chore: [DevOps] bump the production-major group across 1 directory with 2 updates

[dependabot]

Bumps the production-major group with 2 updates in the / directory: com.sap.cloud.security:java-bom and org.checkerframework:checker-qual.

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.12

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

... (truncated)

Commits

• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates org.checkerframework:checker-qual from 3.54.0 to 4.0.0

Release notes

Sourced from org.checkerframework:checker-qual's releases.

Release 4.0.0 of the Checker Framework

Version 4.0.0 (2026-04-07)

User-visible changes

To run the Checker Framework, you need to use a JDK 17 or later version of javac. That is, you need to use JDK 17 or later when compiling your code.

The Checker Framework can type-check any Java project, including projects that compile to Java 8 or 11 bytecodes and run on JRE versions 8 or 11. That is, your code can run under any release of Java, from Java 8 onward.

The type qualifiers and utility libraries in checker-qual.jar and checker-util.jar still use Java 11 bytecode. Thus, they may be used in projects that run under Java 11 or later.

Changes since version 3.0.0

Since version 3.0.0, 91 authors have made over 4500 commits and closed over 600 issues. Thanks to everyone who contributed!

New checkers include:

• The Index Checker warns about out-of-bounds accesses to arrays and strings.
• The Initialized Fields Checker warns if a constructor does not initialize a field.
• The Resource Leak Checker guarantees that every resource is closed rather than leaked. Examples of resources are a channel, executor, ExecutionControl, file, FileLock, Formatter, reader, Scanner, socket, stream, writer, etc.
• The SQL Quotes Checker helps prevent SQL injection vulnerabilities.

New command-line arguments include:

• -AskipFiles, -AonlyFiles
• -AassumeSideEffectFree, -AassumeDeterministic, -AassumePure, -AassumePureGetters
• -AuseConservativeDefaultsForUncheckedCode
• -AignoreRawTypeArguments
• -AwarnRedundantAnnotations
• -Ainfer=ajava, -AinferOutputDirectory, -AinferOutputOriginal, -AshowWpiFailedInferences
• -AshowSuppressWarningsStrings, -AwarnUnneededSuppressionsExceptions
• -AshowPrefixInWarningMessages
• -AstubNoWarnIfNotFound, -AstubWarnNote, -AmergeStubsWithSource
• -Aonelinemsg, -AdumpOnErrors, -AexceptionLineSeparator
• -ApermitMissingJdk, -AparseAllJdk
• -AslowTypecheckingSeconds
• -Aversion, -AprintGitProperties
• You can pass an option to only a particular checker (not all checkers) by using an underscore prefix.

Other improvements include thousands of enhancements and bug fixes -- too many to list here.

Implementation details

All previously-deprecated methods and classes have been removed. If your project builds upon the Checker Framework, we suggest that you upgrade to version 3.55.1, resolve all the deprecation warnings, then upgrade to version 4.0.0.

Checker Framework 3.55.1

Version 3.55.1 (2026-04-03)

No user-visible changes.

... (truncated)

Changelog

Sourced from org.checkerframework:checker-qual's changelog.

Version 4.0.0 (2026-04-07)

User-visible changes

To run the Checker Framework, you need to use a JDK 17 or later version of javac. That is, you need to use JDK 17 or later when compiling your code.

The Checker Framework can type-check any Java project, including projects that compile to Java 8 or 11 bytecodes and run on JRE versions 8 or 11. That is, your code can run under any release of Java, from Java 8 onward.

The type qualifiers and utility libraries in checker-qual.jar and checker-util.jar still use Java 11 bytecode. Thus, they may be used in projects that run under Java 11 or later.

Changes since version 3.0.0

Since version 3.0.0, 91 authors have made over 4500 commits and closed over 600 issues. Thanks to everyone who contributed!

New checkers include:

• The Index Checker warns about out-of-bounds accesses to arrays and strings.
• The Initialized Fields Checker warns if a constructor does not initialize a field.
• The Resource Leak Checker guarantees that every resource is closed rather than leaked. Examples of resources are a channel, executor, ExecutionControl, file, FileLock, Formatter, reader, Scanner, socket, stream, writer, etc.
• The SQL Quotes Checker helps prevent SQL injection vulnerabilities.

New command-line arguments include:

• -AskipFiles, -AonlyFiles
• -AassumeSideEffectFree, -AassumeDeterministic, -AassumePure, -AassumePureGetters
• -AuseConservativeDefaultsForUncheckedCode
• -AignoreRawTypeArguments
• -AwarnRedundantAnnotations
• -Ainfer=ajava, -AinferOutputDirectory, -AinferOutputOriginal, -AshowWpiFailedInferences
• -AshowSuppressWarningsStrings, -AwarnUnneededSuppressionsExceptions
• -AshowPrefixInWarningMessages
• -AstubNoWarnIfNotFound, -AstubWarnNote, -AmergeStubsWithSource
• -Aonelinemsg, -AdumpOnErrors, -AexceptionLineSeparator
• -ApermitMissingJdk, -AparseAllJdk
• -AslowTypecheckingSeconds

... (truncated)

Commits

• 479d087 new release 4.0.0
• bfff757 Put the manual in the right place.
• c532f6d Put a copy of manual.pdf at top level of website as expected.
• 5e53e6c No closed issues.
• e67ae85 Prep for release.
• 4192d0d Remove file SKIP-REQUIRE-JAVADOC
• 7d6d856 Remove or update references to JDK 8-16
• b1e3761 Remove all deprecated methods
• a1b3064 Directly use Java 17 and below Javac APIs. (#7582)
• 4efdbdb Remove support for Java 8 from scripts and build scripts. (#7575)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[CharlesDuboisSAP]

BLI: Security library v4 update