Fix gcp scanner vulnerabilities

Author: Uladzislau-Dubavitski-epam

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM gradle:8.10.0-jdk21-alpine AS build
+FROM --platform=$BUILDPLATFORM gradle:8.10.2-jdk21-alpine AS build
 ARG RELEASE_MODE
 ARG APP_VERSION
 WORKDIR /usr/app
@@ -9,7 +9,7 @@ RUN if [ "${RELEASE_MODE}" = true ]; then \
         -Dorg.gradle.project.version=${APP_VERSION}; \
     else gradle build --no-build-cache --exclude-task test -Dorg.gradle.project.version=${APP_VERSION}; fi
 
-FROM amazoncorretto:21.0.9
+FROM amazoncorretto:21.0.10-alpine3.21
 LABEL version=${APP_VERSION} description="EPAM ReportPortal. Auth Service" maintainer="Andrei Varabyeu <andrei_varabyeu@epam.com>, Hleb Kanonik <hleb_kanonik@epam.com>"
 ARG APP_VERSION=${APP_VERSION}
 ENV APP_DIR=/usr/app

build.gradle

@@ -20,14 +20,22 @@ repositories {
 }
 
 ext['spring-boot.version'] = '3.4.12'
+ext['spring-framework.version'] = '6.2.17' // CVE-2026-22735, CVE-2026-22737
+ext['spring-security.version'] = '6.5.9'    // CVE-2026-22732 (OSS; 6.4.x fix commercial-only)
 ext['hibernate-validator.version'] = '8.0.2.Final'
 
 
 dependencies {
 
-    implementation 'org.apache.tomcat.embed:tomcat-embed-core:11.0.14'
-    implementation 'org.apache.tomcat.embed:tomcat-embed-el:11.0.14'
-    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:11.0.14'
+    implementation 'io.netty:netty-codec-http2:4.1.132.Final'
+    implementation 'io.netty:netty-codec-http:4.1.132.Final'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:11.0.21'
+    implementation 'com.fasterxml.jackson.core:jackson-core:2.21.2'
+    implementation 'ch.qos.logback:logback-core:1.5.32'
+
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:11.0.20'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-el:11.0.20'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:11.0.20'
 
     // Spring Boot Starters
     api 'org.springframework.boot:spring-boot-starter-data-jpa'
@@ -75,13 +83,14 @@ dependencies {
     api 'org.springframework.security:spring-security-oauth2-client'
     implementation 'org.springframework.security:spring-security-oauth2-authorization-server:1.5.3'
     implementation 'org.springframework.security:spring-security-oauth2-jose'
+    implementation 'com.nimbusds:nimbus-jose-jwt:10.0.2' // CVE-2025-53864 (scanner fixed-version: 10.0.2+)
     implementation 'org.springframework.security:spring-security-oauth2-core'
     implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
     implementation 'org.springframework.security:spring-security-ldap'
-    implementation 'org.springframework.security:spring-security-saml2-service-provider:6.4.2'
+    implementation 'org.springframework.security:spring-security-saml2-service-provider:6.5.9'
     implementation 'org.opensaml:opensaml-saml-api:4.0.1'
     implementation 'org.opensaml:opensaml-saml-impl:4.0.1'
-    runtimeOnly 'com.nimbusds:oauth2-oidc-sdk:10.15.1'
+    implementation 'com.nimbusds:oauth2-oidc-sdk:10.15.1'
 
     //Others dependencies
     implementation 'org.jasypt:jasypt:1.9.3'
@@ -168,6 +177,11 @@ configurations {
         // Exclude obsolete and vulnerable jdk15on versions globally
         exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
         exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
+
+        resolutionStrategy {
+            force 'com.nimbusds:nimbus-jose-jwt:10.0.2'
+            force 'com.nimbusds:oauth2-oidc-sdk:10.15.1'
+        }
     }
 }