From f1bd36691dbdac8894acc977aeb7a439627d1282 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 20 Mar 2026 12:34:41 -0700 Subject: [PATCH 01/12] Update Spring AI to 2.0.0-M3 --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 2b26e3b577..cd38938de3 100644 --- a/gradle.properties +++ b/gradle.properties @@ -308,7 +308,7 @@ snappyJavaVersion=1.1.10.8 springBootVersion=4.0.3 # This usually matches the Spring Framework version dictated by springBootVersion springVersion=7.0.5 -springAiVersion=2.0.0-M2 +springAiVersion=2.0.0-M3 sqliteJdbcVersion=3.51.2.0 From 177a5842a5777c2d3951c12f84108db8823e4f86 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Sun, 22 Mar 2026 13:39:38 -0700 Subject: [PATCH 02/12] Force ByteBuddy version to avoid conflict --- build.gradle | 3 +++ gradle.properties | 2 ++ 2 files changed, 5 insertions(+) diff --git a/build.gradle b/build.gradle index d7d6ec57d5..8196d2c164 100644 --- a/build.gradle +++ b/build.gradle @@ -314,6 +314,9 @@ allprojects { force "net.java.dev.jna:jna:${jnaVersion}" force "net.java.dev.jna:jna-platform:${jnaVersion}" + // Spring AI 2.0 and Duo SDK bring in different versions + force "net.bytebuddy:byte-buddy:${byteBuddyVersion}" + // Reactor - transitive dependency via azure-core; force for version consistency across modules force "io.projectreactor:reactor-core:${reactorCoreVersion}" diff --git a/gradle.properties b/gradle.properties index cd38938de3..d2bfba6ea5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -117,6 +117,8 @@ batikVersion=1.19 bouncycastlePgpVersion=1.83 bouncycastleVersion=1.83 +byteBuddyVersion=1.18.7 + cglibNodepVersion=2.2.3 checkerQualVersion=3.53.0 From 80cc90910a7c16abfae04eab775605efcdcfc1cf Mon Sep 17 00:00:00 2001 
From: Adam Rauch Date: Sun, 22 Mar 2026 14:59:13 -0700 Subject: [PATCH 03/12] Force Jackson3 and upgrade Spring versions because conflicts and CVEs --- build.gradle | 3 +++ gradle.properties | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 8196d2c164..cb735be450 100644 --- a/build.gradle +++ b/build.gradle @@ -393,6 +393,9 @@ allprojects { // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}" + // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs. + force "tools.jackson.core:jackson-core:${jackson3Version}" + dependencySubstitution { // Because the client api artifact name is not the same as the directory structure, we use // Gradle's dependency substitution so the dependency will appear correctly in the pom files that diff --git a/gradle.properties b/gradle.properties index d2bfba6ea5..652a15fa85 100644 --- a/gradle.properties +++ b/gradle.properties @@ -307,9 +307,9 @@ slf4jLog4jApiVersion=2.0.17 snappyJavaVersion=1.1.10.8 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version -springBootVersion=4.0.3 +springBootVersion=4.0.4 # This usually matches the Spring Framework version dictated by springBootVersion -springVersion=7.0.5 +springVersion=7.0.6 springAiVersion=2.0.0-M3 sqliteJdbcVersion=3.51.2.0 From e5252c75a63db2383ea95e1757503f97511240c9 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Mon, 23 Mar 2026 07:54:30 -0700 Subject: [PATCH 04/12] Force more spring dependencies to use our official version --- build.gradle | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build.gradle b/build.gradle index cb735be450..5915b505d3 100644 --- a/build.gradle +++ b/build.gradle 
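Review bot: Only `tools.jackson.core:jackson-core` is forced, but the Jackson 3 artifact where deserialization advisories usually land is `tools.jackson.core:jackson-databind`, and leaving it at whatever Spring AI declares can also split core and databind across versions; add `force "tools.jackson.core:jackson-databind:${jackson3Version}"` next to it. `${jackson3Version}` is not defined anywhere in this series, so unless it already exists in gradle.properties the force fails at configuration time — worth confirming. The comment says "mitigate CVEs" without naming them, unlike the hadoop comment just above that lists each id; record them (e.g. `// Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVE-<id placeholder> …`) so the force can be retired once the upstream pom catches up. The enclosing `allprojects` block starts and ends outside the hunk.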
@@ -378,6 +378,11 @@ allprojects { // Force consistency for dependencies from pipeline and query force "org.dom4j:dom4j:${dom4jVersion}" + // Force spring-ai components to bring in spring-* versions that match the rest of spring + force "org.springframework:spring-context-support:${springVersion}" + force "org.springframework:spring-messaging:${springVersion}" + force "org.springframework:spring-webflux:${springVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" From 5507883c6c417b6f69ba9e5368b3b2c02bb126b5 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Mon, 23 Mar 2026 08:26:06 -0700 Subject: [PATCH 05/12] Force assertj version --- build.gradle | 3 +++ gradle.properties | 3 +++ 2 files changed, 6 insertions(+) diff --git a/build.gradle b/build.gradle index 5915b505d3..9d484c8e9b 100644 --- a/build.gradle +++ b/build.gradle @@ -383,6 +383,9 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" + // Force spring-ai components to bring in the AssertJ version we want + force "org.assertj:assertj-core:${assertjVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 652a15fa85..2808adc087 100644 --- a/gradle.properties +++ b/gradle.properties @@ -107,6 +107,9 @@ apacheTomcatVersion=11.0.18 # tika asmVersion=9.9.1 +# Also defined in testAutomation/gradle.properties +assertjVersion=3.27.7 + # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API azureIdentityVersion=1.18.2 From e17f4f135f87749217edda4431b06b69c75bf890 Mon Sep 17 00:00:00 2001 
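Review bot: Forcing three named `org.springframework` artifacts to `${springVersion}` only covers the ones noticed so far; any other spring-* artifact Spring AI pulls transitively, now or after the next milestone, will again drift from the Boot-managed version. A group-wide rule is more robust, e.g. `eachDependency { if (it.requested.group == 'org.springframework') it.useVersion(springVersion) }` in the same resolutionStrategy, assuming that is where these `force` calls live (the enclosing block starts and ends outside the hunk). If per-artifact forces are preferred, the comment should say this list is expected to grow with each Spring AI upgrade.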
From: Adam Rauch Date: Tue, 24 Mar 2026 17:14:14 -0700 Subject: [PATCH 06/12] Fix version discrepancy with jsonschema-generator --- build.gradle | 9 ++++++++- gradle.properties | 5 +++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 9d484c8e9b..57608dcf13 100644 --- a/build.gradle +++ b/build.gradle @@ -383,9 +383,16 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" - // Force spring-ai components to bring in the AssertJ version we want + // Force spring-ai components to bring in the latest AssertJ version to avoid CVEs. Note that + // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646 force "org.assertj:assertj-core:${assertjVersion}" + // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but + // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError + force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}" + force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}" + force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 2808adc087..0b24150068 100644 --- a/gradle.properties +++ b/gradle.properties @@ -108,6 +108,7 @@ apacheTomcatVersion=11.0.18 asmVersion=9.9.1 # Also defined in testAutomation/gradle.properties +# This was probably added to spring-ai by mistake: https://github.com/spring-projects/spring-ai/issues/5646 assertjVersion=3.27.7 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API 
@@ -315,6 +316,10 @@ springBootVersion=4.0.4 springVersion=7.0.6 springAiVersion=2.0.0-M3 +# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses +# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError +jsonschemaGeneratorVersion=4.38.0 + sqliteJdbcVersion=3.51.2.0 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version. From ea9d448590421332c5bd2b85c262838bcd4a71fd Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Tue, 24 Mar 2026 17:53:57 -0700 Subject: [PATCH 07/12] Add -parameters to Java build so spring can resolve parameter names --- build.gradle | 1 + 1 file changed, 1 insertion(+) diff --git a/build.gradle b/build.gradle index 57608dcf13..084c20be3b 100644 --- a/build.gradle +++ b/build.gradle @@ -59,6 +59,7 @@ allprojects { JavaCompile compile -> compile.options.incremental = true // Gradle 3.4 compile.options.encoding = 'UTF-8' + compile.options.compilerArgs << '-parameters' // Preserve method parameter names for Spring AI reflection } } From 251de5b4d3f1738458c7979c77b87697c3c76c7d Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 25 Mar 2026 08:37:28 -0700 Subject: [PATCH 08/12] Correct version of jsonschema --- build.gradle | 6 ------ gradle.properties | 4 ---- 2 files changed, 10 deletions(-) diff --git a/build.gradle b/build.gradle index 084c20be3b..a4aa43b55f 100644 --- a/build.gradle +++ b/build.gradle 
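Review bot: `-parameters` is appended for every `JavaCompile` task under `allprojects`, so all modules' class files now carry parameter names, not only the ones using Spring AI, and the comment should say so to stop a later reader from scoping it down to one module: `compile.options.compilerArgs << '-parameters' // All modules: Spring AI (and Spring reflection generally) reads parameter names from bytecode`. It also changes the output of every compile, so the first build after this is a full recompile and build-cache keys change — expected, but worth a line in the commit message. The enclosing closure starts and ends outside the hunk.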
@@ -388,12 +388,6 @@ allprojects { // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646 force "org.assertj:assertj-core:${assertjVersion}" - // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but - // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError - force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}" - force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}" - force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}" - // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 0b24150068..6b7d04aa5b 100644 --- a/gradle.properties +++ b/gradle.properties @@ -316,10 +316,6 @@ springBootVersion=4.0.4 springVersion=7.0.6 springAiVersion=2.0.0-M3 -# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses -# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError -jsonschemaGeneratorVersion=4.38.0 - sqliteJdbcVersion=3.51.2.0 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version. From f4cc0d82bb005e12f623b9fd74903045ea898a53 Mon Sep 17 00:00:00 2001 From: labkey-tchad Date: Mon, 30 Mar 2026 09:33:55 -0700 Subject: [PATCH 09/12] Suppress dependency check false-positives for Spring AI --- dependencyCheckSuppression.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 8de7fea3d7..33289c2a56 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml 
@@ -283,4 +283,24 @@ ^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$ CVE-2026-23907 + + + + + ^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$ + cpe:/a:vmware:server + + + + ^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$ + cpe:/a:vmware:vmware_server + From 0c8415214523d71f76b2dcd30874b44c3c6f9ad2 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 1 Apr 2026 11:48:15 -0700 Subject: [PATCH 10/12] Upgrade to Spring AI 2.0.0-M4. No need to force AssertJ version now. --- build.gradle | 4 ---- gradle.properties | 6 +----- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/build.gradle b/build.gradle index a4aa43b55f..947c5c458f 100644 --- a/build.gradle +++ b/build.gradle @@ -384,10 +384,6 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" - // Force spring-ai components to bring in the latest AssertJ version to avoid CVEs. Note that - // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646 - force "org.assertj:assertj-core:${assertjVersion}" - // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index 6b7d04aa5b..86fac697a5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -107,10 +107,6 @@ apacheTomcatVersion=11.0.18 # tika asmVersion=9.9.1 -# Also defined in testAutomation/gradle.properties -# This was probably added to spring-ai by mistake: https://github.com/spring-projects/spring-ai/issues/5646 -assertjVersion=3.27.7 - # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API azureIdentityVersion=1.18.2 
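Review bot: The two new `<suppress>` entries for `mcp-spring-webmvc` match every version (`@.*$`) and, as rendered here, carry neither `<notes>` nor an `until` date, so the suppression is never re-reviewed. A CPE suppression is the right tool for a vendor-name false positive (the MCP transport artifact is not VMware Server), but it should record why and expire: add `<notes>False positive: CPE matched on vendor name; artifact is Spring AI's MCP WebMVC transport, unrelated to VMware Server</notes>` and `until="YYYY-MM-DD"` (placeholder date) on each `<suppress>`. If the real file already has notes that this rendering dropped, only the `until` point stands.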
@@ -314,7 +310,7 @@ snappyJavaVersion=1.1.10.8 springBootVersion=4.0.4 # This usually matches the Spring Framework version dictated by springBootVersion springVersion=7.0.6 -springAiVersion=2.0.0-M3 +springAiVersion=2.0.0-M4 sqliteJdbcVersion=3.51.2.0 From d3754efc37d34681d0cd2a3371cfaf8c5e23b6ed Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 3 Apr 2026 12:52:48 -0700 Subject: [PATCH 11/12] Upgrade Gradle Plugins version to avoid duplicating Spring AI artifacts. Bump netty and modulecontextprotocol versions to mitigate CVEs. --- build.gradle | 5 ++++- gradle.properties | 9 ++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 947c5c458f..6d3c9027a3 100644 --- a/build.gradle +++ b/build.gradle @@ -321,7 +321,7 @@ allprojects { // Reactor - transitive dependency via azure-core; force for version consistency across modules force "io.projectreactor:reactor-core:${reactorCoreVersion}" - // Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735 + // Netty - transitive dependency via azure-core-http-netty; force for various CVEs force "io.netty:netty-buffer:${nettyVersion}" force "io.netty:netty-codec:${nettyVersion}" force "io.netty:netty-codec-dns:${nettyVersion}" @@ -384,6 +384,9 @@ allprojects { force "org.springframework:spring-messaging:${springVersion}" force "org.springframework:spring-webflux:${springVersion}" + // spring-ai dependency. Force to mitigate a CVE. + force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}" diff --git a/gradle.properties b/gradle.properties index a42179de33..5da71d50e4 100644 --- a/gradle.properties +++ b/gradle.properties 
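Review bot: The netty comment replaces the specific `CVE-2025-67735` with "various CVEs", and the new `mcp` force only says "a CVE"; neither is traceable any more, so nobody can later tell whether a given advisory is covered or when the force can be dropped. Keep the ids: `// Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735 and later advisories (list: <ids>)` and `// spring-ai dependency. Force for CVE-<id placeholder>`. The same wording change is made on the gradle.properties side on the next line (`nettyVersion`, `modelContextProtocolVersion`) and should be fixed there too. Only `io.modelcontextprotocol.sdk:mcp` is forced; if Spring AI M4 pulls other artifacts from that group, they should be forced to the same version so the SDK is not split.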
@@ -59,7 +59,7 @@ windowsProteomicsBinariesVersion=1.0 # The current version numbers for the gradle plugins. artifactoryPluginVersion=5.2.5 gradleNodePluginVersion=7.1.0 -gradlePluginsVersion=7.3.1 +gradlePluginsVersion=8.0.0 owaspDependencyCheckPluginVersion=12.2.0 # Versions of node and npm to use during the build. If set, these versions @@ -263,10 +263,13 @@ luceneVersion=10.4.0 # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API microsoftGraphVersion=6.59.0 +# Spring-AI dependency that's showing a CVE +modelContextProtocolVersion=1.1.1 + mssqlJdbcVersion=13.2.1.jre11 -# Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735 -nettyVersion=4.2.8.Final +# Netty - transitive dependency via azure-core-http-netty; force to mitigate multiple CVEs in older versions +nettyVersion=4.2.12.Final # Reactor - transitive dependency via azure-core; force for version consistency across modules reactorCoreVersion=3.8.1 From 1c546754bf1801e952332e8c6c54e6b34806c92e Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 3 Apr 2026 12:58:09 -0700 Subject: [PATCH 12/12] Remove no longer necessary force of bytebuddy --- build.gradle | 3 --- gradle.properties | 2 -- 2 files changed, 5 deletions(-) diff --git a/build.gradle b/build.gradle index 6d3c9027a3..ac68ece6e9 100644 --- a/build.gradle +++ b/build.gradle @@ -315,9 +315,6 @@ allprojects { force "net.java.dev.jna:jna:${jnaVersion}" force "net.java.dev.jna:jna-platform:${jnaVersion}" - // Spring AI 2.0 and Duo SDK bring in different versions - force "net.bytebuddy:byte-buddy:${byteBuddyVersion}" - // Reactor - transitive dependency via azure-core; force for version consistency across modules force "io.projectreactor:reactor-core:${reactorCoreVersion}" diff --git a/gradle.properties b/gradle.properties index 5da71d50e4..2bf3d4511d 100644 --- a/gradle.properties +++ b/gradle.properties 
@@ -117,8 +117,6 @@ batikVersion=1.19 bouncycastlePgpVersion=1.83 bouncycastleVersion=1.83 -byteBuddyVersion=1.18.7 - cglibNodepVersion=2.2.3 checkerQualVersion=3.53.0