fix(security): Patch Spring4Shell RCE — upgrade Spring Boot 2.2.6 → 2.7.18 [COG-423]

[devin-ai-integration]

Summary

Remediates CVE-2022-22965 (Spring4Shell) — a critical (CVSS 9.8) Remote Code Execution vulnerability in org.springframework:spring-beans@5.2.5.RELEASE, which was transitively pulled by Spring Boot 2.2.6.RELEASE.

Root cause: Spring MVC data binding on JDK 9+ allowed attackers to manipulate class.module.classLoader properties to achieve RCE by reaching Tomcat's AccessLogValve. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.

Fix applied:

• Upgraded spring-boot-starter-parent from 2.2.6.RELEASE → 2.7.18 in monolith/pom.xml
• This pulls Spring Framework 5.3.31 (≥ 5.3.18 fix threshold), which restricts property access through CachedIntrospectionResults to block class loader traversal
• Added spring-boot-starter-validation as an explicit dependency (required since Spring Boot 2.3+ no longer bundles it in spring-boot-starter-web)

Tests added (3 new tests):

• Spring4Shell_ClassLoaderNotBindable_CVE_2022_22965 — uses BeanWrapperImpl to verify class.module.classLoader is not reachable as a readable property (the exact mechanism patched in 5.3.18)
• Spring4Shell_ClassPropertyValueIsNull_CVE_2022_22965 — attempts to resolve class.module.classLoader via getPropertyValue() and asserts it throws or returns null
• Spring4Shell_FrameworkVersionPatched_CVE_2022_22965 — asserts the resolved Spring Framework version meets the minimum patched version (5.3.18+)

Verification: All 10 tests pass (7 existing + 3 new). spring-beans resolved to 5.3.31.

Review & Testing Checklist for Human

• Verify spring-beans version in dependency tree is ≥ 5.3.18 (./mvnw dependency:tree | grep spring-beans)
• Run ./mvnw clean test — all 10 tests should pass
• Spot-check that spring-boot-starter-validation addition doesn't change API behavior (validation annotations were already in the codebase, just missing the transitive dep)
• Start the app (./mvnw spring-boot:run) and verify /bonds, /counterparties, /rfqs endpoints respond correctly

Notes

• The Spring Boot 2.2 → 2.7 upgrade is a minor version bump within the 2.x line; the main breaking change was the removal of hibernate-validator from spring-boot-starter-web (addressed by adding spring-boot-starter-validation)
• No source code changes were required beyond pom.xml — all existing APIs, entities, and DTOs are fully compatible with Spring Boot 2.7
• Linear ticket: COG-423
• Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751

Link to Devin session: https://app.devin.ai/sessions/1efea42db4f741119f3e7c0d6115954f
Requested by: @patrickbradley-cog

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring