Updating dependency with owasp check

archiva-jetty/pom.xml

                   <systemProperty>archiva.cassandra.configuration.file=%ARCHIVA_BASE%/conf/archiva-cassandra.properties</systemProperty>
                   <systemProperty>org.apache.jackrabbit.core.state.validatehierarchy=true</systemProperty>
                 </systemProperties>
-                <extraArguments>
-                  <extraArgument>-XX:MaxPermSize=128m</extraArgument>
-                </extraArguments>
                 <initialMemorySize>512</initialMemorySize>
                 <maxMemorySize>512</maxMemorySize>
               </jvmSettings>
           <finalName>apache-archiva-${project.version}</finalName>
         </configuration>
       </plugin>
+
+
     </plugins>
     <pluginManagement>
       <plugins>

archiva-modules/archiva-web/archiva-rss/pom.xml

         <artifactId>maven-surefire-plugin</artifactId>
         <configuration>
           <reuseForks>false</reuseForks>
-          <!--
-                    <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
-          -->
-          <argLine>-Xms512m -Xmx1024m -server -XX:MaxPermSize=256m</argLine>
+          <argLine>-Xms512m -Xmx1024m -server</argLine>
           <systemPropertyVariables>
             <appserver.base>${project.build.directory}/appserver-base</appserver.base>
             <plexus.home>${project.build.directory}/appserver-base</plexus.home>

archiva-modules/archiva-web/archiva-web-common/pom.xml

         <artifactId>maven-surefire-plugin</artifactId>
         <configuration>
           <reuseForks>false</reuseForks>
-<!--
-          <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m @{jacocoproperty}</argLine>
--->
-          <argLine>-Xms1024m -Xmx2048m -server -XX:MaxPermSize=256m</argLine>
+          <argLine>-Xms1024m -Xmx2048m -server</argLine>
           <systemPropertyVariables>
             <appserver.base>${project.build.directory}/appserver-base</appserver.base>
             <plexus.home>${project.build.directory}/appserver-base</plexus.home>

archiva-modules/archiva-web/archiva-webapp/pom.xml

               <exclude>src/test/repositories/test-repo/**</exclude>
               <exclude>src/main/resources/META-INF/services/*</exclude>
               <exclude>src/main/resources/META-INF/cxf/*</exclude>
+              <exclude>src/main/resources/META-INF/owasp/cve-suppressions.xml</exclude>
             </excludes>
           </configuration>
         </plugin>
         </configuration>
       </plugin>
 
+
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>5.3.2</version>
+        <configuration>
+          <skipProvidedScope>true</skipProvidedScope>
+          <failBuildOnCVSS>8</failBuildOnCVSS>
+          <suppressionFile>${project.basedir}/src/main/resources/META-INF/owasp/cve-suppressions.xml</suppressionFile>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 

archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress until="2020-09-01Z">
+    <notes><![CDATA[
+   file name: jackson-mapper-asl-1.9.2.jar is a dependency of cassandra - Waiting for update of cassandra
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+    <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
+    <cpe>cpe:/a:fasterxml:jackson</cpe>
+    <vulnerabilityName>CVE-2017-15095</vulnerabilityName>
+    <vulnerabilityName>CVE-2017-7525</vulnerabilityName>
+    <vulnerabilityName>CVE-2017-17485</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-5968</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-14718</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-7489</vulnerabilityName>
+    <vulnerabilityName>CVE-2018-1000873</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-14540</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-14893</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-16335</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-17267</vulnerabilityName>
+    <vulnerabilityName>CVE-2020-10672</vulnerabilityName>
+    <vulnerabilityName>CVE-2020-10673</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+   False positive for oak-jcr packages
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/oak\-.*@.*$</packageUrl>
+    <cpe>cpe:/a:apache:jackrabbit</cpe>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
+    Updated netty to higher version
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport@.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    False positive for oak-segment-tar-1.30.0.jar: netty-transport-4.1.14.Final.jar
+    Updated netty to higher version
+   ]]></notes>
+    <packageUrl regex="true">^.*oak-segment-tar.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: oak-segment-tar-1.30.0.jar: netty-codec-4.1.14.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
+    <cpe>cpe:/a:netty:netty</cpe>
+    <vulnerabilityName>CVE-2020-11612</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20445</vulnerabilityName>
+    <vulnerabilityName>CVE-2019-20444</vulnerabilityName>
+  </suppress>
+
+</suppressions>

archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml

 
   <properties>
     <site.staging.base>${project.parent.parent.basedir}</site.staging.base>
-    <cassandraVersion>3.11.2</cassandraVersion>
+    <cassandraVersion>3.11.6</cassandraVersion>
   </properties>
 
   <dependencies>
           <groupId>org.jboss.logging</groupId>
           <artifactId>jboss-logging</artifactId>
         </exclusion>
+
       </exclusions>
     </dependency>
 
