chore: upgrade appsec kit to 4.0.2 [skip ci] #8766

Merged
ZheSun88 merged 2 commits into main from ZheSun88-patch-18
Apr 15, 2026

Conversation

@ZheSun88
Contributor

No description provided.

@github-actions

github-actions bot commented Apr 15, 2026

Dependencies Report

  • 🚫 Vulnerabilities:

    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/[email protected] [CVE-2026-34500, CVE-2026-34486, CVE-2026-34483, CVE-2026-34487, BIT-tomcat-2026-34500, BIT-tomcat-2026-34486, BIT-tomcat-2026-34483, BIT-tomcat-2026-34487] (osv-bomber,osv-scan,owasp)
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/[email protected] [BIT-tomcat-2026-34500, CVE-2026-34500, BIT-tomcat-2026-34486, CVE-2026-34486, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/[email protected] [BIT-tomcat-2026-34500, CVE-2026-34500, BIT-tomcat-2026-34486, CVE-2026-34486, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
  • 🟠 Known Vulnerabilities:

    • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
      👌 Wait for the update from the jcefmaven community. Meanwhile, the swing-kit is supposed to be used with fixed websites and not to browse the internet; we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. So this vulnerability is not classified by us as a critical issue.
      · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
      · cpe:2.3:a:ada:ada::::::::
    • Vulnerabilities in: pkg:maven/org.codehaus.plexus/[email protected] [CVE-2025-67030] (owasp)
      👌 FP: based on GHSA-6fmv-xxpf-w3cw, version 3.6.1 should have the fix.
      · cpe:2.3:a:codehaus-plexus:plexus-utils::::::::
  • 📔 Found Core License Issues:

  • 📔 No License Issues

  • 🟠 Changes in 25.2-SNAPSHOT since V25.2.0-alpha2

    • 263 packages removed (263 external, 0 vaadin)
    • 7 packages added (7 external, 0 vaadin)
    • 131 packages modified (31 external, 100 vaadin)
    • 514 packages same (379 external, 135 vaadin)


@ZheSun88 ZheSun88 merged commit 2f3bf98 into main Apr 15, 2026
3 of 4 checks passed
@ZheSun88 ZheSun88 deleted the ZheSun88-patch-18 branch April 15, 2026 10:03
@vaadin-bot
Contributor

Hi @ZheSun88 and @ZheSun88, when I performed a cherry-pick of this commit to 25.1, I encountered the following issue. Can you take a look and pick it manually?
Error Message:
Error: Command failed: git cherry-pick 2f3bf98
error: could not apply 2f3bf98... chore: upgrade appsec kit to 4.0.2 (#8766)
hint: After resolving the conflicts, mark them with
hint: "git add/rm ", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
