Update Spring AI to 2.0.0-M4 (#1316)

Author: labkey-adam

build.gradle

@@ -59,6 +59,7 @@ allprojects {
         JavaCompile compile ->
             compile.options.incremental = true  // Gradle 3.4
             compile.options.encoding = 'UTF-8'
+            compile.options.compilerArgs << '-parameters'  // Preserve method parameter names for Spring AI reflection
     }
 }
 
@@ -317,7 +318,7 @@ allprojects {
                     // Reactor - transitive dependency via azure-core; force for version consistency across modules
                     force "io.projectreactor:reactor-core:${reactorCoreVersion}"
 
-                    // Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735
+                    // Netty - transitive dependency via azure-core-http-netty; force for various CVEs
                     force "io.netty:netty-buffer:${nettyVersion}"
                     force "io.netty:netty-codec:${nettyVersion}"
                     force "io.netty:netty-codec-dns:${nettyVersion}"
@@ -375,6 +376,14 @@ allprojects {
                     // Force consistency for dependencies from pipeline and query
                     force "org.dom4j:dom4j:${dom4jVersion}"
 
+                    // Force spring-ai components to bring in spring-* versions that match the rest of spring
+                    force "org.springframework:spring-context-support:${springVersion}"
+                    force "org.springframework:spring-messaging:${springVersion}"
+                    force "org.springframework:spring-webflux:${springVersion}"
+
+                    // spring-ai dependency. Force to mitigate a CVE.
+                    force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
+
                     // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -390,6 +399,9 @@ allprojects {
                     // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
                     force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
 
+                    // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+                    force "tools.jackson.core:jackson-core:${jackson3Version}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

dependencyCheckSuppression.xml

@@ -283,4 +283,24 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
+
+    <!--
+    False-positives
+    https://github.com/dependency-check/DependencyCheck/issues/8391
+    https://github.com/dependency-check/DependencyCheck/issues/8392
+    -->
+    <suppress>
+        <notes><![CDATA[
+   file name: mcp-spring-webmvc-2.0.0-M3.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: mcp-spring-webmvc-2.0.0-M3.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:vmware_server</cpe>
+    </suppress>
 </suppressions>

gradle.properties

@@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=7.1.0
-gradlePluginsVersion=7.3.1
+gradlePluginsVersion=8.0.0
 owaspDependencyCheckPluginVersion=12.2.0
 
 # Versions of node and npm to use during the build. If set, these versions
@@ -261,10 +261,13 @@ luceneVersion=10.4.0
 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
 microsoftGraphVersion=6.59.0
 
+# Spring-AI dependency that's showing a CVE
+modelContextProtocolVersion=1.1.1
+
 mssqlJdbcVersion=13.2.1.jre11
 
-# Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735
-nettyVersion=4.2.8.Final
+# Netty - transitive dependency via azure-core-http-netty; force to mitigate multiple CVEs in older versions
+nettyVersion=4.2.12.Final
 # Reactor - transitive dependency via azure-core; force for version consistency across modules
 reactorCoreVersion=3.8.1
 
@@ -305,10 +308,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M4
 
 sqliteJdbcVersion=3.51.2.0