From c05d508b3dc793a7bf87025a136ca51bbc52dcd5 Mon Sep 17 00:00:00 2001
From: stecurran-est-tech <stephen.curran@est.tech>
Date: Mon, 10 Nov 2025 17:08:12 +0000
Subject: [PATCH 1/4] updating jettison from 1.3.7 to 1.5.2

Resolves CVE-2022-40149
CVE-2022-40150
CVE-2022-45685
CVE-2022-45693
CVE-2023-1436
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9aa123fee3..ac1a4797fe 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2242,7 +2242,7 @@
         <javassist.version>3.30.2-GA</javassist.version>
         <jersey1.version>1.19.3</jersey1.version>
         <jersey1.last.final.version>${jersey1.version}</jersey1.last.final.version>
-        <jettison.version>1.3.7</jettison.version> <!-- TODO: 1.3.8 doesn't work; AbstractJsonTest complexBeanWithAttributes -->
+        <jettison.version>1.5.2</jettison.version> <!-- TODO: 1.3.8 doesn't work; AbstractJsonTest complexBeanWithAttributes -->
         <jboss.vfs.version>3.3.2.Final</jboss.vfs.version>
         <jboss.vfs.jdk8.version>3.2.17.Final</jboss.vfs.jdk8.version>
         <jboss.logging.version>3.6.1.Final</jboss.logging.version>

From 1f9b781d9a885ff6da74e4a21b959ede388e943c Mon Sep 17 00:00:00 2001
From: stecurran-est-tech <stephen.curran@est.tech>
Date: Tue, 11 Nov 2025 23:51:55 +0000
Subject: [PATCH 2/4] adding 'provided' scope for jettison in Jersey 2.x

This avoids bundling Jettison in the artifact, eliminating direct dependency and preventing known CVEs from being included in the package
---
 pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pom.xml b/pom.xml
index ac1a4797fe..f294139557 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1756,6 +1756,7 @@
                 <groupId>org.codehaus.jettison</groupId>
                 <artifactId>jettison</artifactId>
                 <version>${jettison.version}</version>
+                <scope>provided</scope>
                 <exclusions>
                     <exclusion>
                         <groupId>stax</groupId>

From e6880dd21672776c41c6f21d243fd752696abd0d Mon Sep 17 00:00:00 2001
From: stecurran-est-tech <stephen.curran@est.tech>
Date: Wed, 12 Nov 2025 12:32:22 +0000
Subject: [PATCH 3/4] =?UTF-8?q?updating=20pom.xml=20in=20root=20and=20e2e-?=
 =?UTF-8?q?entity=20-=20Add=20Jettison=20with=20<scope>test</scope>=20in?=
 =?UTF-8?q?=20e2e-entity=20to=20restore=20test=20compilation=20-=20Fix=20t?=
 =?UTF-8?q?ypo=20in=20root=20Surefire=20config:=20<classpathDependencyExcl?=
 =?UTF-8?q?udes>=20=E2=86=92=20<classpathDependencyExclude>?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This will ensure all Jettison-specific tests continue to run and validate behavior

Signed-off-by: stecurran-est-tech <stephen.curran@est.tech>
---
 pom.xml                  | 2 +-
 tests/e2e-entity/pom.xml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index f294139557..5309a6b886 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1091,7 +1091,7 @@
                                 <additionalClasspathElement>${xdk.absolute.path}</additionalClasspathElement>
                             </additionalClasspathElements>
                             <classpathDependencyExcludes>
-                                <classpathDependencyExcludes>xerces:xercesImpl</classpathDependencyExcludes>
+                                <classpathDependencyExclude>xerces:xercesImpl</classpathDependencyExclude>
                             </classpathDependencyExcludes>
                         </configuration>
                     </plugin>
diff --git a/tests/e2e-entity/pom.xml b/tests/e2e-entity/pom.xml
index 3e10874bc7..861fc691ec 100644
--- a/tests/e2e-entity/pom.xml
+++ b/tests/e2e-entity/pom.xml
@@ -91,6 +91,12 @@
             <artifactId>jersey-media-json-jackson</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.codehaus.jettison</groupId>
+            <artifactId>jettison</artifactId>
+            <version>${jettison.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.glassfish.jersey.media</groupId>
             <artifactId>jersey-media-json-jackson1</artifactId>

From 7cff542978fdafcde855b73979e1c55a28b3c62d Mon Sep 17 00:00:00 2001
From: stecurran-est-tech <stephen.curran@est.tech>
Date: Wed, 19 Nov 2025 18:17:19 +0000
Subject: [PATCH 4/4] Updating JSON data for e2e-entity tests

Jettison upgrade 1.3.7 to 1.5.2 alters JSON serialisation - integers are no longer output as Strings. Updates to test data correspond to change in behaviour.

