Update Tomcat to a version >= 9.0.80 and >= 10.1.13

[ThorbenLindhauer]

Acceptance Criteria (Required on creation)

• Tomcat is updated in the Tomcat distribution and Camunda Run
• Where possible, the Spring Boot starter patch level is raised to a version that includes these Tomcat versions

Hints

Links

• https://jira.camunda.com/browse/SEC-495
• https://jira.camunda.com/browse/SEC-681
• https://jira.camunda.com/browse/SEC-722

Breakdown

### Pull Requests
- [ ] https://github.com/camunda/camunda-bpm-platform/pull/3811
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1079
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1080
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1081
- [ ] https://github.com/camunda/camunda-bpm-rpa-bridge-ee/pull/91
- [ ] https://github.com/camunda/camunda-bpm-platform/pull/3888
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1098
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1099
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1100
- [ ] https://github.com/camunda/camunda-bpm-rpa-bridge-ee/pull/94

Dev2QA handover

• [ ] Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment

[ThorbenLindhauer]

@yanavasileva you can try out the new dependency check workflow by adding the workflow file temporarily to the PR: https://github.com/camunda/camunda-bpm-platform/pull/3537/files

[yanavasileva]

To be completed:

• [x] the license check

[yanavasileva]

There is OOM on PR 7.19 spring boot IT stage. Similar issue occurs on the 7.19 branch - already reported https://github.com/camunda/camunda-bpm-platform/issues/3616

[yanavasileva]

No license changes.

[psavidis]

❓ There are some failing PRs e.g for 7.18. Should we run them again before we merge?

[yanavasileva]

There are some failing PRs e.g for 7.18. Should we run them again before we merge?

There is a green execution for 7.18: https://ci-pipeline.cambpm.camunda.cloud/blue/organizations/jenkins/7.18%2Fcambpm-ce%2Fcambpm-main/detail/PR-1081/1/pipeline

I executed the spring boot IT locally and faced no issue on 7.19 and 7.18, so I think the agents on which the stages are executed are running out of memory. I will note that in https://github.com/camunda/camunda-bpm-platform/issues/3616

So I will proceed with the merge.

[yanavasileva]

I will try to update tomcat again as another vulnerability was found out.

[yanavasileva]

Current status:

• CORS tests for Run are failing for all versions with the latest update. The failure seems to be related to the tomcat update (https://tomcat.apache.org/tomcat-9.0-doc/changelog.html). I will investigate further on Monday.

[tasso94]

This change in Tomcat causes the failing tests: https://github.com/apache/tomcat/commit/e610e313765a9724bbba9ca8ceb6f14af9ae9782

I assume the problem is that the tests are designed so that not actual cross-origin requests are asserted. With the new Tomcat patch, CORS headers are removed for requests that are not actual cross-origin requests.

Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=67472

When fixing the tests is not easily possible, we could also consider ignoring these tests and creating a follow-up to investigate how to rewrite them accordingly.

[yanavasileva]

I was able to confirm that the failing tests were not testing cross-origin requests. After adjust the origin the tests are passing. Two tests are removed as obsolete where the same origin was used.

[yanavasileva]

No license updates.

[yanavasileva]

To reviewer: It will be great to manage do the review before end of tomorrow (to have enough time to merge and run the CI before the patch).