Merge branch 'release/3.1.0-RC6'

Author: yumioka

core/pom.xml

@@ -22,7 +22,7 @@
 		<maven.compiler.target>17</maven.compiler.target>
 		<nemakiware.version>${project.version}</nemakiware.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<org.springframework.version>6.1.13</org.springframework.version>
+		<org.springframework.version>6.1.21</org.springframework.version>
 		<org.apache.chemistry.opencmis.version>1.1.0-nemakiware</org.apache.chemistry.opencmis.version>
 		<opencmis.github.packages.url>https://maven.pkg.github.com/aegif/chemistry-opencmis-nemakiware</opencmis.github.packages.url>
 		<opencmis.github.packages.repository.id>github-opencmis</opencmis.github.packages.repository.id>
@@ -186,12 +186,12 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>
-			<version>2.20.1</version>
+			<version>2.21.1</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.20.1</version>
+			<version>2.21.1</version>
 		</dependency>
 		<!-- WebAuthn (Passkey) support -->
 		<dependency>
@@ -208,14 +208,14 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-annotations</artifactId>
-			<version>2.20</version>
+			<version>2.21</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.datatype</groupId>
 			<artifactId>jackson-datatype-jdk8</artifactId>
-			<version>2.20.1</version>
+			<version>2.21.1</version>
 		</dependency>
-		<!-- SECURITY UPDATE (2025-11-19): Updated Jackson from 2.17.1 to 2.20.x for security fixes -->
+		<!-- SECURITY UPDATE: Jackson 2.21.1 fixes GHSA-72hv-8253-57qq (async parser DoS) -->
 		<!-- NOTE: jackson-annotations 2.20+ uses major.minor versioning only (no patch version) -->
 
 
@@ -373,7 +373,7 @@
 		<dependency>
 			<groupId>org.springframework.ldap</groupId>
 			<artifactId>spring-ldap-core</artifactId>
-			<version>3.2.4</version>
+			<version>3.2.8</version>
 		</dependency>
 
 		<dependency>
@@ -636,17 +636,13 @@
 			<artifactId>commons-codec</artifactId>
 			<version>1.20.0</version>
 		</dependency>
-		<!-- Previously transitive via cobertura-maven-plugin (now removed) -->
+		<!-- SECURITY FIX: commons-beanutils 1.11.0 fixes CVE-2025-48734 (CVSS 8.8) -->
 		<dependency>
 			<groupId>commons-beanutils</groupId>
 			<artifactId>commons-beanutils</artifactId>
-			<version>1.9.4</version>
-		</dependency>
-		<dependency>
-			<groupId>commons-lang</groupId>
-			<artifactId>commons-lang</artifactId>
-			<version>2.6</version>
+			<version>1.11.0</version>
 		</dependency>
+		<!-- commons-lang 2.6 removed: migrated to commons-lang3 (see below) -->
 
 		<dependency>
 			<groupId>org.apache.commons</groupId>
@@ -698,16 +694,16 @@
 		</dependency>
 
 		<!-- Apache Tika for full-text content extraction (PDF, Office, etc.) -->
-		<!-- FEATURE: Full-text search support for NemakiWare 3.0 (2025-11-27) -->
+		<!-- SECURITY FIX: Tika 3.2.3 fixes CVE-2025-66516 (XXE, CVSS 10.0) -->
 		<dependency>
 			<groupId>org.apache.tika</groupId>
 			<artifactId>tika-core</artifactId>
-			<version>2.9.2</version>
+			<version>3.2.3</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.tika</groupId>
 			<artifactId>tika-parsers-standard-package</artifactId>
-			<version>2.9.2</version>
+			<version>3.2.3</version>
 			<exclusions>
 				<!-- Exclude conflicting logging implementations -->
 				<exclusion>
@@ -869,10 +865,11 @@
 		</dependency>
 
 		<!-- Cloud Authentication: Microsoft / generic JWKS token verification -->
+		<!-- SECURITY FIX: 9.37.4 fixes CVE-2025-53864 (nested JSON DoS) -->
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>9.37.3</version>
+			<version>9.37.4</version>
 		</dependency>
 
 		<!-- Google Drive API -->
@@ -916,10 +913,11 @@
 			<artifactId>microsoft-graph</artifactId>
 			<version>6.5.0</version>
 		</dependency>
+		<!-- SECURITY FIX: 1.18.0 fixes CVE-2024-35255 (EoP, affected <1.12.2) + latest MSAL4J -->
 		<dependency>
 			<groupId>com.azure</groupId>
 			<artifactId>azure-identity</artifactId>
-			<version>1.12.1</version>
+			<version>1.18.0</version>
 		</dependency>
 
 		<!-- AWS SDK (Bedrock Runtime) for embedding generation -->

core/src/main/java/jp/aegif/nemaki/cmis/aspect/impl/CompileServiceImpl.java

@@ -927,11 +927,14 @@ public AllowableActions compileAllowableActions(CallContext callContext, String
 				if (Action.CAN_MOVE_OBJECT == convertKeyToAction(key)) {
 					continue;
 				}
-				// CRITICAL CMIS COMPLIANCE FIX: Root folder cannot have CAN_GET_FOLDER_PARENT action
-				// because root folder has no parent by definition
+				// CMIS 1.1 §2.2.2.1: Root folder has no parent — both parent navigation
+				// actions must be excluded from AllowableActions.
 				if (PermissionMapping.CAN_GET_FOLDER_PARENT_OBJECT.equals(key)) {
 					continue;
 				}
+				if (PermissionMapping.CAN_GET_PARENTS_FOLDER.equals(key)) {
+					continue;
+				}
 			}
 			if (versionSeries != null) {
 				Document d = (Document) content;

core/src/main/java/jp/aegif/nemaki/cmis/service/impl/NavigationServiceImpl.java

@@ -438,14 +438,15 @@ public ObjectData getFolderParent(CallContext callContext, String repositoryId,
 			// //////////////////
 			// Specific Exception
 			// //////////////////
+			// CMIS 1.1 §2.2.3.3: Root folder has no parent — must reject before lock
+			exceptionService.invalidArgumentRootFolder(repositoryId, folder);
+
 			Folder parent = contentService.getParent(repositoryId, folderId);
+			exceptionService.objectNotFoundParentFolder(repositoryId, folderId, parent);
 
