[7.67.x-blue] RHPAM-3709: upgrade maven dependencies to address CVE-2…

…021-26291 (#3044) * RHPAM-3709: upgrade maven dependencies to address CVE-2021-26291 * adding exclusions for jcl-over-slf4j in jbpm-spring-boot-autoconfiguration <exclusions> <exclusion> <groupId>org.slf4j</groupId> <artifactId>jcl-over-slf4j</artifactId> </exclusion> </exclusions> --------- Co-authored-by: Alex Porcelli <alex@porcelli.me> Co-authored-by: Marek Novotný <hotmana76@gmail.com>
kiegroup · Apr 3, 2024 · f89371b · f89371b
1 parent 11f3b99
commit f89371b
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 18 deletions.
diff --git a/kie-maven-plugin/pom.xml b/kie-maven-plugin/pom.xml
@@ -70,6 +70,10 @@
   </dependencyManagement>
 
   <dependencies>
+    <dependency>
+      <groupId>jakarta.inject</groupId>
+      <artifactId>jakarta.inject-api</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-artifact</artifactId>
@@ -80,15 +84,7 @@
       <exclusions>
         <exclusion>
           <groupId>org.sonatype.sisu</groupId>
-          <artifactId>sisu-guice</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.inject</groupId>
-          <artifactId>javax.inject</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>aopalliance</groupId>
-          <artifactId>aopalliance</artifactId>
+          <artifactId>sisu-inject-plexus</artifactId>
         </exclusion>
       </exclusions>
     </dependency>

diff --git a/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java b/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java
@@ -50,14 +50,14 @@
 import org.apache.maven.project.ProjectBuildingRequest;
 import org.apache.maven.repository.RepositorySystem;
 import org.apache.maven.settings.Settings;
-import org.apache.maven.shared.artifact.ArtifactCoordinate;
-import org.apache.maven.shared.artifact.DefaultArtifactCoordinate;
-import org.apache.maven.shared.artifact.resolve.ArtifactResolver;
-import org.apache.maven.shared.artifact.resolve.ArtifactResolverException;
-import org.apache.maven.shared.artifact.resolve.ArtifactResult;
-import org.apache.maven.shared.dependencies.DefaultDependableCoordinate;
-import org.apache.maven.shared.dependencies.resolve.DependencyResolver;
-import org.apache.maven.shared.dependencies.resolve.DependencyResolverException;
+import org.apache.maven.shared.transfer.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
+import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate;
+import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
+import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
 import org.apache.maven.shared.utils.StringUtils;
 import org.apache.maven.shared.utils.WriterFactory;
 import org.apache.maven.shared.utils.io.IOUtil;

diff --git a/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml b/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml
@@ -114,6 +114,11 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <scope>test</scope>
+    </dependency>
 
   </dependencies>
 

diff --git a/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml b/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml
@@ -94,6 +94,12 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <!-- This is an artificial dependency to make sure the kie-server-tests modules are executed one at a time during
          parallel build (otherwise the tests fail because of conflicting port binding) -->
     <dependency>

diff --git a/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml b/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml
@@ -59,6 +59,12 @@
     <dependency>
       <groupId>org.jbpm</groupId>
       <artifactId>jbpm-workitems-rest</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl-over-slf4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.jbpm</groupId>
@@ -95,6 +101,12 @@
     <dependency>
       <groupId>org.jbpm</groupId>
       <artifactId>jbpm-human-task-audit</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl-over-slf4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.jbpm</groupId>
@@ -249,4 +261,4 @@
       </exclusions>
     </dependency>
   </dependencies>
-</project>
+</project>