From d7d9d6833735601280fed00ca69055acaa0ea024 Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Tue, 7 Apr 2026 14:07:03 +0530
Subject: [PATCH 1/6] - Fixed spring security vulnerability - AST-142710

---
 checkmarx-ast-teamcity-plugin-server/pom.xml | 18 ++++++++++++++++++
 pom.xml                                      | 15 ++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/checkmarx-ast-teamcity-plugin-server/pom.xml b/checkmarx-ast-teamcity-plugin-server/pom.xml
index 850db08..fa9d524 100644
--- a/checkmarx-ast-teamcity-plugin-server/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-server/pom.xml
@@ -26,6 +26,12 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+             its transitive pull of vulnerable spring-security-web < 6.5.9 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -40,6 +46,13 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+             its transitive pull of vulnerable spring-security-web < 6.5.9
+             via web-openapi -> common-spring-security -> spring-security-oauth2 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -52,6 +65,11 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
diff --git a/pom.xml b/pom.xml
index a9b9860..77b56bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -17,7 +17,7 @@
         <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
-        <springSecurity.version>6.3.5</springSecurity.version>
+        <springSecurity.version>6.5.9</springSecurity.version>
     </properties>
 
     <modules>
@@ -88,6 +88,12 @@
                         <groupId>commons-lang</groupId>
                         <artifactId>commons-lang</artifactId>
                     </exclusion>
+                    <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+                         its transitive pull of vulnerable spring-security-web < 6.5.9 -->
+                    <exclusion>
+                        <groupId>org.springframework.security.oauth</groupId>
+                        <artifactId>spring-security-oauth2</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -135,6 +141,13 @@
                         <groupId>commons-fileupload</groupId>
                         <artifactId>commons-fileupload</artifactId>
                     </exclusion>
+                    <!-- CVE-2026-22732 mitigation: springSecurity.version is now 6.5.9.
+                         Keep excluding EOL spring-security-oauth2 to avoid its legacy
+                         transitive chain and prevent vulnerable spring-security-web pull-ins. -->
+                    <exclusion>
+                        <groupId>org.springframework.security.oauth</groupId>
+                        <artifactId>spring-security-oauth2</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>

From 5b45d392d089702de666bed5381d264a70cd389f Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Wed, 8 Apr 2026 10:53:07 +0530
Subject: [PATCH 2/6] Fix transitive CVE vulnerabilities in dependency tree -
 AST-142710

Addresses three CVEs introduced via TeamCity transitive dependencies:

1. spring-security-web (CVE-2026-22732)
   - Affected: spring-security-web <= 6.5.8; HTTP response headers not written
   - Fix: pin springSecurity.version=6.5.9 in dependencyManagement
   - Exclude EOL spring-security-oauth2 from server-api, server-web-api,
     tests-support to sever the transitive pull chain at source

2. jackson-core async-parser DoS
   - Affected: jackson-core < 2.19.1; async parser bypasses maxNumberLength
     constraint, enabling unbounded memory/CPU usage (DoS)
   - Fix: pin jackson.version=2.21.1 for all jackson-* artifacts in
     dependencyManagement; exclude common-jackson (TeamCity internal bundle)
     from server-api, server-web-api, tests-support to cut the chain
     web-openapi -> common-jackson -> jackson-datatype-jdk8 -> jackson-core

3. commons-lang3 uncontrolled recursion (StackOverflowError DoS)
   - Affected: commons-lang3 3.0-3.17.0; ClassUtils.getClass() recurses
     unboundedly on crafted long inputs
   - commons-text 1.13.1 declared commons-lang3 @ 3.17.0 in its own POM,
     causing scanners to flag the path even with a managed-version override
   - Fix: upgrade commons-text to 1.15.0 (natively declares commons-lang3
     3.20.0); pin commons-lang3.version=3.20.0 and commons-text.version=1.15.0
     in dependencyManagement so no transitive path can reintroduce an older
     version; align common module direct declaration to use the property

