Constrain logback lib version to address sec vul

annotationProcessor/gradle.lockfile

@@ -6,8 +6,8 @@ bio.terra:terra-common-lib:1.1.22-SNAPSHOT=compileClasspath,productionRuntimeCla
 ch.qos.logback.contrib:logback-jackson:0.1.5=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-classic:0.1.5=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-core:0.1.5=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-classic:1.5.12=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-core:1.5.12=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-classic:1.5.15=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-core:1.5.15=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml-jvm:0.60.0=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml:0.60.0=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.17.3=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath

build.gradle

@@ -9,6 +9,7 @@ buildscript {
         // library versions - constraints to address vulns
         vIoNetty = '4.1.115.Final'
         vIoNettyNative = '2.0.69.Final'
+        vLogback = '1.5.15'
 
         // library versions
         vPmd = '7.1.0'

buildSrc/src/main/groovy/tanagra.java-conventions.gradle

@@ -56,6 +56,11 @@ dependencyManagement {
         // GCP BOM includes 4.x protobuf versions which are not compatible with current beam libs
         dependency "com.google.protobuf:protobuf-java:${vGoogleProtobufProtoc}"
         dependency "com.google.protobuf:protobuf-java-util:${vGoogleProtobufProtoc}"
+
+        // addresses security vulnerabilities
+
+        dependency "ch.qos.logback:logback-classic:${vLogback}"
+        dependency "ch.qos.logback:logback-core:${vLogback}"
     }
 }
 

cli/build.gradle

@@ -10,9 +10,9 @@ dependencies {
 
     implementation "org.apache.commons:commons-text:${vApacheCommonsText}"
     implementation "org.slf4j:slf4j-api:${vSlf4jApi}"
-    implementation 'ch.qos.logback:logback-classic:1.5.8'
 
-    // GCP libraries versions are controlled by the BOM specified in buildSrc.
+    // version controlled in buildSrc.
+    implementation 'ch.qos.logback:logback-classic'
     implementation 'com.google.guava:guava'
 
     // Command parsing

cli/gradle.lockfile

@@ -1,8 +1,8 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-ch.qos.logback:logback-classic:1.5.8=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-core:1.5.8=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-classic:1.5.15=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-core:1.5.15=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-core:2.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-databind:2.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath

indexer/gradle.lockfile

@@ -2,8 +2,8 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 args4j:args4j:2.33=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-classic:1.5.8=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-core:1.5.8=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-classic:1.5.15=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-core:1.5.15=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml-jvm:0.60.0=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml:0.60.0=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath

service/gradle.lockfile

@@ -6,8 +6,8 @@ bio.terra:terra-common-lib:1.1.22-SNAPSHOT=compileClasspath,compileProtoPath,pro
 ch.qos.logback.contrib:logback-jackson:0.1.5=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-classic:0.1.5=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 ch.qos.logback.contrib:logback-json-core:0.1.5=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-classic:1.5.12=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-ch.qos.logback:logback-core:1.5.12=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-classic:1.5.15=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+ch.qos.logback:logback-core:1.5.15=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml-jvm:0.60.0=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.charleskorn.kaml:kaml:0.60.0=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.17.3=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath