chore: Maintenance (#1928)

- Update all dependencies
- Suppress CVEs in Netty and Azure dependencies
- Change workflow to reduce Sonatype Guide usage
- Set service versions to V7.6 in tests and Lowkey Vault clients

{patch}

Signed-off-by: Esta Nagy <nagyesta@gmail.com>

Author: nagyesta

.github/workflows/gradle-dependency-check.yml

@@ -41,7 +41,14 @@ jobs:
           key: gradle-build-dependency-check
           restore-keys: |
             gradle-build-dependency-check
-      - name: Check dependencies with Gradle
+      - name: Check dependencies with Gradle (if not scheduled)
+        if: ${{ github.event_name != 'schedule' }}
+        run: >
+          ./gradlew dependencyCheckAnalyze 
+          -PnvdApiKey=${{ secrets.NVD_API_KEY }} 
+          --no-parallel
+      - name: Check dependencies with Gradle (if scheduled)
+        if: ${{ github.event_name == 'schedule' }}
         run: >
           ./gradlew dependencyCheckAnalyze 
           -PnvdApiKey=${{ secrets.NVD_API_KEY }} 

build.gradle.kts

@@ -284,12 +284,14 @@ allprojects {
     if (project.name != "lowkey-vault-docker") {
         dependencyCheck {
             nvd.apiKey.set(rootProject.extra.get("nvdApiKey").toString())
-            analyzers.ossIndex.enabled.set(true)
-            analyzers.ossIndex.username = rootProject.extra.get("ossIndexUser").toString()
-            analyzers.ossIndex.password = rootProject.extra.get("ossIndexPass").toString()
-            analyzers.ossIndex.url = "https://api.guide.sonatype.com"
+            if (rootProject.extra.get("ossIndexUser") != "" && rootProject.extra.get("ossIndexPass") != "") {
+                analyzers.ossIndex.enabled.set(true)
+                analyzers.ossIndex.username = rootProject.extra.get("ossIndexUser").toString()
+                analyzers.ossIndex.password = rootProject.extra.get("ossIndexPass").toString()
+                analyzers.ossIndex.url = "https://api.guide.sonatype.com"
+                cache.ossIndex.set(true)
+            }
             analyzers.retirejs.enabled.set(false)
-            cache.ossIndex.set(true)
             cache.central.set(true)
             cache.nodeAudit.set(true)
             failBuildOnCVSS.set(1.0f)

config/dependency-check/suppressions.xml

@@ -79,4 +79,24 @@
     <packageUrl regex="true">^pkg:maven/io\.netty/netty-.+@.+$</packageUrl>
     <vulnerabilityName>CVE-2026-42585</vulnerabilityName>
   </suppress>
+  <suppress>
+    <notes>Transitive dependency, not relevant for the intended use-case.</notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.+@.+$</packageUrl>
+    <vulnerabilityName>CVE-2026-42582</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes>Transitive dependency, not relevant for the intended use-case.</notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.+@.+$</packageUrl>
+    <vulnerabilityName>CVE-2026-44248</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes>Transitive dependency, not relevant for the intended use-case.</notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty-.+@.+$</packageUrl>
+    <vulnerabilityName>CVE-2026-42586</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes>Probably false positive, already updated clients to latest</notes>
+    <packageUrl regex="true">^pkg:maven/com\.azure/azure-.+@.+$</packageUrl>
+    <vulnerabilityName>CVE-2026-33117</vulnerabilityName>
+  </suppress>
 </suppressions>

