHeaders(allowedHeaders);
+    cors.setExposedHeaders(exposedHeaders);
+    cors.setAllowCredentials(true);
+    cors.setDeliverPreflightRequests(false);
 
-    filter.setInitParameter(
-        CrossOriginFilter.ALLOWED_ORIGINS_PARAM, String.join(",", config.getAllowedOrigins()));
-    filter.setInitParameter(
-        CrossOriginFilter.ALLOWED_METHODS_PARAM, String.join(",", allowedHttpMethods));
-    filter.setInitParameter(
-        CrossOriginFilter.ALLOWED_HEADERS_PARAM, String.join(",", allowedHeaders));
-    filter.setInitParameter(
-        CrossOriginFilter.EXPOSED_HEADERS_PARAM, String.join(",", exposedHeaders));
+    environment.getApplicationContext().insertHandler(cors);
+  }
 
-    filter.setInitParameter(CrossOriginFilter.ALLOW_CREDENTIALS_PARAM, Boolean.TRUE.toString());
+  private Set<String> createCorsOriginPattern(CorsConfiguration config) {
+    return config.getAllowedOrigins().stream()
+        .map(this::wildcardToRegex)
+        .collect(Collectors.toSet());
+  }
 
-    // affects only pre flight requests, regular options mapping is still possible
-    filter.setInitParameter(CrossOriginFilter.CHAIN_PREFLIGHT_PARAM, Boolean.FALSE.toString());
+  private String wildcardToRegex(String origin) {
+    if ("*".equals(origin)) {
+      return ".*"; // match any origin
+    }
+    // Split on '*' and quote each literal segment, then join with ".*"
+    String[] parts = origin.split("\\*", -1); // keep empty segments
+    StringBuilder sb = new StringBuilder();
+    for (int i = 0; i < parts.length; i++) {
+      sb.append(Pattern.quote(parts[i]));
+      if (i < parts.length - 1) {
+        sb.append(".*");
+      }
+    }
+    // Optional: anchor to full string so the regex matches the entire Origin header.
+    // Jetty examples typically don't add ^/$, but it's safer to control exact-matching:
+    return "^" + sb.toString() + "$";
   }
 
   @Override

sda-commons-server-cors/src/main/java/org/sdase/commons/server/cors/CorsHeader.java

@@ -0,0 +1,21 @@
+package org.sdase.commons.server.cors;
+
+public class CorsHeader {
+
+  // Request headers
+  public static final String ORIGIN_HEADER = "Origin";
+  public static final String ACCESS_CONTROL_REQUEST_METHOD_HEADER = "Access-Control-Request-Method";
+  public static final String ACCESS_CONTROL_REQUEST_HEADERS_HEADER =
+      "Access-Control-Request-Headers";
+  // Response headers
+  public static final String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
+  public static final String ACCESS_CONTROL_ALLOW_METHODS_HEADER = "Access-Control-Allow-Methods";
+  public static final String ACCESS_CONTROL_ALLOW_HEADERS_HEADER = "Access-Control-Allow-Headers";
+  public static final String ACCESS_CONTROL_MAX_AGE_HEADER = "Access-Control-Max-Age";
+  public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER =
+      "Access-Control-Allow-Credentials";
+  public static final String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER = "Access-Control-Expose-Headers";
+  public static final String TIMING_ALLOW_ORIGIN_HEADER = "Timing-Allow-Origin";
+
+  private CorsHeader() {}
+}