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 checkmarx-ast-teamcity-plugin-common/pom.xml |  3 +-
 checkmarx-ast-teamcity-plugin-server/pom.xml | 19 +++++
 pom.xml                                      | 84 +++++++++++++++++++-
 3 files changed, 104 insertions(+), 2 deletions(-)

diff --git a/checkmarx-ast-teamcity-plugin-common/pom.xml b/checkmarx-ast-teamcity-plugin-common/pom.xml
index 3e39c86..5f54d3a 100644
--- a/checkmarx-ast-teamcity-plugin-common/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-common/pom.xml
@@ -23,10 +23,11 @@
             </exclusions>
         </dependency>
 
+        <!-- Version governed by commons-lang3.version in root POM (CVE fix: 3.18.0) -->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.18.0</version>
+            <version>${commons-lang3.version}</version>
         </dependency>
 
         <!-- Test Dependencies -->
diff --git a/checkmarx-ast-teamcity-plugin-server/pom.xml b/checkmarx-ast-teamcity-plugin-server/pom.xml
index fa9d524..256ac9a 100644
--- a/checkmarx-ast-teamcity-plugin-server/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-server/pom.xml
@@ -32,6 +32,13 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: cut the
+             web-openapi -> common-jackson -> jackson-datatype-jdk8
+             -> jackson-core@2.19.0 transitive chain at source -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -53,6 +60,12 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: server-web-api also carries
+             the web-openapi -> common-jackson chain; cut it here too -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -70,6 +83,12 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: tests-support also carries
+             common-jackson transitively; exclude to keep test classpath clean -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
diff --git a/pom.xml b/pom.xml
index 77b56bc..e3eab61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,6 +18,20 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
         <springSecurity.version>6.5.9</springSecurity.version>
+        <!-- CVE jackson-core async-parser DoS: fix versions are 2.18.6 / 2.19.1 / 3.1.0.
+             Pinning the whole Jackson family to 2.19.1 (same minor stream, patched). -->
+        <jackson.version>2.21.1</jackson.version>
+        <!-- CVE commons-lang3 uncontrolled recursion: ClassUtils.getClass() can throw
+             StackOverflowError on crafted long inputs → DoS.
+             Affected : commons-lang3 3.0 – 3.17.0 (and commons-lang 2.0 – 2.6)
+             Fix      : 3.18.0+. Upgraded to 3.20.0 to stay in sync with
+             commons-text 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             eliminating the vulnerable declared-dependency path entirely. -->
+        <commons-lang3.version>3.20.0</commons-lang3.version>
+        <!-- commons-text 1.13.1 declared commons-lang3 @ 3.17.0 (vulnerable).
+             Upgrading to 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             removing the vulnerable transitive path from the artifact's own POM. -->
+        <commons-text.version>1.15.0</commons-text.version>
     </properties>
 
     <modules>
@@ -148,6 +162,15 @@
                         <groupId>org.springframework.security.oauth</groupId>
                         <artifactId>spring-security-oauth2</artifactId>
                     </exclusion>
+                    <!-- jackson-core async-parser DoS: exclude the TeamCity-internal
+                         common-jackson bundle so that web-openapi cannot bring in
+                         jackson-datatype-jdk8 → jackson-core @ 2.19.0 (vulnerable).
+                         jackson-core @ ${jackson.version} is forced via dependencyManagement
+                         as a second line of defence. -->
+                    <exclusion>
+                        <groupId>org.jetbrains.teamcity</groupId>
+                        <artifactId>common-jackson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -325,12 +348,71 @@
                 <artifactId>gson</artifactId>
                 <version>2.12.0</version>
             </dependency>
-             <dependency>
+            <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-core</artifactId>
                 <version>2.25.3</version>
                 <scope>provided</scope>
             </dependency>
+
+            <!-- ===== commons-text + commons-lang3 version override =====
+                 CVE: ClassUtils.getClass() uncontrolled recursion → StackOverflowError → DoS.
+                 Root cause : commons-lang3 3.0 – 3.17.0.
+                 commons-text 1.13.1 (transitive via TeamCity server-api) declared
+                 commons-lang3 @ 3.17.0 in its own POM — scanners walking the declared
+                 graph flagged the path even after the resolved version was overridden.
+                 Fix        : upgrade commons-text to 1.15.0, which natively declares
+                 commons-lang3 @ 3.20.0, removing the vulnerable path from the
+                 artifact's own metadata. commons-lang3 is also pinned independently
+                 so no other path can re-introduce an older version. -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>${commons-text.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>${commons-lang3.version}</version>
+            </dependency>
+
+            <!-- ===== Jackson version override =====
+                 CVE: jackson-core async (non-blocking) parser bypasses maxNumberLength,
+                 enabling DoS via unbounded number tokens.
+                 Affected : jackson-core < 2.18.6 / < 2.19.1 / < 3.1.0
+                 Fix      : force every jackson-* artifact to 2.19.1 so that
+                 common-jackson → jackson-datatype-jdk8 → jackson-core cannot
+                 resolve a vulnerable 2.19.0 jar even transitively. -->
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jdk8</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jsr310</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.module</groupId>
+                <artifactId>jackson-module-parameter-names</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

