Dependency updates to eliminate vulnerabilities discovered by dependency-check

Eliminated all CRITICAL and HIGH except for CVE-2016-1000027 (which more or less forbids the use of Spring since 2016 -- it's moderately controversial.

@road

.gitlab-ci.yml

 include:
   # Security scanning
   - template: Security/SAST.gitlab-ci.yml
+  - template: Security/SAST-IaC.latest.gitlab-ci.yml
   - template: Security/Secret-Detection.gitlab-ci.yml
   - template: Security/Dependency-Scanning.gitlab-ci.yml
 
@@ -27,25 +28,52 @@ default:
     - docker
 
 stages:
-  - test # GitLab security scanning jobs use the 'test' stage
+  - build
+  - test
   - deploy
 
-test:
-  stage: test
+build_jar:
+  stage: build
+  cache:
+    paths:
+      - .m2/repository
   script:
-    - mvn clean $MAVEN_CLI_OPTS verify
+    - mvn $MAVEN_CLI_OPTS clean verify
   artifacts:
     paths:
+      - .m2/
+      - target/
       - uw-spring-security-config/target/dependency-check-report.html
       - uw-spring-security-core/target/dependency-check-report.html
       - uw-spring-security-sample-war/target/dependency-check-report.html
       - uw-spring-security-web/target/dependency-check-report.html
-    expire_in: 1 year
+    expire_in: 1 week
+
+secret_detection:
+  needs: []
+
+semgrep-sast:
+  needs: []
+
+gemnasium-maven-dependency_scanning:
+  variables:
+    DS_JAVA_VERSION: 8
+  needs:
+    - build_jar
+
+spotbugs-sast:
+  tags:
+  needs:
+    - build_jar
+  variables:
+    SAST_JAVA_VERSION: 8
+    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
+    COMPILE: "false"
 
 deploy:
   stage: deploy
   only:
-    - main
+    - trunk
   script:
     - env
     - mvn $MAVEN_CLI_OPTS deploy -Pdeploy -X