From fe117fcc4be288a37db07788a2fd3cc857beeb28 Mon Sep 17 00:00:00 2001
From: Martin Stockhammer <martin_s@apache.org>
Date: Tue, 25 May 2021 19:35:54 +0200
Subject: [PATCH] Upgrading transient dependencies to address vulnerability
 report

---
 .../metadata-store-cassandra/pom.xml          | 34 ++++++-------------
 1 file changed, 10 insertions(+), 24 deletions(-)

diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
index 36bf6a218..fc76755f2 100644
--- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
+++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
@@ -161,10 +161,16 @@
           <groupId>com.fasterxml.jackson.core</groupId>
           <artifactId>jackson-core</artifactId>
         </exclusion>
+        <!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. -->
         <exclusion>
           <groupId>com.addthis.metrics</groupId>
           <artifactId>reporter-config3</artifactId>
         </exclusion>
+        <!-- Version upgrade, see below -->
+        <exclusion>
+          <groupId>org.apache.tika</groupId>
+          <artifactId>tika-core</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -223,18 +229,11 @@
       <artifactId>jbcrypt</artifactId>
       <version>0.4</version>
     </dependency>
-    <!--
-    <dependency>
-      <groupId>org.codehaus.jackson</groupId>
-      <artifactId>jackson-core-asl</artifactId>
-      <version>1.9.13</version>
-    </dependency>
     <dependency>
-      <groupId>org.codehaus.jackson</groupId>
-      <artifactId>jackson-mapper-asl</artifactId>
-      <version>1.9.13</version>
+      <groupId>org.apache.tika</groupId>
+      <artifactId>tika-core</artifactId>
+      <version>1.26</version>
     </dependency>
-    -->
 
     <!-- Transitive dependency. Declared here to increase the version. -->
     <dependency>
@@ -252,20 +251,7 @@
       <groupId>org.jboss.logging</groupId>
       <artifactId>jboss-logging</artifactId>
     </dependency>
-    <!-- Dependency of cassandra -> replacing by new version -->
-<!--
-    <dependency>
-      <groupId>org.hibernate</groupId>
-      <artifactId>hibernate-validator</artifactId>
-      <version>4.3.2.Final</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.validation</groupId>
-          <artifactId>validation-api</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
--->
+
     <!-- TEST Scope -->
     <dependency>
       <groupId>org.apache.archiva</groupId>
-- 
2.39.5