 			Lock parentLock = threadLockService.getReadLock(repositoryId, parent.getId());
 			try{
 				parentLock.lock();
-				
-				exceptionService.objectNotFoundParentFolder(repositoryId, folderId, parent);
-				exceptionService.invalidArgumentRootFolder(repositoryId, folder);
 
 				// //////////////////
 				// Body of the method

core/src/main/java/jp/aegif/nemaki/rest/AuthenticationFilter.java

@@ -37,7 +37,7 @@
 import org.apache.chemistry.opencmis.commons.enums.CmisVersion;
 import org.apache.chemistry.opencmis.commons.server.CallContext;
 import org.apache.chemistry.opencmis.server.impl.CallContextImpl;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;

core/src/main/java/jp/aegif/nemaki/rest/GroupItemResource.java

@@ -40,7 +40,7 @@
 import org.apache.chemistry.opencmis.commons.impl.dataobjects.PropertyIdImpl;
 import org.apache.chemistry.opencmis.commons.impl.dataobjects.PropertyStringImpl;
 import org.apache.commons.collections4.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.json.simple.JSONArray;
 import org.json.simple.JSONObject;

core/src/main/webapp/WEB-INF/classes/repositories-default.yml

@@ -6,6 +6,6 @@ default:
   thinClientUri: http://localhost:8080/core/ui/
   vendor: aegif
   product.name: NemakiWare
-  product.version: 3.0.0
+  product.version: 3.1.0
   namespace: http://www.aegif.jp/NemakiWare/
 super.users: bedroom

docker/solr/pom.xml

@@ -24,7 +24,7 @@
 		<maven.dependency.version>3.6.1</maven.dependency.version>
 		<maven.assembly.version>3.7.1</maven.assembly.version>
 		<org.apache.chemistry.opencmis.version>1.1.0</org.apache.chemistry.opencmis.version>
-		<org.apache.solr.version>9.8.0</org.apache.solr.version>
+		<org.apache.solr.version>9.10.0</org.apache.solr.version>
 	</properties>
 
 	<repositories>
@@ -55,7 +55,7 @@
 				<enabled>false</enabled>
 			</snapshots>
 		</repository>
-	</repositories>    
+	</repositories>
 
 	<dependencies>
 		<dependency>
@@ -100,47 +100,34 @@
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-core</artifactId>
-			<version>1.4.14</version>
+			<version>1.5.16</version>
 		</dependency>
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-classic</artifactId>
-			<version>1.4.14</version>
-		</dependency>
-		<dependency>
-			<groupId>ch.qos.logback.contrib</groupId>
-			<artifactId>logback-json-core</artifactId>
-			<version>0.1.5</version>
-		</dependency>
-		<dependency>
-			<groupId>ch.qos.logback.contrib</groupId>
-			<artifactId>logback-json-classic</artifactId>
-			<version>0.1.5</version>
-		</dependency>
-		<dependency>
-			<groupId>ch.qos.logback.contrib</groupId>
-			<artifactId>logback-jackson</artifactId>
-			<version>0.1.5</version>
+			<version>1.5.16</version>
 		</dependency>
+		<!-- logback-contrib 0.1.5 is incompatible with logback 1.5.x;
+		     JSON logging is provided by logstash-logback-encoder instead -->
 		<dependency>
 			<groupId>net.logstash.logback</groupId>
 			<artifactId>logstash-logback-encoder</artifactId>
-			<version>7.4</version>
+			<version>8.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>
-			<version>2.8.11</version>
+			<version>2.18.6</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.8.11.6</version>
+			<version>2.18.6</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-annotations</artifactId>
-			<version>2.8.11</version>
+			<version>2.18.6</version>
 		</dependency>
 
 
@@ -158,12 +145,12 @@
 		<dependency>
 			<groupId>org.apache.tika</groupId>
 			<artifactId>tika-core</artifactId>
-			<version>1.28.5</version>
+			<version>3.2.3</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
-			<version>3.0.1</version>
+			<version>3.17.0</version>
 			<optional>false</optional>
 		</dependency>
 		<dependency>
@@ -175,27 +162,22 @@
 		<dependency>
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>
-			<version>4.12</version>
+			<version>4.13.2</version>
 		</dependency>
-		<!--dependency>
-			<groupId>commons-collections</groupId>
-			<artifactId>commons-collections</artifactId>
-			<version>[3.2.2,)</version>
-		</dependency-->
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-collections4</artifactId>
-			<version>4.4</version>
+			<version>4.5.0</version>
 		</dependency>
 		<dependency>
-			<groupId>com.esotericsoftware.yamlbeans</groupId>
+			<groupId>com.contrastsecurity</groupId>
 			<artifactId>yamlbeans</artifactId>
-			<version>1.09</version>
+			<version>1.17</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
-			<version>2.11.0</version>
+			<version>2.18.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.chemistry.opencmis</groupId>
@@ -217,7 +199,7 @@
 			<artifactId>jersey-client</artifactId>
 			<version>1.19</version>
 		</dependency>
-		
+
 
 	</dependencies>