         </exclusion>
       </exclusions>
     </dependency>
-
     <dependency>
       <groupId>org.apache.cassandra</groupId>
       <artifactId>cassandra-thrift</artifactId>
-      <version>3.11.2</version>
+      <version>${cassandraVersion}</version>
       <exclusions>
         <exclusion>
           <groupId>javax.servlet</groupId>
           <artifactId>servlet-api</artifactId>
         </exclusion>
+          <exclusion>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+          </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.apache.thrift</groupId>
+      <artifactId>libthrift</artifactId>
+      <version>0.13.0</version>
+    </dependency>
+    <!--
+    <dependency>
+      <groupId>org.codehaus.jackson</groupId>
+      <artifactId>jackson-core-asl</artifactId>
+      <version>1.9.13</version>
+    </dependency>
+    <dependency>
+      <groupId>org.codehaus.jackson</groupId>
+      <artifactId>jackson-mapper-asl</artifactId>
+      <version>1.9.13</version>
+    </dependency>
+    -->
+
+    <!-- Transitive dependency. Declared here to increase the version. -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-all</artifactId>
+      <version>${netty.version}</version>
+    </dependency>
 
     <!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
     <dependency>
       <groupId>org.jboss.logging</groupId>
       <artifactId>jboss-logging</artifactId>
     </dependency>
+    <!-- Dependency of cassandra -> replacing by new version -->
+    <dependency>
+      <groupId>org.hibernate</groupId>
+      <artifactId>hibernate-validator</artifactId>
+      <version>4.3.2.Final</version>
+    </dependency>
 
 
     <!-- TEST Scope -->
 
 
   </dependencies>
+
   <build>
     <testResources>
       <testResource>

archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/pom.xml

     <dependency>
       <groupId>org.apache.jackrabbit</groupId>
       <artifactId>oak-segment-tar</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-transport</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-resolver</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-handler</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-common</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-codec</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-buffer</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.jackrabbit</groupId>
       <groupId>org.apache.jackrabbit</groupId>
       <artifactId>oak-core</artifactId>
     </dependency>
+    <!-- netty is a transitive dependencies of oak-segment-tar
+     increasing version -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-transport</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-resolver</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-buffer</artifactId>
+    </dependency>
+
+
 
     <dependency>
       <groupId>javax.inject</groupId>

archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java

 import org.apache.jackrabbit.oak.plugins.index.lucene.hybrid.NRTIndexFactory;
 import org.apache.jackrabbit.oak.plugins.index.lucene.property.PropertyIndexCleaner;
 import org.apache.jackrabbit.oak.plugins.index.lucene.reader.DefaultIndexReaderFactory;
-import org.apache.jackrabbit.oak.plugins.index.lucene.score.ScorerProviderFactory;
-import org.apache.jackrabbit.oak.plugins.index.lucene.score.impl.ScorerProviderFactoryImpl;
 import org.apache.jackrabbit.oak.plugins.index.lucene.util.IndexDefinitionBuilder;
 import org.apache.jackrabbit.oak.plugins.index.search.ExtractedTextCache;
 import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants;
 
     private LuceneIndexProvider indexProvider;
 
-    private ScorerProviderFactory scorerFactory = new ScorerProviderFactoryImpl( );
     private IndexAugmentorFactory augmentorFactory = new IndexAugmentorFactory( );
 
     private ActiveDeletedBlobCollectorFactory.ActiveDeletedBlobCollector activeDeletedBlobCollector = ActiveDeletedBlobCollectorFactory.NOOP;
 
         tracker = createTracker();
 
-        indexProvider = new LuceneIndexProvider(tracker, scorerFactory, augmentorFactory);
+        indexProvider = new LuceneIndexProvider(tracker, augmentorFactory);
 
         initialize();
         registerObserver();

archiva-modules/pom.xml

         </reportSets>
       </plugin>
 
-
-
     </plugins>
   </reporting>
 

pom.xml

     <javax.jcr.version>2.0</javax.jcr.version>
     <!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
          to adapt to dependency changes -->
-    <jcr-oak.version>1.22.3</jcr-oak.version>
+    <jcr-oak.version>1.30.0</jcr-oak.version>
+    <netty.version>4.1.50.Final</netty.version>
 
 
     <!-- Jackrabbit classes are still used for webdav -->
         <groupId>org.apache.jackrabbit</groupId>
         <artifactId>oak-segment-tar</artifactId>
         <version>${jcr-oak.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-transport</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-resolver</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-common</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-buffer</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+      <!-- netty is a transitive dependencies of oak-segment-tar
+           increasing version -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-resolver</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-common</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-codec</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-buffer</artifactId>
+        <version>${netty.version}</version>
       </dependency>
       <dependency>
         <groupId>org.apache.jackrabbit</groupId>
       </dependency>
 
 
+      <!-- Transitive dependency - fixing version -->
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>29.0-jre</version>
+      </dependency>
+
+
       <dependency>
         <groupId>org.xmlunit</groupId>
         <artifactId>xmlunit-core</artifactId>
           </execution>
         </executions>
       </plugin>
+
+
+
+
    </plugins>
     <pluginManagement>
       <plugins>