fix: security patches for docker images and maven dependencies#18

Open
chethann007 wants to merge 1 commit into develop from fix/vuln-fixes

Conversation

chethann007 (Collaborator) commented Mar 9, 2026

Description

This PR addresses several security vulnerabilities discovered via Trivy container scanning in both the base Alpine OS image and the Java pom.xml dependencies across all Microservices. The vulnerabilities resolved are:

OS Vulnerabilities:

Java Vulnerabilities:

To remediate these, the PR enforces apk upgrade and a specific zlib version requirement (>=1.3.2-r0) during Docker builds, bumps jackson.version to 2.18.6, and pins c3p0 and mchange-commons-java via dependencyManagement.

Fixes # (issue)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor / Technical Debt
  • Test case addition/update

Microservice(s) Affected

  • userorg-service
  • lms-service
  • notification-service
  • lern-service (Unified/Common)
  • core / shared-utils

How Has This Been Tested?

  • Unit Tests: Ran mvn test for the affected module.
  • Integration Tests: Verified API endpoints locally.
  • Code Coverage: Generated JaCoCo report and met threshold.
  • Security Scans: Re-built Docker Images and ran trivy image confirming 0 vulnerabilities across OS and Java artifacts.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
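The verification step this description relies on (re-running trivy image and confirming nothing fixable is left) can be turned into a repeatable gate. The following is an added example, not code from this PR or the project: it reads a Trivy JSON report (the Results[].Vulnerabilities[] layout with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity that Trivy emits), lists every finding whose installed version is still below the fix version, and separately evaluates the kind of apk constraint this PR pins (>=1.3.2-r0). The version ordering is a simplification of apk's and Maven's real rules (numeric segments compared as integers, release suffixes such as -r0 included, pre-release tags not special-cased); the two reports are constructed, and the CVE identifiers and pre-fix versions in them are placeholders.

```python
"""Gate a Trivy image scan on findings that are still open after remediation.

Added example (not this PR's code). Assumes Trivy's JSON report layout:
Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion and Severity. The reports below are constructed; CVE ids and
pre-fix versions are placeholders.
"""
import json
import re
import sys

_TOKEN = re.compile(r"\d+|[A-Za-z]+")
_SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def version_key(version):
    """Sortable key for versions like '1.3.2-r0' (apk) or '2.18.6' (Maven).

    Simplification of the real apk/Maven ordering (assumption): numeric
    segments compare as integers (so 1.3.10 > 1.3.2), letters as text, and a
    longer version with the same prefix sorts higher. Pre-release tags such
    as '-rc1' are not special-cased.
    """
    return [(0, int(t)) if t.isdigit() else (1, t.lower())
            for t in _TOKEN.findall(version)]


def satisfies(installed, constraint):
    """Evaluate an apk-style constraint, e.g. satisfies('1.3.2-r1', '>=1.3.2-r0').

    This is the check behind a Dockerfile line such as
    apk add --no-cache 'zlib>=1.3.2-r0' (package name stripped here).
    """
    m = re.fullmatch(r"(>=|<=|>|<|=)(\S+)", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, wanted = m.groups()
    have, want = version_key(installed), version_key(wanted)
    return {">=": have >= want, ">": have > want, "=": have == want,
            "<=": have <= want, "<": have < want}[op]


def _severity_rank(severity):
    return _SEVERITY_ORDER.index(severity) if severity in _SEVERITY_ORDER else 0


def unfixed_findings(report, min_severity="MEDIUM"):
    """Return (target, package, id, installed, fixed) tuples for findings
    still open at or above min_severity.

    A finding is open when InstalledVersion is below FixedVersion, or when
    Trivy reports no FixedVersion at all (no upstream fix exists, so an
    upgrade cannot close it and it must not be silently dropped). Assumes a
    single fixed version per finding.
    """
    floor = _severity_rank(min_severity)
    open_findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if _severity_rank(vuln.get("Severity", "UNKNOWN")) < floor:
                continue
            fixed = vuln.get("FixedVersion")
            if not fixed or version_key(vuln["InstalledVersion"]) < version_key(fixed):
                open_findings.append((result.get("Target"), vuln["PkgName"],
                                      vuln["VulnerabilityID"],
                                      vuln["InstalledVersion"], fixed))
    return open_findings


def gate(report, min_severity="MEDIUM"):
    """Exit-code style result: 0 when nothing at or above the floor is open."""
    return 1 if unfixed_findings(report, min_severity) else 0


# Constructed report before the fix: an Alpine layer plus a Java jar layer.
# Ids and pre-fix versions are placeholders, not real findings.
REPORT_BEFORE = json.loads("""
{"Results": [
  {"Target": "service:latest (alpine)", "Type": "alpine", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "zlib",
     "InstalledVersion": "1.3.1-r0", "FixedVersion": "1.3.2-r0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "musl",
     "InstalledVersion": "1.2.4-r0", "Severity": "LOW"}]},
  {"Target": "app/service.jar", "Type": "jar", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3",
     "PkgName": "com.fasterxml.jackson.core:jackson-databind",
     "InstalledVersion": "2.17.0", "FixedVersion": "2.18.6", "Severity": "HIGH"}]}
]}
""")

# Constructed report after apk upgrade, zlib>=1.3.2-r0 and the jackson bump:
# only the finding with no upstream fix remains.
REPORT_AFTER = json.loads("""
{"Results": [
  {"Target": "service:latest (alpine)", "Type": "alpine", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "musl",
     "InstalledVersion": "1.2.4-r0", "Severity": "LOW"}]},
  {"Target": "app/service.jar", "Type": "jar", "Vulnerabilities": []}
]}
""")


if __name__ == "__main__":
    # Real use: trivy image --format json -o report.json <image>; then run this
    # script with report.json as its argument. Without one, the sample is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else REPORT_BEFORE
    for target, pkg, vid, installed, fixed in unfixed_findings(report):
        print(f"{target}: {pkg} {installed} -> {fixed or 'no fix available'} ({vid})")
    sys.exit(gate(report))
```

Running the gate at MEDIUM keeps the no-fix LOW finding out of the build-breaking path while still listing it when invoked with min_severity="LOW", which is the distinction a reviewer would want behind a claim of "0 vulnerabilities": fixable findings closed, unfixable ones tracked rather than hidden.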

sonarqubecloud bot commented Mar 9, 2026

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

Copilot AI left a comment

Pull request overview

This PR focuses on security remediation by updating Java dependency versions in the Maven parent POM and adjusting Alpine-based runtime images to pull patched system libraries.

Changes:

  • Bumped Jackson version in the parent pom.xml and added managed versions for c3p0 and mchange-commons-java.
  • Added apk upgrade and installed zlib with a minimum version constraint in multiple service Dockerfiles.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

Summary per file:

  • pom.xml: Updates Jackson version and adds dependencyManagement overrides for c3p0 / mchange-commons-java to address transitive security issues.
  • build/userorg/Dockerfile: Upgrades Alpine packages at build time and installs curl + constrained zlib.
  • build/notification/Dockerfile: Upgrades Alpine packages at build time and installs curl + constrained zlib.
  • build/lms/Dockerfile: Upgrades Alpine packages at build time and installs curl + constrained zlib.
  • build/lern/Dockerfile: Installs constrained zlib and runs apk upgrade in the runtime image stage.
