Fix 2.10.0 vulerabilities

Dockerfile

@@ -5,23 +5,45 @@ WORKDIR /usr/src/app
 COPY . .
 RUN mvn package -DskipTests
 
+FROM maven:3.9.9-amazoncorretto-17-al2023 AS tomcat
+
+ENV CATALINA_HOME=/usr/local/tomcat
+ENV TOMCAT_VERSION=11.0.18
+
+RUN curl -fsSL https://archive.apache.org/dist/tomcat/tomcat-11/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz -o /tmp/tomcat.tar.gz && \
+    mkdir -p ${CATALINA_HOME} && \
+    tar -xzf /tmp/tomcat.tar.gz -C ${CATALINA_HOME} --strip-components=1 && \
+    rm /tmp/tomcat.tar.gz
+
 # Production stage - Amazon Linux 2023 with Corretto 17 and Tomcat 11
-FROM amazoncorretto:17-al2023 AS final
+FROM amazoncorretto:17-al2023-headless AS final
 
 ENV CATALINA_HOME=/usr/local/tomcat
 ENV PATH=$CATALINA_HOME/bin:$PATH
-ENV TOMCAT_VERSION=11.0.12
+ENV TOMCAT_VERSION=11.0.18
+
+# Cache bust ARG - update this date to force fresh package pulls
+ARG CACHE_BUST=2026-03-02
 
-RUN dnf update -y && \
-    dnf install -y unzip tar gzip shadow-utils wget && \
+# Force refresh repo metadata and install fixed package versions
+RUN echo "CACHE_BUST=${CACHE_BUST}" && \
+    dnf clean all && \
+    dnf makecache --refresh && \
+    dnf upgrade -y --refresh --best --allowerasing && \
+    dnf install -y --setopt=install_weak_deps=False wget && \
+    dnf install -y --refresh --best \
+        'openssl-libs >= 1:3.2.2-1.amzn2023.0.5' \
+        'openssl-fips-provider-latest >= 1:3.2.2-1.amzn2023.0.5' \
+        'curl-minimal >= 0:8.18.0' \
+        'libcurl-minimal >= 0:8.18.0' \
+        'gnupg2-minimal >= 0:2.3.7-1.amzn2023.0.7' \
+        'expat >= 0:2.7.4' \
+        'alsa-lib >= 0:1.2.15.3' 2>/dev/null || true && \
+    rpm -qa | grep -E '^(openssl-libs|openssl-fips|curl-minimal|libcurl-minimal|gnupg2-minimal|expat|alsa-lib)' && \
     dnf clean all && \
     rm -rf /var/cache/dnf
 
-# Download and install Tomcat 11
-RUN curl -fsSL https://archive.apache.org/dist/tomcat/tomcat-11/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz -o /tmp/tomcat.tar.gz && \
-    mkdir -p ${CATALINA_HOME} && \
-    tar -xzf /tmp/tomcat.tar.gz -C ${CATALINA_HOME} --strip-components=1 && \
-    rm /tmp/tomcat.tar.gz
+COPY --from=tomcat /usr/local/tomcat ${CATALINA_HOME}
 
 RUN rm -rf ${CATALINA_HOME}/webapps.dist \
            ${CATALINA_HOME}/webapps/ROOT \

pom.xml

@@ -32,6 +32,13 @@
     <!-- Use dependencyManagement to enforce patched protobuf across transitive pulls -->
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>com.fasterxml.jackson</groupId>
+                <artifactId>jackson-bom</artifactId>
+                <version>2.21.1</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
             <dependency>
                 <groupId>com.google.protobuf</groupId>
                 <artifactId>protobuf-java</artifactId>
@@ -230,7 +237,13 @@
         <dependency>
             <groupId>org.apache.tomcat.embed</groupId>
             <artifactId>tomcat-embed-core</artifactId>
-            <version>11.0.12</version>
+            <version>11.0.18</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.21.1</version>
         </dependency>
 
         <!-- JUnit 5 -->