authorMartin Stockhammer <martin_s@apache.org>2021-05-25 19:35:54 +0200
committerMartin Stockhammer <martin_s@apache.org>2021-05-25 19:35:54 +0200
commitfe117fcc4be288a37db07788a2fd3cc857beeb28 (patch)
tree00d3c7f1b2370c623b8652af7c11a7502b318d85
parente67e7cdc7c936e2f5c12209a221fcb0aea24f1a7 (diff)
Upgrading transient dependencies to address vulnerability report
-rw-r--r--archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml34
1 files changed, 10 insertions, 24 deletions
diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
index 36bf6a218..fc76755f2 100644
--- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
+++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
@@ -161,10 +161,16 @@
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</exclusion>
+ <!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. -->
<exclusion>
<groupId>com.addthis.metrics</groupId>
<artifactId>reporter-config3</artifactId>
</exclusion>
+ <!-- Version upgrade, see below -->
+ <exclusion>
+ <groupId>org.apache.tika</groupId>
+ <artifactId>tika-core</artifactId>
+ </exclusion>
</exclusions>
</dependency>
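Review bot: The new comment above the `reporter-config3` exclusion says the transitive hibernate-validator is vulnerable but does not identify the report, so a later maintainer cannot tell when the exclusion may safely be dropped. I would name the source in the comment, for example `<!-- Excluded: pulls in an outdated, vulnerable hibernate-validator (see <ISSUE-OR-ADVISORY-ID>); not needed by archiva. -->`. Likewise `<!-- Version upgrade, see below -->` on the tika-core exclusion could say that the replacement is the explicit `org.apache.tika:tika-core` dependency declared later in this pom. The enclosing `<dependency>` starts outside the hunk, so the artifact these exclusions apply to is not visible here. If any other dependency of this module also brings in reporter-config3, it would need the same exclusion.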
@@ -223,18 +229,11 @@
<artifactId>jbcrypt</artifactId>
<version>0.4</version>
</dependency>
- <!--
- <dependency>
- <groupId>org.codehaus.jackson</groupId>
- <artifactId>jackson-core-asl</artifactId>
- <version>1.9.13</version>
- </dependency>
<dependency>
- <groupId>org.codehaus.jackson</groupId>
- <artifactId>jackson-mapper-asl</artifactId>
- <version>1.9.13</version>
+ <groupId>org.apache.tika</groupId>
+ <artifactId>tika-core</artifactId>
+ <version>1.26</version>
</dependency>
- -->
<!-- Transitive dependency. Declared here to increase the version. -->
<dependency>
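Review bot: The added `tika-core` dependency hard-codes `<version>1.26</version>` and carries no comment, whereas the dependency after it is introduced by `<!-- Transitive dependency. Declared here to increase the version. -->`. I would give it the same kind of comment, e.g. `<!-- Transitive dependency of cassandra. Declared here to raise the version flagged in the vulnerability report. -->`. If the parent pom has a `dependencyManagement` section (not visible here), the version belongs there, so that every module resolving tika-core gets the patched release rather than only this one. Running `mvn dependency:tree -Dincludes=org.apache.tika` on the module after the change would confirm that no older tika-core still resolves through another path. The surrounding `<dependencies>` block starts and ends outside the hunk.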
@@ -252,20 +251,7 @@
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
</dependency>
- <!-- Dependency of cassandra -> replacing by new version -->
-<!--
- <dependency>
- <groupId>org.hibernate</groupId>
- <artifactId>hibernate-validator</artifactId>
- <version>4.3.2.Final</version>
- <exclusions>
- <exclusion>
- <groupId>javax.validation</groupId>
- <artifactId>validation-api</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
--->
+
<!-- TEST Scope -->
<dependency>
<groupId>org.apache.archiva</groupId>