Update Spring AI to 2.0.0-M4 (#1316) (#1325)

Author: labkey-adam

build.gradle

@@ -59,6 +59,7 @@ allprojects {
         JavaCompile compile ->
             compile.options.incremental = true  // Gradle 3.4
             compile.options.encoding = 'UTF-8'
+            compile.options.compilerArgs << '-parameters'  // Preserve method parameter names for Spring AI reflection
     }
 }
 
@@ -347,6 +348,14 @@ allprojects {
                     // Force consistency for dependencies from pipeline and query
                     force "org.dom4j:dom4j:${dom4jVersion}"
 
+                    // Force spring-ai components to bring in spring-* versions that match the rest of spring
+                    force "org.springframework:spring-context-support:${springVersion}"
+                    force "org.springframework:spring-messaging:${springVersion}"
+                    force "org.springframework:spring-webflux:${springVersion}"
+
+                    // spring-ai dependency. Force to mitigate a CVE.
+                    force "io.modelcontextprotocol.sdk:mcp:${modelContextProtocolVersion}"
+
                     // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
@@ -362,6 +371,9 @@ allprojects {
                     // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031
                     force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}"
 
+                    // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs.
+                    force "tools.jackson.core:jackson-core:${jackson3Version}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

dependencyCheckSuppression.xml

@@ -255,4 +255,24 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
         <cve>CVE-2026-23907</cve>
     </suppress>
+
+    <!--
+    False-positives
+    https://github.com/dependency-check/DependencyCheck/issues/8391
+    https://github.com/dependency-check/DependencyCheck/issues/8392
+    -->
+    <suppress>
+        <notes><![CDATA[
+   file name: mcp-spring-webmvc-2.0.0-M3.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:server</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: mcp-spring-webmvc-2.0.0-M3.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
+        <cpe>cpe:/a:vmware:vmware_server</cpe>
+    </suppress>
 </suppressions>

gradle.properties

@@ -252,6 +252,9 @@ lombokVersion=1.18.42
 
 luceneVersion=10.3.2
 
+# Spring-AI dependency that's showing a CVE
+modelContextProtocolVersion=1.1.1
+
 mssqlJdbcVersion=13.2.1.jre11
 
 objenesisVersion=1.0
@@ -291,10 +294,10 @@ slf4jLog4jApiVersion=2.0.17
 snappyJavaVersion=1.1.10.8
 
 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
-springBootVersion=4.0.3
+springBootVersion=4.0.4
 # This usually matches the Spring Framework version dictated by springBootVersion
-springVersion=7.0.5
-springAiVersion=2.0.0-M2
+springVersion=7.0.6
+springAiVersion=2.0.0-M4
 
 sqliteJdbcVersion=3.51.1.0