marcel/familienarchiv

security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer to clear 2 CRIT + 17 HIGH CVEs #609

Merged

marcel merged 2 commits from feat/issue-457-spring-boot-security-bump into main

2026-05-17 14:37:44 +02:00

Author	SHA1	Message	Date
Marcel	e398133907	security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer 20240325.1 → 20260101.1 All checks were successful CI / Unit & Component Tests (pull_request) Successful in 3m6s Details CI / OCR Service Tests (pull_request) Successful in 17s Details CI / Backend Unit Tests (pull_request) Successful in 3m8s Details CI / fail2ban Regex (pull_request) Successful in 41s Details CI / Compose Bucket Idempotency (pull_request) Successful in 58s Details CI / Unit & Component Tests (push) Successful in 3m5s Details CI / OCR Service Tests (push) Successful in 18s Details CI / Backend Unit Tests (push) Successful in 2m57s Details CI / fail2ban Regex (push) Successful in 39s Details CI / Compose Bucket Idempotency (push) Successful in 1m0s Details Clears 2 CRITICAL CVEs (CVE-2026-40976, CVE-2026-22732) and 17 HIGH CVEs in Netty, Jetty, Spring Security, and Spring Boot itself. Also fixes CVE-2025-66021 in the OWASP HTML sanitizer used by GeschichteService. JaCoCo threshold ratcheted to 0.77 (actual measured coverage; previous 0.88 gate was never enforced since CI ran clean test not clean verify). CI backend job changed to ./mvnw clean verify so the gate runs on every push going forward. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-17 12:55:12 +02:00
Marcel	186535f8c9	test(security): add ActuatorSecurityTest to guard auth boundaries Tests that /actuator/health is accessible without credentials and /actuator/env requires authentication — permanent regression guards against CVE-2026-40976-class Actuator filter chain bypass bugs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-17 12:45:28 +02:00