From 1cfebb319b5ac495f0c015953eff43f27d8a25fe Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Wed, 8 Apr 2026 10:53:07 +0530
Subject: [PATCH 3/6] Fix transitive CVE vulnerabilities in dependency tree -
 AST-142710

Addresses three CVEs introduced via TeamCity transitive dependencies:

1. spring-security-web (CVE-2026-22732)
   - Affected: spring-security-web <= 6.5.8; HTTP response headers not written
   - Fix: pin springSecurity.version=6.5.9 in dependencyManagement
   - Exclude EOL spring-security-oauth2 from server-api, server-web-api,
     tests-support to sever the transitive pull chain at source

2. jackson-core async-parser DoS
   - Affected: jackson-core < 2.19.1; async parser bypasses maxNumberLength
     constraint, enabling unbounded memory/CPU usage (DoS)
   - Fix: pin jackson.version=2.21.1 for all jackson-* artifacts in
     dependencyManagement; exclude common-jackson (TeamCity internal bundle)
     from server-api, server-web-api, tests-support to cut the chain
     web-openapi -> common-jackson -> jackson-datatype-jdk8 -> jackson-core

3. commons-lang3 uncontrolled recursion (StackOverflowError DoS)
   - Affected: commons-lang3 3.0-3.17.0; ClassUtils.getClass() recurses
     unboundedly on crafted long inputs
   - commons-text 1.13.1 declared commons-lang3 @ 3.17.0 in its own POM,
     causing scanners to flag the path even with a managed-version override
   - Fix: upgrade commons-text to 1.15.0 (natively declares commons-lang3
     3.20.0); pin commons-lang3.version=3.20.0 and commons-text.version=1.15.0
     in dependencyManagement so no transitive path can reintroduce an older
     version; align common module direct declaration to use the property
---
 checkmarx-ast-teamcity-plugin-common/pom.xml |  3 +-
 checkmarx-ast-teamcity-plugin-server/pom.xml | 19 +++++
 pom.xml                                      | 84 +++++++++++++++++++-
 3 files changed, 104 insertions(+), 2 deletions(-)

diff --git a/checkmarx-ast-teamcity-plugin-common/pom.xml b/checkmarx-ast-teamcity-plugin-common/pom.xml
index 3e39c86..5f54d3a 100644
--- a/checkmarx-ast-teamcity-plugin-common/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-common/pom.xml
@@ -23,10 +23,11 @@
             </exclusions>
         </dependency>
 
+        <!-- Version governed by commons-lang3.version in root POM (CVE fix: 3.18.0) -->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.18.0</version>
+            <version>${commons-lang3.version}</version>
         </dependency>
 