Signed-off-by: stecurran-est-tech <stephen.curran@est.tech>
---
 ...ettisonMappedJsonTestProvider_ComplexBeanWithAttributes.json | 2 +-
 ...ttisonMappedJsonTestProvider_ComplexBeanWithAttributes2.json | 2 +-
 ...nMappedJsonTestProvider_ComplexBeanWithAttributes2_MOXy.json | 2 +-
 ...onMappedJsonTestProvider_ComplexBeanWithAttributes_MOXy.json | 2 +-
 .../entity/JettisonMappedJsonTestProvider_RegisterMessage.json  | 2 +-
 .../JettisonMappedJsonTestProvider_RegisterMessage_MOXy.json    | 2 +-
 ...JettisonMappedJsonTestProvider_SimpleBeanWithAttributes.json | 2 +-
 ...sonMappedJsonTestProvider_SimpleBeanWithAttributes_MOXy.json | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes.json
index 4f8ff54bab..052e398ec9 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes.json
@@ -1 +1 @@
-{"complexBeanWithAttributes":{"@a2":"31415926","@a1":"hello dolly","filler1":111,"list":[{"@j":"bumper","@i":"312","@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"},{"@j":"bumper","@i":"312","@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}],"filler2":222,"b":{"@j":"bumper","@i":"312","@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}}}
\ No newline at end of file
+{"complexBeanWithAttributes":{"@a2":31415926,"@a1":"hello dolly","filler1":111,"list":[{"@j":"bumper","@i":312,"@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"},{"@j":"bumper","@i":312,"@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}],"filler2":222,"b":{"@j":"bumper","@i":312,"@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2.json
index a738f36417..d639cadef9 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2.json
@@ -1 +1 @@
-{"complexBeanWithAttributes2":{"@a2":"31415926","@a1":"hello dolly","filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/"},{"@uri":"http://localhost:8080/jedna/bedna/"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/"}}}
\ No newline at end of file
+{"complexBeanWithAttributes2":{"@a2":31415926,"@a1":"hello dolly","filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/"},{"@uri":"http://localhost:8080/jedna/bedna/"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/"}}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2_MOXy.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2_MOXy.json
index 457c937998..586f9e7cff 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2_MOXy.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes2_MOXy.json
@@ -1 +1 @@
-{"complexBeanWithAttributes2":{"@a1":"hello dolly","@a2":"31415926","filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/"},{"@uri":"http://localhost:8080/jedna/bedna/"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/"}}}
\ No newline at end of file
+{"complexBeanWithAttributes2":{"@a1":"hello dolly","@a2":31415926,"filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/"},{"@uri":"http://localhost:8080/jedna/bedna/"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/"}}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes_MOXy.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes_MOXy.json
index 5b67d072a7..50cb27b676 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes_MOXy.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_ComplexBeanWithAttributes_MOXy.json
@@ -1 +1 @@
-{"complexBeanWithAttributes":{"@a1":"hello dolly","@a2":"31415926","filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/","@i":"312","@j":"bumper","s1":"hi there"},{"@uri":"http://localhost:8080/jedna/bedna/","@i":"312","@j":"bumper","s1":"hi there"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/","@i":"312","@j":"bumper","s1":"hi there"}}}
\ No newline at end of file
+{"complexBeanWithAttributes":{"@a1":"hello dolly","@a2":31415926,"filler1":111,"list":[{"@uri":"http://localhost:8080/jedna/bedna/","@i":312,"@j":"bumper","s1":"hi there"},{"@uri":"http://localhost:8080/jedna/bedna/","@i":312,"@j":"bumper","s1":"hi there"}],"filler2":222,"b":{"@uri":"http://localhost:8080/jedna/bedna/","@i":312,"@j":"bumper","s1":"hi there"}}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage.json
index 308b42b05c..71eec0d1ed 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage.json
@@ -1 +1 @@
-{"registerMessage":{"@requestTime":"1234","@agentUID":"agentKocka"}}
\ No newline at end of file
+{"registerMessage":{"@requestTime":1234,"@agentUID":"agentKocka"}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage_MOXy.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage_MOXy.json
index d288d4976a..e8f42c6c15 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage_MOXy.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_RegisterMessage_MOXy.json
@@ -1 +1 @@
-{"registerMessage":{"@agentUID":"agentKocka","@requestTime":"1234"}}
\ No newline at end of file
+{"registerMessage":{"@agentUID":"agentKocka","@requestTime":1234}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes.json
index 09bb1f5962..9e99fc4406 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes.json
@@ -1 +1 @@
-{"simpleBeanWithAttributes":{"@j":"bumper","@i":"312","@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}}
\ No newline at end of file
+{"simpleBeanWithAttributes":{"@j":"bumper","@i":312,"@uri":"http://localhost:8080/jedna/bedna/","s1":"hi there"}}
\ No newline at end of file
diff --git a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes_MOXy.json b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes_MOXy.json
index 6be03ab389..c492593a9d 100644
--- a/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes_MOXy.json
+++ b/tests/e2e-entity/src/test/resources/org/glassfish/jersey/tests/e2e/json/entity/JettisonMappedJsonTestProvider_SimpleBeanWithAttributes_MOXy.json
@@ -1 +1 @@
-{"simpleBeanWithAttributes":{"@uri":"http://localhost:8080/jedna/bedna/","@i":"312","@j":"bumper","s1":"hi there"}}
\ No newline at end of file
+{"simpleBeanWithAttributes":{"@uri":"http://localhost:8080/jedna/bedna/","@i":312,"@j":"bumper","s1":"hi there"}}
\ No newline at end of file