Enforce dependency convergence.

Add `dependencyConvergence` rule to `maven-enforcer-plugin`
avoiding multiple versions of the same transitive dependency
in different modules.

Dependencies forced to a given version are confined to the
`dependencyConvergence` maven profile.

Dependency upgrades to avoid CVE's are confined to the `cve`
maven profile.

.env

@@ -3,7 +3,7 @@ COMPOSE_PROJECT_NAME=gscloud
 TAG=1.3-SNAPSHOT
 GS_USER="1000:1000"
 BASE_PATH=/geoserver/cloud
-DEFAULT_PROFILES="debug"
+DEFAULT_PROFILES="default"
 EUREKA_SERVER_URL=http://discovery:8761/eureka
 JDBCCONFIG_DBNAME=geoserver_config
 JDBCCONFIG_URL=jdbc:postgresql://database:5432/${JDBCCONFIG_DBNAME}

src/pom.xml

@@ -28,8 +28,10 @@
     <gs.community.version>2.23-CLOUD</gs.community.version>
     <gt.version>29-SNAPSHOT</gt.version>
     <acl.version>1.0.1</acl.version>
-    <!-- downgrade netty.version used by spring-boot to the one used by geoserver azure client -->
-    <!-- (software.amazon.awssdk:netty-nio-client:jar:2.9.24) for COG and GWC Azure plugin -->
+    <!-- downgrade netty.version used by spring-boot to the one used by
+		geoserver azure client -->
+    <!-- (software.amazon.awssdk:netty-nio-client:jar:2.9.24) for COG and
+		GWC Azure plugin -->
     <netty.version>4.1.41.Final</netty.version>
     <lombok.version>1.18.24</lombok.version>
     <mapstruct.version>1.4.2.Final</mapstruct.version>
@@ -40,19 +42,30 @@
     <!-- Set docker.image.name on each service pom -->
     <docker.image.name>change_me</docker.image.name>
     <docker.image.repository>${docker.image.prefix}/${docker.image.name}</docker.image.repository>
-    <!-- set dockerfile.skip to false in service projects to we can run mvn dockerfile:build from the root directory -->
+    <!-- set dockerfile.skip to false in service projects to we can run mvn
+		dockerfile:build from the root directory -->
     <dockerfile.skip>true</dockerfile.skip>
     <dockerfile.build.pullNewerImage>false</dockerfile.build.pullNewerImage>
     <dockerfile.push.skip>true</dockerfile.push.skip>
     <!-- 
-    aws.version overrides the old version provided by gs-cog->imageio-ext-cog (2.9.24), which
-    doesn't support IAM roles for service accounts (min version 2.10.11 as explained in
-    https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html)
+    aws.version overrides the old version provided by gs-cog->imageio-ext-cog
+		(2.9.24), which
+    doesn't support IAM roles for service accounts (min version 2.10.11 as
+		explained in
+		https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html)
     -->
-    <aws.version>2.20.73</aws.version>
+    <aws.version>2.20.117</aws.version>
   </properties>
   <dependencyManagement>
+    <!-- Note dependencies added purely to satisfy the dependencyConvergence maven-enforcer-plugin rule are in the dependencyConvergence maven profile -->
     <dependencies>
+      <dependency>
+        <!-- Upgrade to snakeyaml 2.0 to get rid of several CVE's from
+				the 1.30 version included with spring-boot -->
+        <groupId>org.yaml</groupId>
+        <artifactId>snakeyaml</artifactId>
+        <version>2.0</version>
+      </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-bom</artifactId>
@@ -62,19 +75,13 @@
       </dependency>
       <dependency>
         <!-- Upgrade jackson from the 2.13.5 version provided by spring-boot to 2.14.2 which supports snakeyaml 2.0 -->
-        <!-- Note the trick for it to take effect and override all jackson deps is to declare it before the spring-boot bom -->
+        <!-- Note the trick for it to take effect and override all  deps is to declare it before the spring-boot bom -->
         <groupId>com.fasterxml.jackson</groupId>
         <artifactId>jackson-bom</artifactId>
         <version>${jackson.version}</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <!-- Upgrade to snakeyaml 2.0 to get rid of several CVE's from the 1.30 version included with spring-boot -->
-        <groupId>org.yaml</groupId>
-        <artifactId>snakeyaml</artifactId>
-        <version>2.0</version>
-      </dependency>
       <dependency>
         <groupId>org.springframework.cloud</groupId>
         <artifactId>spring-cloud-dependencies</artifactId>
@@ -578,7 +585,8 @@
         <groupId>org.geoserver.importer</groupId>
         <artifactId>gs-importer-core</artifactId>
         <version>${gs.version}</version>
-        <!-- exclude data formats, let them be managed by the ones explicitly imported by the service that uses it -->
+        <!-- exclude data formats, let them be managed by the ones
+				explicitly imported by the service that uses it -->
         <exclusions>
           <exclusion>
             <groupId>org.geotools</groupId>
@@ -659,13 +667,13 @@
         </exclusions>
       </dependency>
       <dependency>
-        <!--- Override  old aws version withou support for "IAM roles for service accounts" -->
+        <!--- Override  old aws version without support for "IAM roles for service accounts" -->
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>s3</artifactId>
         <version>${aws.version}</version>
       </dependency>
       <dependency>
-        <!--- Override  old aws version withou support for "IAM roles for service accounts" -->
+        <!--- Override  old aws version without support for "IAM roles for service accounts" -->
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>auth</artifactId>
         <version>${aws.version}</version>
@@ -909,10 +917,10 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.3.0</version>
         <executions>
           <execution>
-            <id>enforce-maven-and-java</id>
+            <id>enforce</id>
             <goals>
               <goal>enforce</goal>
             </goals>
@@ -924,6 +932,9 @@
                 <requireMavenVersion>
                   <version>[3.6.3,)</version>
                 </requireMavenVersion>
+                <dependencyConvergence>
+                  <excludedScopes>test</excludedScopes>
+                </dependencyConvergence>
               </rules>
             </configuration>
           </execution>
@@ -950,4 +961,249 @@
       </plugin>
     </plugins>
   </build>
+  <profiles>
+    <!-- Section to satisfy enforcer-maven-plugin's dependencyConvergence		rule -->
+    <!-- and make sure there are no duplicate dependencies with conflicting		version numbers-->
+    <profile>
