java: Deprecate FServlet

[brettkail-wk]

Story:

Jakarta EE has renamed all packages to jakarta.. #1410 added FJakartaServlet as a replacement. We would like to remove FServlet in the future, so start warning developers that FServlet is going away.

How To Test:

N/A. Deprecation only.

Reviewers:

@Workiva/service-platform

[aviary2-wf]

Security Insights

(5) Vulnerable direct dependencies were detected

1 vulns in aiohttp via lib/python/requirements_dev_asyncio.txt

1 vulns in github.com/nats-io/nats-server/v2 via lib/go/go.mod

1 vulns in org.apache.thrift:libthrift via lib/java/pom.xml

1 vulns in org.apache.thrift:libthrift via test/integration/java/frugal-integration-test/pom.xml

1 vulns in org.nanohttpd:nanohttpd via test/integration/java/frugal-integration-test/pom.xml with no fix reported by GitHub

Action Items

• Review dependencies for available updates
• See this Splunk dashboard for more CVE details
• Review PR for security impact; comment "security review required" if needed or unsure
• Verify aviary.yaml coverage of security relevant code

---

Questions or Comments? Reach out on Slack: #support-infosec.

[macleodbroad-wf]

Anything holding back a merge here, or are we OK to call rosie?

[brettkail-wk]

From Workiva-internal discussions, Spring won't support jakarta.servlet until Q4, so services using Spring can't actually take action on the deprecation warnings until then, so we're going to hold off for now.