From 1eea033164937595872997ef8448d3604600f4cf Mon Sep 17 00:00:00 2001 From: Joe Di Pol Date: Thu, 22 Feb 2024 10:50:25 -0800 Subject: [PATCH 1/2] Supress flase postives around plexus --- etc/dependency-check-suppression.xml | 39 +++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/etc/dependency-check-suppression.xml b/etc/dependency-check-suppression.xml index 8370d7608..29dd8df11 100644 --- a/etc/dependency-check-suppression.xml +++ b/etc/dependency-check-suppression.xml @@ -7,11 +7,38 @@ These are FPs. See https://github.com/jeremylong/DependencyCheck/issues/5973 --> - - ^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$ - CVE-2022-4244 - CVE-2022-4245 - - + + ^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$ + CVE-2022-4244 + CVE-2022-4245 + + + + ^pkg:maven/org\.codehaus\.plexus/plexus\-java@.*$ + CVE-2022-4244 + + + + ^pkg:maven/org\.codehaus\.plexus/plexus\-java@.*$ + CVE-2022-4245 + + + + ^pkg:maven/org\.codehaus\.plexus/plexus\-velocity@.*$ + CVE-2022-4244 + + + + ^pkg:maven/org\.codehaus\.plexus/plexus\-velocity@.*$ + CVE-2022-4245 + From fc353e7d8d9b016b10533d9f6d35220ee924aadf Mon Sep 17 00:00:00 2001 From: Joe Di Pol Date: Thu, 22 Feb 2024 10:51:35 -0800 Subject: [PATCH 2/2] Upgrade junit to 5.9.3. wagon-http to 3.5.3. Exclude jgit and ivy transative deps --- pom.xml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index d6e68844f..73538ef2e 100644 --- a/pom.xml +++ b/pom.xml @@ -140,7 +140,7 @@ 2.3.0.1 2.3.3 1.1.4 - 5.8.0-M1 + 5.9.3 1.8.0-M1 4.13.1 0.16.0 @@ -168,7 +168,7 @@ 1.7.25 2.0 3.1.12 - 3.3.4 + 3.5.3 1.10.0 + org.apache.ivy + ivy + + org.apache.maven.wagon
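Review bot: The new plexus-java and plexus-velocity entries match `@.*$`, so every future version of those artifacts stays suppressed for CVE-2022-4244 and CVE-2022-4245 with no expiry, even though the header comment justifies them only by an open upstream false-positive report (DependencyCheck issue 5973). A suppression tied to an upstream bug should carry an `until` date, e.g. `<suppress until="[REVIEW-DATE]Z">`, so the scanner stops honouring it once that issue is resolved, and a `<notes>` element stating why each artifact is a false positive; the regex is deliberately narrow and does not appear to cover plexus-utils, which is presumably the artifact the two CVEs actually describe — confirm before recording that. Splitting plexus-java and plexus-velocity into one entry per CVE is also inconsistent with the existing entry, which lists both `<cve>` elements under a single packageUrl; one entry per artifact keeps the file easier to audit. Element markup is stripped in this view, so the exact layout of the new entries could not be checked.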