gradle/libs.versions.toml

@@ -5,7 +5,7 @@ snakeYaml = "2.6"
 mapstruct = "1.6.3"
 tomcat = "11.0.22"
 jjwt = "0.13.0"
-logback = "1.5.33"
+logback = "1.5.34"
 bouncycastle = "1.84"
 hibernateValidator = "9.1.0.Final"
 jspecify = "1.0.0"
@@ -14,19 +14,19 @@ handlebars = "4.5.1"
 httpClient = "4.5.14"
 commonsCodec = "1.22.0"
 commonsCompress = "1.28.0"
-azureKeyVaultKeyClient = "4.10.7"
-azureKeyVaultSecretsClient = "4.10.7"
-azureKeyVaultCertClient = "4.8.7"
+azureKeyVaultKeyClient = "4.11.0"
+azureKeyVaultSecretsClient = "4.11.0"
+azureKeyVaultCertClient = "4.9.0"
 testcontainers = "2.0.5"
 mysqlDriver = "9.7.0"
 cucumber = "7.34.3"
 mockitoCore = "5.23.0"
 jupiter = "6.1.0"
-abortMission = "7.1.7"
+abortMission = "7.1.23"
 checkstyle = "12.3.1"
 jacoco = "0.8.14"
-jackson = { strictly = "3.1.3" }
-jacksonAnnotations = { strictly = "2.21" }
+jackson = { strictly = "3.1.4" }
+jacksonAnnotations = { strictly = "2.22" }
 openApiUi = "3.0.3"
 
 abortMissionPlugin = "5.2.53"
@@ -37,7 +37,7 @@ owaspPlugin = "12.2.2"
 cycloneDxBomPlugin = "3.2.4"
 licenseePlugin = "1.14.1"
 nexusPublishPlugin = "2.0.0"
-sonarPlugin = "7.3.0.8198"
+sonarPlugin = "7.3.1.8318"
 
 [libraries]
 spring-boot-starter = { module = "org.springframework.boot:spring-boot-starter", version.ref = "springBoot" }

