[risk=low][no ticket] Let Spring handle its own dependencies (and partially upgrade)

api/build.gradle

@@ -20,25 +20,21 @@ buildscript {
     // External properties on the default project. Values declared in ext blocks
     // outside of the buildscript block aren't usable here.
     ext {
+        // Note: Spring versions are handled by plugins.
+        // See the plugins and dependencyManagement blocks below.
+
         GAE_VERSION = '2.0.31'
         GOOGLE_AUTH_LIBRARY_VERSION = '1.30.1'
         GSON_VERSION = '2.11.0'
         HIBERNATE_VERSION = '6.5.2.Final'
         JACKSON_VERSION = '2.18.2'
         LIQUIBASE_VERSION = '4.29.2'
-        // 1.5.7+ results in a runtime error:
-        // Logging system failed to initialize using configuration from 'null'
-        //  java.lang.NoSuchMethodError: 'java.lang.Object ch.qos.logback.classic.LoggerContext.getConfigurationLock()'
-        LOGBACK_VERSION = '1.5.6'
         MAPSTRUCT_VERSION = '1.6.2'
         OKHTTP_VERSION = '4.12.0'
         OPENTELEMETRY_SDK_VERSION = '1.43.0'
         OPENTELEMETRY_JAVA_VERSION = '2.8.0'
         OPENTELEMETRY_GOOGLE_VERSION = '0.31.0'
         SPRINGFOX_VERSION = '3.0.0'
-        SPRING_BOOT_VERSION = '3.3.2'
-        SPRING_FRAMEWORK_VERSION = '6.1.13'
-        SPRING_SECURITY_VERSION = '6.3.3'
         SWAGGER_VERSION = '2.2.25'
     }
 
@@ -53,7 +49,10 @@ plugins {
     id 'java'
     id 'war'
 
-    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
+    id 'io.spring.dependency-management' version '1.1.7'
+    // keep in sync with the dependencyManagement block below
+    id 'org.springframework.boot' version '3.3.7'
+
     id 'com.diffplug.spotless' version '6.23.3'
     id 'com.google.cloud.tools.appengine-appenginewebxml' version '2.8.0'
     id 'com.google.cloud.tools.jib' version '3.4.2'
@@ -68,10 +67,20 @@ plugins {
     // the newer release version and have AoU-specific modifications re-applied.
     id 'org.hidetake.swagger.generator' version '2.19.2'
     id 'org.owasp.dependencycheck' version '8.4.2'
-    id 'org.springframework.boot' version '3.2.4'
     id 'jacoco'
 }
 
+// relates to the Spring plugin io.spring.dependency-management
+// which has BOM-like properties
+dependencyManagement {
+    dependencies {
+        dependency group: 'org.springframework', name: 'spring-core', version: '6.1.16'
+        // keep in sync with the plugin block above
+        dependency group: 'org.springframework.boot', name: 'spring-boot', version: '3.3.7'
+        dependency group: 'org.springframework.security', name: 'spring-security', version: '6.3.6'
+    }
+}
+
 if (System.getenv("ADD_XLINT_DEPRECATION")) {
   allprojects {
     gradle.projectsEvaluated {
@@ -396,8 +405,36 @@ dependencies {
     // package io.swagger.configuration does not exist
     __swaggerCodegenV3__ "io.swagger.codegen.v3:swagger-codegen-cli:3.0.56"
 
-    implementation "ch.qos.logback:logback-classic:$project.ext.LOGBACK_VERSION"
-    implementation "ch.qos.logback:logback-core:$project.ext.LOGBACK_VERSION"
+
+    // Spring versions are set by the dependency management plugin.
+    // See the plugins and dependencyManagement blocks above.
+
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'org.springframework.boot:spring-boot-starter-jdbc'
+    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
+    implementation 'org.springframework.boot:spring-boot-starter-validation'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.retry:spring-retry'
+    implementation 'org.springframework.security:spring-security-core'
+    implementation 'org.springframework.security:spring-security-crypto'
+    implementation 'org.springframework.security:spring-security-web'
+    implementation 'org.springframework:spring-aop'
+    implementation 'org.springframework:spring-aspects'
+    implementation 'org.springframework:spring-beans'
+    implementation 'org.springframework:spring-context'
+    implementation 'org.springframework:spring-core'
+    implementation 'org.springframework:spring-expression'
+    implementation 'org.springframework:spring-jcl'
+    implementation 'org.springframework:spring-jdbc'
+    implementation 'org.springframework:spring-orm'
+    implementation 'org.springframework:spring-test'
+    implementation 'org.springframework:spring-tx'
+    implementation 'org.springframework:spring-web'
+    implementation 'org.springframework:spring-webmvc'
+
+
+
+
     implementation "com.fasterxml.jackson.core:jackson-annotations:$project.ext.JACKSON_VERSION"
     implementation "com.fasterxml.jackson.core:jackson-core:$project.ext.JACKSON_VERSION"
     implementation "com.fasterxml.jackson.core:jackson-databind:$project.ext.JACKSON_VERSION"
@@ -435,7 +472,6 @@ dependencies {
     // 5.4+ results in a runtime error:
     // java.lang.NoSuchMethodError: 'void org.apache.hc.core5.http.impl.io.DefaultHttpRequestWriterFactory.<init>(org.apache.hc.core5.http.config.Http1Config)'
     implementation "org.apache.httpcomponents.client5:httpclient5:5.3.1"
-    implementation "org.springframework.boot:spring-boot-starter-validation:$project.ext.SPRING_BOOT_VERSION"
     implementation 'commons-codec:commons-codec:1.17.0'
     implementation 'com.auth0:java-jwt:4.4.0'
     implementation 'io.netty:netty-common:4.1.117.Final'
@@ -485,25 +521,10 @@ dependencies {
     implementation "org.hibernate.orm:hibernate-community-dialects:$project.ext.HIBERNATE_VERSION"
 