         <!-- Test Dependencies -->
diff --git a/checkmarx-ast-teamcity-plugin-server/pom.xml b/checkmarx-ast-teamcity-plugin-server/pom.xml
index fa9d524..256ac9a 100644
--- a/checkmarx-ast-teamcity-plugin-server/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-server/pom.xml
@@ -32,6 +32,13 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: cut the
+             web-openapi -> common-jackson -> jackson-datatype-jdk8
+             -> jackson-core@2.19.0 transitive chain at source -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -53,6 +60,12 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: server-web-api also carries
+             the web-openapi -> common-jackson chain; cut it here too -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -70,6 +83,12 @@
           <groupId>org.springframework.security.oauth</groupId>
           <artifactId>spring-security-oauth2</artifactId>
         </exclusion>
+        <!-- jackson-core async-parser DoS: tests-support also carries
+             common-jackson transitively; exclude to keep test classpath clean -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
diff --git a/pom.xml b/pom.xml
index 77b56bc..e3eab61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,6 +18,20 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
         <springSecurity.version>6.5.9</springSecurity.version>
+        <!-- CVE jackson-core async-parser DoS: fix versions are 2.18.6 / 2.19.1 / 3.1.0.
+             Pinning the whole Jackson family to 2.19.1 (same minor stream, patched). -->
+        <jackson.version>2.21.1</jackson.version>
+        <!-- CVE commons-lang3 uncontrolled recursion: ClassUtils.getClass() can throw
+             StackOverflowError on crafted long inputs → DoS.
+             Affected : commons-lang3 3.0 – 3.17.0 (and commons-lang 2.0 – 2.6)
+             Fix      : 3.18.0+. Upgraded to 3.20.0 to stay in sync with
+             commons-text 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             eliminating the vulnerable declared-dependency path entirely. -->
+        <commons-lang3.version>3.20.0</commons-lang3.version>
+        <!-- commons-text 1.13.1 declared commons-lang3 @ 3.17.0 (vulnerable).
+             Upgrading to 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             removing the vulnerable transitive path from the artifact's own POM. -->
+        <commons-text.version>1.15.0</commons-text.version>
     </properties>
 
     <modules>
@@ -148,6 +162,15 @@
                         <groupId>org.springframework.security.oauth</groupId>
                         <artifactId>spring-security-oauth2</artifactId>
                     </exclusion>
+                    <!-- jackson-core async-parser DoS: exclude the TeamCity-internal
+                         common-jackson bundle so that web-openapi cannot bring in
+                         jackson-datatype-jdk8 → jackson-core @ 2.19.0 (vulnerable).
+                         jackson-core @ ${jackson.version} is forced via dependencyManagement
+                         as a second line of defence. -->
+                    <exclusion>
+                        <groupId>org.jetbrains.teamcity</groupId>
+                        <artifactId>common-jackson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -325,12 +348,71 @@
                 <artifactId>gson</artifactId>
                 <version>2.12.0</version>
             </dependency>
-             <dependency>
+            <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-core</artifactId>
                 <version>2.25.3</version>
                 <scope>provided</scope>
             </dependency>
+
+            <!-- ===== commons-text + commons-lang3 version override =====
+                 CVE: ClassUtils.getClass() uncontrolled recursion → StackOverflowError → DoS.
+                 Root cause : commons-lang3 3.0 – 3.17.0.
+                 commons-text 1.13.1 (transitive via TeamCity server-api) declared
+                 commons-lang3 @ 3.17.0 in its own POM — scanners walking the declared
+                 graph flagged the path even after the resolved version was overridden.
+                 Fix        : upgrade commons-text to 1.15.0, which natively declares
+                 commons-lang3 @ 3.20.0, removing the vulnerable path from the
+                 artifact's own metadata. commons-lang3 is also pinned independently
+                 so no other path can re-introduce an older version. -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>${commons-text.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>${commons-lang3.version}</version>
+            </dependency>
+
+            <!-- ===== Jackson version override =====
+                 CVE: jackson-core async (non-blocking) parser bypasses maxNumberLength,
+                 enabling DoS via unbounded number tokens.
+                 Affected : jackson-core < 2.18.6 / < 2.19.1 / < 3.1.0
+                 Fix      : force every jackson-* artifact to 2.19.1 so that
+                 common-jackson → jackson-datatype-jdk8 → jackson-core cannot
+                 resolve a vulnerable 2.19.0 jar even transitively. -->
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jdk8</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jsr310</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.module</groupId>
+                <artifactId>jackson-module-parameter-names</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

From 990b0314576e0f5f7adbc0e45f3f98e09431fd46 Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Tue, 14 Apr 2026 21:37:13 +0530
Subject: [PATCH 4/6] Fix CI checkout failure caused by missing
 PERSONAL_ACCESS_TOKEN secret

The integration-tests job was failing at the Checkout step with:
  fatal: could not read Username for 'https://github.com': terminal prompts disabled

Root cause: actions/checkout was configured with
  token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
When the PAT secret is absent or expired the token resolves to an
empty string, causing git to prompt for HTTPS credentials which are
disabled on hosted runners.