gradle/verification-metadata.xml

@@ -77,6 +77,11 @@
             <sha256 value="6d9ab1406e884084105940fe71378b53d2fe3b4806d856945703a27216014c97" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="ch.qos.logback" name="logback-classic" version="1.5.34">
+         <artifact name="logback-classic-1.5.34.jar">
+            <sha256 value="b65e05076a5c1aadb659b4fe4bc5fee31cb26cd70390292eb03e4a7a24cff10f" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="ch.qos.logback" name="logback-core" version="1.5.23">
          <artifact name="logback-core-1.5.23.jar">
             <sha256 value="c07ee90df0c49d8890bfbe9844d34324f2751b81caf69cd84caddcc1f6107400" origin="Generated by Gradle"/>
@@ -127,6 +132,11 @@
             <sha256 value="48b106f3abf3498eff7e59406a15226f351cf9c625017652e63c346a07011d81" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="ch.qos.logback" name="logback-core" version="1.5.34">
+         <artifact name="logback-core-1.5.34.jar">
+            <sha256 value="42eda264c0c650c2bec59e66151a88b708a8663dc1b49d788202d53e78b8caae" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.azure" name="azure-core" version="1.57.0">
          <artifact name="azure-core-1.57.0.jar">
             <sha256 value="32b479b85ac12ec624d42551cc210834c98ca2b623b2ee0c777debac3adbddaa" origin="Generated by Gradle"/>
@@ -187,6 +197,11 @@
             <sha256 value="59fe5530aa4ed5b55d3edfb8caf7659f6259818fb34eeb76cbfbbfffec9fe32a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.azure" name="azure-security-keyvault-certificates" version="4.9.0">
+         <artifact name="azure-security-keyvault-certificates-4.9.0.jar">
+            <sha256 value="e28c2423dd8ce91ebeaaec3f62c9fe90306ad742a27ed02342fcbb9e3c2801b5" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.azure" name="azure-security-keyvault-keys" version="4.10.4">
          <artifact name="azure-security-keyvault-keys-4.10.4.jar">
             <sha256 value="3d4599b4cc343ca36c612beb96a232b9a4f856eb8a39100816a11e448fe29dfd" origin="Generated by Gradle"/>
@@ -207,6 +222,11 @@
             <sha256 value="705229bc4b7513e91eac91df4cbdd92a84ab86738dfe61955c8c5006d0c61a3a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.azure" name="azure-security-keyvault-keys" version="4.11.0">
+         <artifact name="azure-security-keyvault-keys-4.11.0.jar">
+            <sha256 value="a26b68cf04999cd755ff46c03a00defcacac699019b93dc2711c8f31fdc7fbe3" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.azure" name="azure-security-keyvault-secrets" version="4.10.4">
          <artifact name="azure-security-keyvault-secrets-4.10.4.jar">
             <sha256 value="317b9609dd427c219cf18d8b571299ae282adf186c09408cd7e1eea73b76f8bb" origin="Generated by Gradle"/>
@@ -227,6 +247,11 @@
             <sha256 value="162c14ceae9ea4a839ee040da0829a2f390b6b4e3e99a1d709470a4c5801897c" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.azure" name="azure-security-keyvault-secrets" version="4.11.0">
+         <artifact name="azure-security-keyvault-secrets-4.11.0.jar">
+            <sha256 value="eef9a441d2b7d8a11cd2f7fb78d2e5ccb7f24425aa0c76dfaeae637e28c84852" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.azure" name="azure-xml" version="1.2.0">
          <artifact name="azure-xml-1.2.0.jar">
             <sha256 value="69d9559c561d3125bfd2bf9b5248601e442902bc755d935dde3edba97dc0d931" origin="Generated by Gradle"/>
@@ -272,6 +297,11 @@
             <sha256 value="53ca085f4a150f703f49e1aabd935bd03b43e1ea3d55d135438292af22cef56b" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.22">
+         <artifact name="jackson-annotations-2.22.jar">
+            <sha256 value="21ddb598807d3a51a876704eb979d9296e1c6a6f47ab1826ff88c6d6a127a2d0" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.18.4.1">
          <artifact name="jackson-core-2.18.4.1.jar">
             <sha256 value="56934543aee549896c1c665b1a58400ec1076562fb5407f53270ecafc120af3a" origin="Generated by Gradle"/>
@@ -567,6 +597,11 @@
             <sha256 value="8bdba62a0ee5b2a79e7bd7b4822237d4f0a125f1a7ae38b60ec85ae7ab4880e2" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.github.nagyesta.abort-mission" name="abort.mission-control" version="7.1.23">
+         <artifact name="abort.mission-control-7.1.23.jar">
+            <sha256 value="d3590a4e606b2111b28ead3f3cb80f48cf0ea54959a86bad309b47e06a288b0d" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.github.nagyesta.abort-mission" name="abort.mission-control" version="7.1.7">
          <artifact name="abort.mission-control-7.1.7.jar">
             <sha256 value="e37d05c2dc60e1ecc8bc279e2bcf39dbc0bb291a7aae89c5b8b96a38fa06b7ef" origin="Generated by Gradle"/>
@@ -612,6 +647,11 @@
             <sha256 value="c4df10d17fc1e58fd5c76a1ceef005821d4ed14fde042848fd15e0ec9ee60bc5" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.github.nagyesta.abort-mission.boosters" name="abort.booster-cucumber-jvm" version="7.1.23">
+         <artifact name="abort.booster-cucumber-jvm-7.1.23.jar">
+            <sha256 value="5cf8aaffaecc4a074196caff8d1496059ec1e4aed92dd71abeb3e14d9baf63c3" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.github.nagyesta.abort-mission.boosters" name="abort.booster-cucumber-jvm" version="7.1.7">