     implementation('org.apache.tomcat:tomcat-jdbc:11.0.0')
-    implementation("org.springframework.boot:spring-boot-starter-tomcat:$project.ext.SPRING_BOOT_VERSION")
-    implementation("org.springframework.boot:spring-boot-starter-jdbc:$project.ext.SPRING_BOOT_VERSION") {
-        exclude group: 'com.zaxxer', module: 'HikariCP'
-    }
 
-    implementation("org.springframework.boot:spring-boot-starter-data-jpa:$project.ext.SPRING_BOOT_VERSION") {
-        exclude module: 'spring-boot-starter-tomcat'
-        exclude group: 'org.slf4j', module: 'jul-to-slf4j'
-    }
 
-    implementation("org.springframework.boot:spring-boot-starter-web:$project.ext.SPRING_BOOT_VERSION") {
-        exclude module: 'spring-boot-starter-tomcat'
-        exclude group: 'org.slf4j', module: 'jul-to-slf4j'
-    }
 
-    implementation "org.springframework.retry:spring-retry"
-    implementation "org.springframework.security:spring-security-core:$project.ext.SPRING_SECURITY_VERSION"
-    implementation "org.springframework.security:spring-security-crypto:$project.ext.SPRING_SECURITY_VERSION"
-    implementation "org.springframework.security:spring-security-web:$project.ext.SPRING_SECURITY_VERSION"
+
 
     // updated versions of transitive dependencies to resolve vulnerabilities
 
@@ -515,22 +536,6 @@ dependencies {
     // https://www.cve.org/CVERecord?id=CVE-2023-2976
     implementation 'com.google.guava:guava:33.4.0-jre'
 
-    // https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
-    implementation "org.springframework:spring-aop:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-aspects:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-beans:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-context:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation("org.springframework:spring-core:$project.ext.SPRING_FRAMEWORK_VERSION") {
-      exclude group: 'org.springframework', module: 'spring-jcl'
-    }
-    implementation "org.springframework:spring-expression:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-jcl:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-jdbc:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-orm:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-test:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-tx:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-web:$project.ext.SPRING_FRAMEWORK_VERSION"
-    implementation "org.springframework:spring-webmvc:$project.ext.SPRING_FRAMEWORK_VERSION"
 
     implementation "org.mapstruct:mapstruct:$project.ext.MAPSTRUCT_VERSION"
     implementation 'jakarta.mail:jakarta.mail-api:2.1.3'
@@ -573,9 +578,9 @@ dependencies {
     // Dependencies for Swagger codegen-generated sources. This should include all dependencies required by Swagger's
     // default okhttp API codegen templates (see https://github.com/swagger-api/swagger-codegen/blob/v2.2.3/samples/client/petstore/spring-stubs/pom.xml)
     // plus any custom templates included in our repo under the SWAGGER_2_TEMPLATE_DIR.
-    generatedCompile "org.springframework.boot:spring-boot-starter-data-rest:$project.ext.SPRING_BOOT_VERSION"
+    generatedCompile 'org.springframework.boot:spring-boot-starter-data-rest:3.3.7'
+    generatedCompile 'org.springframework.boot:spring-boot-starter-validation:3.3.7'
     generatedCompile "io.springfox:springfox-swagger-ui:$project.ext.SPRINGFOX_VERSION"
-    generatedCompile "org.springframework.boot:spring-boot-starter-validation:$project.ext.SPRING_BOOT_VERSION"
     generatedCompile "com.squareup.okhttp3:okhttp:$project.ext.OKHTTP_VERSION"
     generatedCompile "com.squareup.okhttp3:logging-interceptor:$project.ext.OKHTTP_VERSION"
     generatedCompile "com.google.code.gson:gson:$project.ext.GSON_VERSION"
@@ -610,7 +615,7 @@ dependencies {
     testImplementation 'org.bitbucket.radistao.test:before-after-spring-test-runner:0.1.0'
 
     // Test deps
-    testImplementation("org.springframework.boot:spring-boot-starter-test:$project.ext.SPRING_BOOT_VERSION") {
+    testImplementation("org.springframework.boot:spring-boot-starter-test:3.3.7") {
         exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
         exclude group: 'com.vaadin.external.google', module: 'android-json'
     }