Fix: use || github.token as a fallback so the runner-injected
GITHUB_TOKEN is used whenever PERSONAL_ACCESS_TOKEN is unavailable.
github.token always has Contents:write for same-org PRs and never
expires, making the checkout reliable regardless of PAT lifecycle.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8291d83..fc6ee99 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.1.7
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.PERSONAL_ACCESS_TOKEN || github.token }}
           lfs: true  # Ensure LFS files are checked out
 
       - name: Set up JDK 17

From f7e6cefa05af19bfd7f3e42f20f67458e3a7f033 Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:07:27 +0530
Subject: [PATCH 5/6] =?UTF-8?q?Fix=20jackson.version:=202.21.1=20=E2=86=92?=
 =?UTF-8?q?=202.21.2=20(2.21.1=20was=20never=20published)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous CVE fix set jackson.version=2.21.1 which does not exist on
Maven Central, causing the CI build to fail with:
  Could not find artifact jackson-annotations:jar:2.21.1

2.21.2 is the actual latest stable release. Updated the property and
its comment to reflect the correct version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 pom.xml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index e3eab61..a0b2b8d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,9 +18,10 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
         <springSecurity.version>6.5.9</springSecurity.version>
-        <!-- CVE jackson-core async-parser DoS: fix versions are 2.18.6 / 2.19.1 / 3.1.0.
-             Pinning the whole Jackson family to 2.19.1 (same minor stream, patched). -->
-        <jackson.version>2.21.1</jackson.version>
+        <!-- CVE jackson-core async-parser DoS: async parser bypasses maxNumberLength.
+             Affected < 2.19.1 / < 2.21.2. 2.21.2 is the latest stable release on Maven Central
+             (2.21.1 was never published, causing the previous CI build failure). -->
+        <jackson.version>2.21.2</jackson.version>
         <!-- CVE commons-lang3 uncontrolled recursion: ClassUtils.getClass() can throw
              StackOverflowError on crafted long inputs → DoS.
              Affected : commons-lang3 3.0 – 3.17.0 (and commons-lang 2.0 – 2.6)

From 7271ce33c8440bfdc8937aa11850f33fd05f66d1 Mon Sep 17 00:00:00 2001
From: cx-anand-nandeshwar
 <73646287+cx-anand-nandeshwar@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:44:54 +0530
Subject: [PATCH 6/6] Fix jackson-annotations resolution failure in agent
 module - AST-142710

Remove jackson version pins from dependencyManagement (jackson-annotations
does not publish at the same version as jackson-core, causing artifact-not-found
failures). Instead, exclude common-jackson from agent-api and tests-support in
both the root dependencyManagement and agent/pom.xml, eliminating jackson from
the agent module's dependency graph entirely. Also add common-jackson exclusion
to tests-support in root dependencyManagement to close the same gap there.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 checkmarx-ast-teamcity-plugin-agent/pom.xml | 12 +++++
 pom.xml                                     | 58 +++++----------------
 2 files changed, 26 insertions(+), 44 deletions(-)

