AUT-1511 Update dependencies to latest version

pom.xml

@@ -25,36 +25,48 @@
 
     <properties>
         <java.version>11</java.version>
+        <bouncycastle.version>1.76</bouncycastle.version>
         <eidas.node.version>2.6.0</eidas.node.version>
+        <encoder-jsp.version>1.2.3</encoder-jsp.version>
+        <guava.version>32.1.3-jre</guava.version>
+        <ignite.version>2.8.1</ignite.version><!-- eIDAS-Node 2.6.0 uses Apache Ignite 2.8.1 -->
+        <jacoco-maven-plugin.version>0.8.11</jacoco-maven-plugin.version>
+        <logstash-logback-encoder.version>7.3</logstash-logback-encoder.version><!-- TODO Upgrade to >= 7.4 after Spring Boot is upgraded to 3.x which includes Logback >= 1.3 -->
         <!-- TODO AUT-907 Upgrade to OpenSAML 4.x -->
         <opensaml.version>3.4.6</opensaml.version>
-        <wiremock.version>2.35.1</wiremock.version>
+        <spring-cloud.version>2.2.8.RELEASE</spring-cloud.version><!-- TODO Version 3.x doesn't work with Spring Boot 2.3 -->
+        <wiremock.version>2.35.1</wiremock.version> <!-- TODO Upgrade to >=3.0.1 after Spring Boot is upgraded to 3.x which includes jetty >= 11.0.12 -->
         <sonar.jacoco.reportPath>target/jacoco.exec</sonar.jacoco.reportPath>
 
-        <spring-security.version>5.8.6</spring-security.version>
-        <!-- Using newer version than Spring Boot's default to fix vulnerability CVE-2022-22965.
-             TODO Remove this property after upgrading Spring Boot. -->
-        <spring-framework.version>5.3.29</spring-framework.version>
+        <!-- Using newer version than opensaml-saml-impl's default to fix vulnerability CVE-2020-7226.
+             TODO Remove this property after upgrading opensaml-saml-impl. -->
+        <cryptacular.version>1.2.6</cryptacular.version>
         <!-- Using newer version than Spring Boot's default to fix vulnerability CVE-2020-36518.
              TODO Remove this property after upgrading Spring Boot. -->
-        <jackson-bom.version>2.15.2</jackson-bom.version>
+        <jackson-bom.version>2.15.3</jackson-bom.version>
+        <!-- Using newer version than Spring Boot's default to fix vulnerability CVE-2022-22965.
+             TODO Remove this property after upgrading Spring Boot. -->
+        <spring-framework.version>5.3.30</spring-framework.version>
+        <spring-security.version>5.8.8</spring-security.version>
+        <!-- Replacement for vulnerable jstl libraries -->
+        <taglibs-standard.version>1.2.5</taglibs-standard.version>
+        <!-- Using newer version than opensaml-saml-impl's default to fix vulnerability CVE-2021-40690.
+             TODO Remove this property after upgrading opensaml-saml-impl.
+             TODO xmlsec 3.0.3 causes error: InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding -->
+        <xmlsec.version>3.0.2</xmlsec.version>
     </properties>
 
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <!-- Using newer version than opensaml-saml-impl's default to fix vulnerability CVE-2021-40690.
-                     TODO Remove this property after upgrading opensaml-saml-impl. -->
                 <groupId>org.apache.santuario</groupId>
                 <artifactId>xmlsec</artifactId>
-                <version>3.0.2</version>
+                <version>${xmlsec.version}</version>
             </dependency>
             <dependency>
-                <!-- Using newer version than opensaml-saml-impl's default to fix vulnerability CVE-2020-7226.
-                     TODO Remove this property after upgrading opensaml-saml-impl. -->
                 <groupId>org.cryptacular</groupId>
                 <artifactId>cryptacular</artifactId>
-                <version>1.2.6</version>
+                <version>${cryptacular.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
@@ -93,7 +105,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>32.1.2-jre</version>
+            <version>${guava.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
@@ -106,28 +118,25 @@
             <artifactId>tomcat-embed-jasper</artifactId>
             <scope>provided</scope>
         </dependency>
-        <!-- Replacement for vulnerable jstl library -->
         <dependency>
             <groupId>org.apache.taglibs</groupId>
             <artifactId>taglibs-standard-spec</artifactId>
-            <version>1.2.5</version>
+            <version>${taglibs-standard.version}</version>
         </dependency>
-        <!-- Replacement for vulnerable jstl library -->
         <dependency>
             <groupId>org.apache.taglibs</groupId>
             <artifactId>taglibs-standard-impl</artifactId>
-            <version>1.2.5</version>
+            <version>${taglibs-standard.version}</version>
         </dependency>
-        <!-- Replacement for vulnerable jstl library -->
         <dependency>
             <groupId>org.apache.taglibs</groupId>
             <artifactId>taglibs-standard-jstlel</artifactId>
-            <version>1.2.5</version>
+            <version>${taglibs-standard.version}</version>
         </dependency>
         <dependency>
             <groupId>org.owasp.encoder</groupId>
             <artifactId>encoder-jsp</artifactId>
-            <version>1.2.3</version>
+            <version>${encoder-jsp.version}</version>
         </dependency>
 
         <!-- OpenSAML dependencies -->
@@ -174,7 +183,7 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk18on</artifactId>
-            <version>1.76</version>
+            <version>${bouncycastle.version}</version>
         </dependency>
 
         <!-- eIDAS node specific dependencies -->
@@ -203,14 +212,12 @@
         <dependency>
             <groupId>net.logstash.logback</groupId>
             <artifactId>logstash-logback-encoder</artifactId>
-            <!-- TODO Upgrade to >= 7.4 after Spring Boot is upgraded to 3.x which includes Logback >= 1.3 -->
-            <version>7.3</version>
+            <version>${logstash-logback-encoder.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>
-            <!-- TODO Version 3.x doesn't work with Spring Boot 2.3 -->
             <artifactId>spring-cloud-starter-sleuth</artifactId>
-            <version>2.2.8.RELEASE</version>
+            <version>${spring-cloud.version}</version>
             <exclusions>
                 <!-- Excluded because we are already using bcprov-jdk18on as a dependency.-->
                 <exclusion>
@@ -259,8 +266,7 @@
         <dependency>
             <groupId>org.apache.ignite</groupId>
             <artifactId>ignite-core</artifactId>
-            <!-- eIDAS-Node 2.6.0 uses Apache Ignite 2.8.1 -->
-            <version>2.8.1</version>
+            <version>${ignite.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
         </dependency>
@@ -331,7 +337,7 @@
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.8.10</version>
+                <version>${jacoco-maven-plugin.version}</version>
                 <executions>
                     <execution>
                         <goals>