Merge pull request #10 from fpapon/GERONIMO-6843
[GERONIMO-6843] Upgrade dependencies to avoid CVE in ossindex:audit
diff --git a/arthur-maven-plugin/pom.xml b/arthur-maven-plugin/pom.xml
index 0835f87..49bc2ac 100644
--- a/arthur-maven-plugin/pom.xml
+++ b/arthur-maven-plugin/pom.xml
@@ -77,28 +77,35 @@
<dependency>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-core</artifactId>
- <version>0.17.0</version>
+ <version>0.23.0</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>2.13.2.2</version>
+ <version>2.14.1</version>
</dependency>
+
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
- <version>4.5.13</version>
+ <version>4.5.14</version>
</dependency>
+ <dependency><!-- avoid CVE on commons-codec:1.11 in dependency tree from httpclient -->
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>1.15</version>
+ </dependency>
+
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
- <version>30.0-jre</version>
+ <version>31.1-jre</version>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
<artifactId>maven-dependency-tree</artifactId>
- <version>3.0.1</version>
+ <version>3.2.1</version>
</dependency>
<dependency>
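Review bot: The commons-codec 1.15 entry added after httpclient turns a transitive of httpclient into a direct compile dependency of the plugin purely so that Maven's nearest-wins resolution picks it, and the same hand-pin pattern is repeated in winegrower-knight; a `<dependencyManagement>` entry in the parent pom would pin the version wherever commons-codec enters the tree without adding a dependency the plugin code does not itself use. The comment should also cite the finding it works around so the pin can be retired once httpclient pulls a fixed version on its own, e.g. `<!-- pins commons-codec above 1.11 (transitive of httpclient) for the ossindex finding <id>; drop once httpclient's own transitive is >= 1.15 -->`. jib-core 0.17.0 to 0.23.0 is a pre-1.0 API jump, so the plugin's own build should confirm its use of jib-core still compiles; that cannot be checked from this hunk. The dependencies element continues past the end of the hunk.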
@@ -177,4 +184,4 @@
</plugin>
</plugins>
</reporting>
-</project>
\ No newline at end of file
+</project>
diff --git a/documentation/pom.xml b/documentation/pom.xml
index b3a417c..92b5fd2 100644
--- a/documentation/pom.xml
+++ b/documentation/pom.xml
@@ -111,17 +111,17 @@
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
- <version>2.1.0</version>
+ <version>2.5.7</version>
</dependency>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj-diagram</artifactId>
- <version>1.5.18</version>
+ <version>2.2.3</version>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby-complete</artifactId>
- <version>9.2.9.0</version>
+ <version>9.4.0.0</version>
</dependency>
</dependencies>
diff --git a/knights/winegrower-knight/pom.xml b/knights/winegrower-knight/pom.xml
index e4ff2d3..66f9369 100644
--- a/knights/winegrower-knight/pom.xml
+++ b/knights/winegrower-knight/pom.xml
@@ -49,6 +49,11 @@
<artifactId>winegrower-build-common</artifactId>
<version>${winegrower.version}</version>
</dependency>
+ <dependency><!-- avoid CVE on commons-text:1.9 in dependency tree from winegrower-build-common -->
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-text</artifactId>
+ <version>1.10.0</version>
+ </dependency>
<dependency>
<groupId>org.graalvm.nativeimage</groupId>
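Review bot: The direct commons-text 1.10.0 dependency added after winegrower-build-common overrides the transitive 1.9 only for this module, and only because a direct declaration beats a transitive in Maven's nearest-wins resolution; any other module that pulls the same `${winegrower.version}` artifact will presumably still resolve 1.9. A `<dependencyManagement>` entry in the parent pom would apply the pin project-wide and keep it out of this module's published dependency list. The comment should cite the vulnerability id the audit reported so the pin can be retired when winegrower-build-common itself moves off 1.9, e.g. `<!-- pins commons-text >= 1.10.0 over the 1.9 transitive of winegrower-build-common (ossindex finding <id>); drop once the upstream artifact upgrades -->`. The dependencies element continues beyond the hunk.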
diff --git a/pom.xml b/pom.xml
index 62c041a..dd4a228 100644
--- a/pom.xml
+++ b/pom.xml
@@ -225,7 +225,7 @@
<plugin><!-- mvn ossindex:audit -->
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
- <version>3.1.0</version>
+ <version>3.2.0</version>
<executions>
<execution>
<id>audit-dependencies</id>
@@ -237,6 +237,8 @@
</executions>
<configuration>
<scope>compile,runtime</scope>
+ <!-- Exclude for jackson, guava and maven-plugin //todo need to be removed when CVE fixes are released -->
+ <excludeVulnerabilityIds>CWE-346,CVE-2021-26291,CWE-400,sonatype-2022-6438,sonatype-2020-0491,sonatype-2012-0126,sonatype-2020-0926</excludeVulnerabilityIds>
</configuration>
</plugin>
</plugins>
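Review bot: The new excludeVulnerabilityIds list suppresses findings globally rather than per artifact, and two of its entries (`CWE-346`, `CWE-400`) are weakness-class identifiers rather than a specific advisory, so any future OSS Index report filed under those ids against any dependency in scope will be silently hidden from `mvn ossindex:audit`. The todo comment says the exclusions cover jackson, guava and the maven plugin but does not say which id belongs to which artifact, so nobody can tell when an individual entry becomes removable. Prefer scoping the suppression to the affected coordinates (the plugin's `excludeCoordinates` setting, if the version in use supports it), or at least annotate each id with its artifact and the version at which to revisit, e.g. `<!-- TODO(GERONIMO-6843): CWE-400 -> <artifact>:<version>, no fixed release yet; CVE-2021-26291 -> <artifact>:<version>, remove when <fixed version> is adopted -->`. The `//todo` marker inside an XML comment is a C-style leftover; a plain `TODO` with the ticket id reads as intended.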