+      <id>dependencyConvergence</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <dependencyManagement>
+        <dependencies>
+          <dependency>
+            <groupId>org.locationtech.jts</groupId>
+            <artifactId>jts-core</artifactId>
+            <version>1.19.0</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>32.1.1-jre</version>
+          </dependency>
+          <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.4</version>
+          </dependency>
+          <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+          </dependency>
+          <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+          </dependency>
+          <dependency>
+            <groupId>commons-logging</groupId>
+            <artifactId>commons-logging</artifactId>
+            <version>1.2</version>
+          </dependency>
+          <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.12.0</version>
+          </dependency>
+          <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+          </dependency>
+          <dependency>
+            <groupId>org.codehaus.jettison</groupId>
+            <artifactId>jettison</artifactId>
+            <version>1.5.4</version>
+          </dependency>
+          <dependency>
+            <groupId>javax.measure</groupId>
+            <artifactId>unit-api</artifactId>
+            <version>2.1.3</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>findbugs</artifactId>
+            <version>3.0.1</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>jsr305</artifactId>
+            <version>3.0.2</version>
+          </dependency>
+          <dependency>
+            <groupId>org.checkerframework</groupId>
+            <artifactId>checker-qual</artifactId>
+            <version>3.33.0</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.errorprone</groupId>
+            <artifactId>error_prone_annotations</artifactId>
+            <version>2.18.0</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.j2objc</groupId>
+            <artifactId>j2objc-annotations</artifactId>
+            <version>2.8</version>
+          </dependency>
+          <dependency>
+            <groupId>org.apache.wicket</groupId>
+            <artifactId>wicket-core</artifactId>
+            <version>7.18.0</version>
+          </dependency>
+          <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.20</version>
+          </dependency>
+          <dependency>
+            <groupId>com.fasterxml.woodstox</groupId>
+            <artifactId>woodstox-core</artifactId>
+            <version>6.5.1</version>
+          </dependency>
+          <dependency>
+            <groupId>com.netflix.servo</groupId>
+            <artifactId>servo-core</artifactId>
+            <version>0.12.21</version>
+          </dependency>
+          <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-core</artifactId>
+            <version>1.19.4</version>
+          </dependency>
+          <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-client</artifactId>
+            <version>1.19.4</version>
+          </dependency>
+          <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <version>1.19.4</version>
+          </dependency>
+          <dependency>
+            <groupId>joda-time</groupId>
+            <artifactId>joda-time</artifactId>
+            <version>2.10.13</version>
+          </dependency>
+          <dependency>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm</artifactId>
+            <version>9.5</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.19.4</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-buffer</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec-http</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec-http2</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec-socks</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-common</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler-proxy</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-resolver</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-transport</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+          <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-transport-native-unix-common</artifactId>
+            <version>4.1.94.Final</version>
+          </dependency>
+        </dependencies>
+      </dependencyManagement>
+    </profile>
+    <profile>
+      <id>cve</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <dependencyManagement>
+        <dependencies>
+          <dependency>
+            <groupId>com.amazonaws</groupId>
+            <artifactId>aws-java-sdk-s3</artifactId>
+            <version>1.12.520</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.oauth-client</groupId>
+            <artifactId>google-oauth-client</artifactId>
+            <version>1.34.1</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client-gson</artifactId>
+            <version>1.42.0</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.23.4</version>
+          </dependency>
+          <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java-util</artifactId>
+            <version>3.23.4</version>
+          </dependency>
+          <dependency>
+            <groupId>org.hsqldb</groupId>
+            <artifactId>hsqldb</artifactId>
+            <version>2.7.2</version>
+          </dependency>
+          <dependency>
+            <groupId>org.xerial</groupId>
+            <artifactId>sqlite-jdbc</artifactId>
+            <version>3.42.0.0</version>
+          </dependency>
+          <dependency>
+            <!-- actually to get rid of its com.squareup.okio:okio:2.8.0 dependency -->
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>4.10.0</version>
+          </dependency>
+        </dependencies>
+      </dependencyManagement>
+    </profile>
+  </profiles>
 </project>

src/starters/event-bus/pom.xml

@@ -17,18 +17,6 @@
     <dependency>
       <groupId>org.springframework.cloud</groupId>
       <artifactId>spring-cloud-starter-bus-amqp</artifactId>
-      <exclusions>
-        <exclusion>
-          <groupId>org.jsoup</groupId>
-          <!-- trivy: Upgrade jsoup version carried over by spring-cloud-starter-bus-amqp:3.1.0 due to CVE-2021-37714 -->
-          <artifactId>jsoup</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.jsoup</groupId>
-      <artifactId>jsoup</artifactId>
-      <version>1.14.3</version>
     </dependency>
   </dependencies>
 </project>