          <artifact name="abort.booster-cucumber-jvm-7.1.7.jar">
             <sha256 value="5a1103f45c935048133072361bcd02832c0697bfc63485e1c9b5243e0b1f24d5" origin="Generated by Gradle"/>
@@ -657,6 +697,11 @@
             <sha256 value="e88ed8a1ab256b904e4233044024cf1e3f25ac4cc2416d8893664adb4bfddc50" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.github.nagyesta.abort-mission.boosters" name="abort.booster-junit-jupiter" version="7.1.23">
+         <artifact name="abort.booster-junit-jupiter-7.1.23.jar">
+            <sha256 value="0cedb0007a9319f4101960a57fa5e5e852db21f38119ebd89be265027d4852ea" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.github.nagyesta.abort-mission.boosters" name="abort.booster-junit-jupiter" version="7.1.7">
          <artifact name="abort.booster-junit-jupiter-7.1.7.jar">
             <sha256 value="3a627762eab8f98751c18bbe61fb766a609a13a9641f382676f77b6ef0923c5d" origin="Generated by Gradle"/>
@@ -702,6 +747,11 @@
             <sha256 value="c0e6643a87938e5ca5e95999e500499a34e396196b4345e3cb01787a54723f22" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.github.nagyesta.abort-mission.reports" name="abort.flight-evaluation-report" version="7.1.23">
+         <artifact name="abort.flight-evaluation-report-7.1.23.jar">
+            <sha256 value="b7833b068efb02836dde71809913f38a048ad5311b279c11af999c0ae902b18e" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.github.nagyesta.abort-mission.reports" name="abort.flight-evaluation-report" version="7.1.7">
          <artifact name="abort.flight-evaluation-report-7.1.7.jar">
             <sha256 value="711b6b0a0273b4c137eafed37cff132304f480442dbff5f4a2ec1e59c1d812f3" origin="Generated by Gradle"/>
@@ -3402,6 +3452,11 @@
             <sha256 value="7b751d952061954d5abfed7181c1f645d336091b679891591d63329c622eb832" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.slf4j" name="slf4j-api" version="2.0.18">
+         <artifact name="slf4j-api-2.0.18.jar">
+            <sha256 value="44508fd1576500688c790b190acdd16fec4f8c79a3e0b900afd70503cf055f55" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.slf4j" name="slf4j-simple" version="2.0.17">
          <artifact name="slf4j-simple-2.0.17.jar">
             <sha256 value="ddfea59ac074c6d3e24ac2c38622d2d963895e17f70b38ed4bdae4d780be6964" origin="Generated by Gradle"/>
@@ -3422,6 +3477,11 @@
             <sha256 value="cd00843dc609f5b08231388e1f7d83d13b42f01e1d9bbcf37510a6928f7cd278" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.sonarsource.scanner.gradle" name="sonarqube-gradle-plugin" version="7.3.1.8318">
+         <artifact name="sonarqube-gradle-plugin-7.3.1.8318.jar">
+            <sha256 value="d1c22a9ae0b08de5a5092c27faf6ab7447263b7b90af7c40dc5352343089443c" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.sonarsource.scanner.lib" name="sonar-scanner-download-cache" version="4.0.1.1587">
          <artifact name="sonar-scanner-download-cache-4.0.1.1587.jar">
             <sha256 value="d64cc2cee46c48fffac89ee68a9be3c93484b00b01c721d11cb709aa59a01c01" origin="Generated by Gradle"/>
@@ -4698,6 +4758,11 @@
             <sha256 value="e85ded25f75d8dabef7aa09fc155ef616f0a97e96bef6615f7a7800c2a76c6ef" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="tools.jackson.core" name="jackson-core" version="3.1.4">
+         <artifact name="jackson-core-3.1.4.jar">
+            <sha256 value="3bda1cd6eff0a8d47bdfcaeae7c2bd5311d6c8ed494ef5f3e51029bb44aa9bdf" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="tools.jackson.core" name="jackson-databind" version="3.0.3">
          <artifact name="jackson-databind-3.0.3.jar">
             <sha256 value="dfbb79130910decf063125c1e693a39c5ec8fb8b478d7f39671901d47ce7f6a2" origin="Generated by Gradle"/>
@@ -4728,6 +4793,11 @@
             <sha256 value="aeddf2462d4783a1b16f6ff1e242582a76edd9ccd69b6b6386905c65a4ec6077" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="tools.jackson.core" name="jackson-databind" version="3.1.4">
+         <artifact name="jackson-databind-3.1.4.jar">
+            <sha256 value="14034bfdf392b6ebec1b4bb6c1de29d604f0aa97251259a19d5f19af8719bb20" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="tools.jackson.dataformat" name="jackson-dataformat-xml" version="3.0.3">
          <artifact name="jackson-dataformat-xml-3.0.3.jar">
             <sha256 value="6355fdefc86df07d122221081ffdf4eb9f7f5d3762a5f667723bbbc999567a14" origin="Generated by Gradle"/>
@@ -4758,6 +4828,11 @@
             <sha256 value="b089e6d9d3bbbe2b569c9f8fa208545ada2a2352e590e8d71085e287c67e799b" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="tools.jackson.dataformat" name="jackson-dataformat-xml" version="3.1.4">
+         <artifact name="jackson-dataformat-xml-3.1.4.jar">
+            <sha256 value="840309252329c79dedc84b45179bc976934619d17c96cee69f4e07380d7e8705" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="us.springett" name="cpe-parser" version="3.0.1">
          <artifact name="cpe-parser-3.0.1.jar">
             <sha256 value="f98a50dce0a381e08f0f0ac067801c7f4c51dc7f8f1fe7a3c9960c684a809705" origin="Generated by Gradle"/>