diff --git a/checkmarx-ast-teamcity-plugin-agent/pom.xml b/checkmarx-ast-teamcity-plugin-agent/pom.xml
index fe190a4..0bb091f 100644
--- a/checkmarx-ast-teamcity-plugin-agent/pom.xml
+++ b/checkmarx-ast-teamcity-plugin-agent/pom.xml
@@ -27,6 +27,12 @@
                     <groupId>commons-httpclient</groupId>
                     <artifactId>commons-httpclient</artifactId>
                 </exclusion>
+                <!-- jackson-core async-parser DoS: exclude common-jackson so
+                     agent-api cannot pull in jackson-core @ 2.19.0 (vulnerable). -->
+                <exclusion>
+                    <groupId>org.jetbrains.teamcity</groupId>
+                    <artifactId>common-jackson</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 
@@ -39,6 +45,12 @@
                     <groupId>commons-httpclient</groupId>
                     <artifactId>commons-httpclient</artifactId>
                 </exclusion>
+                <!-- jackson-core async-parser DoS: exclude common-jackson to
+                     keep the test classpath free of jackson-core @ 2.19.0. -->
+                <exclusion>
+                    <groupId>org.jetbrains.teamcity</groupId>
+                    <artifactId>common-jackson</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 
diff --git a/pom.xml b/pom.xml
index a0b2b8d..e0c1632 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,10 +18,6 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
         <springSecurity.version>6.5.9</springSecurity.version>
-        <!-- CVE jackson-core async-parser DoS: async parser bypasses maxNumberLength.
-             Affected < 2.19.1 / < 2.21.2. 2.21.2 is the latest stable release on Maven Central
-             (2.21.1 was never published, causing the previous CI build failure). -->
-        <jackson.version>2.21.2</jackson.version>
         <!-- CVE commons-lang3 uncontrolled recursion: ClassUtils.getClass() can throw
              StackOverflowError on crafted long inputs → DoS.
              Affected : commons-lang3 3.0 – 3.17.0 (and commons-lang 2.0 – 2.6)
@@ -109,6 +105,13 @@
                         <groupId>org.springframework.security.oauth</groupId>
                         <artifactId>spring-security-oauth2</artifactId>
                     </exclusion>
+                    <!-- jackson-core async-parser DoS: exclude common-jackson bundle
+                         to prevent jackson-core @ 2.19.0 (vulnerable) from entering
+                         the test classpath transitively. -->
+                    <exclusion>
+                        <groupId>org.jetbrains.teamcity</groupId>
+                        <artifactId>common-jackson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -165,9 +168,7 @@
                     </exclusion>
                     <!-- jackson-core async-parser DoS: exclude the TeamCity-internal
                          common-jackson bundle so that web-openapi cannot bring in
-                         jackson-datatype-jdk8 → jackson-core @ 2.19.0 (vulnerable).
-                         jackson-core @ ${jackson.version} is forced via dependencyManagement
-                         as a second line of defence. -->
+                         jackson-datatype-jdk8 → jackson-core @ 2.19.0 (vulnerable). -->
                     <exclusion>
                         <groupId>org.jetbrains.teamcity</groupId>
                         <artifactId>common-jackson</artifactId>
@@ -217,6 +218,12 @@
                         <groupId>commons-httpclient</groupId>
                         <artifactId>commons-httpclient</artifactId>
                     </exclusion>
+                    <!-- jackson-core async-parser DoS: exclude common-jackson so
+                         agent-api cannot pull in jackson-core @ 2.19.0 (vulnerable). -->
+                    <exclusion>
+                        <groupId>org.jetbrains.teamcity</groupId>
+                        <artifactId>common-jackson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -377,43 +384,6 @@
                 <version>${commons-lang3.version}</version>
             </dependency>
 
-            <!-- ===== Jackson version override =====
-                 CVE: jackson-core async (non-blocking) parser bypasses maxNumberLength,
-                 enabling DoS via unbounded number tokens.
-                 Affected : jackson-core < 2.18.6 / < 2.19.1 / < 3.1.0
-                 Fix      : force every jackson-* artifact to 2.19.1 so that
-                 common-jackson → jackson-datatype-jdk8 → jackson-core cannot
-                 resolve a vulnerable 2.19.0 jar even transitively. -->
-            <dependency>
-                <groupId>com.fasterxml.jackson.core</groupId>
-                <artifactId>jackson-core</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.fasterxml.jackson.core</groupId>
-                <artifactId>jackson-databind</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.fasterxml.jackson.core</groupId>
-                <artifactId>jackson-annotations</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.fasterxml.jackson.datatype</groupId>
-                <artifactId>jackson-datatype-jdk8</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.fasterxml.jackson.datatype</groupId>
-                <artifactId>jackson-datatype-jsr310</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.fasterxml.jackson.module</groupId>
-                <artifactId>jackson-module-parameter-names</artifactId>
-                <version>${jackson.version}</version>
-            </dependency>
         </dependencies>
     </dependencyManagement>