Dependency changes and vulnerability check

archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml

     <cpe>cpe:/a:jquery_file_upload_project:jquery_file_upload</cpe>
   </suppress>
 
+  <suppress>
+    <notes><![CDATA[
+   file name: jdom2-2.0.6.jar
+   This is a dependency of rometools/rome (RSS library), they addressed the issue (see https://github.com/rometools/rome/issues/469)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl>
+    <cpe>cpe:/a:jdom:jdom</cpe>
+    <vulnerabilityName>CVE-2021-33813</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+   file name: native-protocol-1.5.0.jar
+   This is a vulnerability of cassandra server. We will ignore it for the client driver.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native\-protocol@.*$</packageUrl>
+    <cpe>cpe:/a:apache:cassandra</cpe>
+    <vulnerabilityName>CVE-2020-13946</vulnerabilityName>
+  </suppress>
 </suppressions>

archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml

 
   <properties>
     <site.staging.base>${project.parent.parent.basedir}</site.staging.base>
-    <cassandraVersion>4.0.0</cassandraVersion>
+    <cassandraVersion>3.11.10</cassandraVersion>
     <datastax.driver.version>4.13.0</datastax.driver.version>
   </properties>
 
       <artifactId>modelmapper</artifactId>
     </dependency>
 
-    <!--
-    <dependency>
-      <groupId>org.yaml</groupId>
-      <artifactId>snakeyaml</artifactId>
-      <version>1.27</version>
-    </dependency>
--->
-    <dependency>
-      <groupId>org.apache.cassandra</groupId>
-      <artifactId>cassandra-all</artifactId>
-      <version>${cassandraVersion}</version>
-      <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>log4j</groupId>
-          <artifactId>log4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>slf4j-log4j12</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>jcl-over-slf4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.mortbay.jetty</groupId>
-          <artifactId>jetty</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>log4j-over-slf4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-classic</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.jboss.logging</groupId>
-          <artifactId>jboss-logging</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.inject</groupId>
-          <artifactId>javax.inject</artifactId>
-        </exclusion>
-          <exclusion>
-            <groupId>javax.validation</groupId>
-            <artifactId>validation-api</artifactId>
-          </exclusion>
-        <exclusion>
-          <groupId>com.fasterxml.jackson.core</groupId>
-          <artifactId>jackson-core</artifactId>
-        </exclusion>
-        <!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. -->
-        <exclusion>
-          <groupId>com.addthis.metrics</groupId>
-          <artifactId>reporter-config3</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>net.openhft</groupId>
-          <artifactId>chronicle-wire</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>net.openhft</groupId>
-      <artifactId>chronicle-wire</artifactId>
-      <version>2.21.89</version>
-      <scope>test</scope>
-    </dependency>
-
     <dependency>
       <groupId>com.datastax.oss</groupId>
       <artifactId>java-driver-core</artifactId>
       <version>${datastax.driver.version}</version>
     </dependency>
 
-    <!--
-    <dependency>
-      <groupId>org.hectorclient</groupId>
-      <artifactId>hector-core</artifactId>
-      <version>1.1-4</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.ecyrd.speed4j</groupId>
-          <artifactId>speed4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.yammer.metrics</groupId>
-          <artifactId>metrics-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>log4j-over-slf4j</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    -->
-    <!--
-    <dependency>
-      <groupId>org.apache.cassandra</groupId>
-      <artifactId>cassandra-thrift</artifactId>
-      <version>${cassandraVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-          <exclusion>
-            <groupId>org.apache.ant</groupId>
-            <artifactId>ant</artifactId>
-          </exclusion>
-      </exclusions>
-    </dependency>
-    -->
-    <!-- Transient dependencies of cassandra that are selected to use a higher version -->
-    <!--
-    <dependency>
-      <groupId>org.apache.thrift</groupId>
-      <artifactId>libthrift</artifactId>
-      <version>0.13.0</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.annotation</groupId>
-          <artifactId>javax.annotation-api</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.mindrot</groupId>
-      <artifactId>jbcrypt</artifactId>
-      <version>0.4</version>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.tika</groupId>
-      <artifactId>tika-core</artifactId>
-      <version>1.26</version>
-    </dependency>
--->
-    <!-- Transitive dependency. Declared here to increase the version. -->
-    <!--
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-all</artifactId>
-      <version>${netty.version}</version>
-    </dependency>
-    -->
-    <!--
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-core</artifactId>
-    </dependency>
--->
-    <!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
-    <!--
-    <dependency>
-      <groupId>org.jboss.logging</groupId>
-      <artifactId>jboss-logging</artifactId>
-    </dependency>
-    -->
 
     <!-- TEST Scope -->
     <dependency>
         <filtering>true</filtering>
       </testResource>
     </testResources>
+
     <plugins>
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
             <dependency>
               <groupId>org.apache.cassandra</groupId>
               <artifactId>cassandra-all</artifactId>
-              <version>3.11.10</version>
+              <version>${cassandraVersion}</version>
             </dependency>
         </dependencies>
       </plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-surefire-plugin</artifactId>
           <executions>
-
           </executions>
           <configuration>
             <skip>true</skip>
           <configuration>
             <excludes>
               <exclude>src/cassandra/**</exclude>
+              <exclude>src/test/resources/cassandra-test.yaml</exclude>
             </excludes>
           </configuration>
         </plugin>

archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java

     int cacheSizeInMB = 20;
     int cacheExpiryInSecs = 300;
     int threadPoolSize = 5;
+    long queueTimeOutMs = 60000;
 
     private StatisticsProvider statisticsProvider;
 
             log.info("Hybrid indexing feature disabled");
             return;
         }
-        documentQueue = new DocumentQueue( queueSize, tracker, getExecutorService(), statisticsProvider);
+        documentQueue = new DocumentQueue( queueSize, queueTimeOutMs, tracker, getExecutorService(), statisticsProvider);
         LocalIndexObserver localIndexObserver = new LocalIndexObserver(documentQueue, statisticsProvider);
 
         int observerQueueSize = 1000;

archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml

           <groupId>org.apache.lucene</groupId>
           <artifactId>lucene-suggest</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.apache.tika</groupId>
+          <artifactId>tika-core</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <!-- We reapply the original transitive dependencies -->
       <groupId>org.apache.jackrabbit</groupId>
       <artifactId>oak-search</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.tika</groupId>
+      <artifactId>tika-core</artifactId>
+      <version>1.27</version>
+    </dependency>
   </dependencies>
 
 

pom.xml

 
 
     <!-- dependencies of maven modules -->
-    <jsoup.version>1.12.1</jsoup.version>
-    <rome.version>1.13.1</rome.version>
+    <jsoup.version>1.14.2</jsoup.version>
+    <rome.version>1.16.0</rome.version>
     <cronutils.version>9.1.3</cronutils.version>
 
     <lucene.version>4.10.4</lucene.version>
     <javax.jcr.version>2.0</javax.jcr.version>
     <!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
          to adapt to dependency changes -->
-    <jcr-oak.version>1.30.0</jcr-oak.version>
+    <jcr-oak.version>1.40.0</jcr-oak.version>
     <netty.version>4.1.50.Final</netty.version>