lowkey-vault-client/src/main/java/com/github/nagyesta/lowkeyvault/http/ApacheHttpClientProvider.java

@@ -111,55 +111,55 @@ public LowkeyVaultManagementClient getLowkeyVaultManagementClient(final ObjectMa
     }
 
     public KeyAsyncClient getKeyAsyncClient() {
-        return getKeyAsyncClient(KeyServiceVersion.V7_4);
+        return getKeyAsyncClient(KeyServiceVersion.V7_6);
     }
 
     public KeyAsyncClient getKeyAsyncClient(final KeyServiceVersion version) {
         return getKeyBuilder().serviceVersion(version).buildAsyncClient();
     }
 
     public KeyClient getKeyClient() {
-        return getKeyClient(KeyServiceVersion.V7_4);
+        return getKeyClient(KeyServiceVersion.V7_6);
     }
 
     public KeyClient getKeyClient(final KeyServiceVersion version) {
         return getKeyBuilder().serviceVersion(version).buildClient();
     }
 
     public CertificateAsyncClient getCertificateAsyncClient() {
-        return getCertificateAsyncClient(CertificateServiceVersion.V7_4);
+        return getCertificateAsyncClient(CertificateServiceVersion.V7_6);
     }
 
     public CertificateAsyncClient getCertificateAsyncClient(final CertificateServiceVersion version) {
         return getCertificateBuilder().serviceVersion(version).buildAsyncClient();
     }
 
     public CertificateClient getCertificateClient() {
-        return getCertificateClient(CertificateServiceVersion.V7_4);
+        return getCertificateClient(CertificateServiceVersion.V7_6);
     }
 
     public CertificateClient getCertificateClient(final CertificateServiceVersion version) {
         return getCertificateBuilder().serviceVersion(version).buildClient();
     }
 
     public SecretAsyncClient getSecretAsyncClient() {
-        return getSecretAsyncClient(SecretServiceVersion.V7_4);
+        return getSecretAsyncClient(SecretServiceVersion.V7_6);
     }
 
     public SecretAsyncClient getSecretAsyncClient(final SecretServiceVersion version) {
         return getSecretBuilder().serviceVersion(version).buildAsyncClient();
     }
 
     public SecretClient getSecretClient() {
-        return getSecretClient(SecretServiceVersion.V7_4);
+        return getSecretClient(SecretServiceVersion.V7_6);
     }
 
     public SecretClient getSecretClient(final SecretServiceVersion version) {
         return getSecretBuilder().serviceVersion(version).buildClient();
     }
 
     public CryptographyAsyncClient getCryptoAsyncClient(final String webKeyId) {
-        return getCryptoAsyncClient(webKeyId, CryptographyServiceVersion.V7_4);
+        return getCryptoAsyncClient(webKeyId, CryptographyServiceVersion.V7_6);
     }
 
     public CryptographyAsyncClient getCryptoAsyncClient(
@@ -169,7 +169,7 @@ public CryptographyAsyncClient getCryptoAsyncClient(
     }
 
     public CryptographyClient getCryptoClient(final String webKeyId) {
-        return getCryptoClient(webKeyId, CryptographyServiceVersion.V7_4);
+        return getCryptoClient(webKeyId, CryptographyServiceVersion.V7_6);
     }
 
     public CryptographyClient getCryptoClient(