NCL-6658 Update to JDOM2 and resolve CVE

cli/src/test/java/org/commonjava/maven/ext/cli/CliTest.java

@@ -335,8 +335,8 @@ public void checkDependencies()
                 + "org.apache.maven.plugins:maven-resources-plugin:2.6                             maven-plugin                                                \n"
                 + "org.apache.maven.plugins:maven-shade-plugin:3.[.\\d+]+\\s+                      maven-plugin                                                \n"
                 + "org.apache.maven.plugins:maven-surefire-plugin:2.12.4                           maven-plugin                                                \n"
-                + "org.apache.maven.release:maven-release-api:3.0.0-M1                             jar                                     compile             \n"
-                + "org.apache.maven.release:maven-release-manager:3.0.0-M1                         jar                                     compile             \n"
+                + "org.apache.maven.release:maven-release-api:3.0.0-M4                             jar                                     compile             \n"
+                + "org.apache.maven.release:maven-release-manager:3.0.0-M4                         jar                                     compile             \n"
                 + "org.bsc.maven:maven-processor-plugin:3.3.3                                      maven-plugin                                                \n"
                 + "org.codehaus.groovy:groovy:[.\\d+]+\\s+                                         jar                                     compile             \n"
                 + "org.codehaus.groovy:groovy-json:[.\\d+]+\\s+                                    jar                                     compile             \n"
@@ -358,7 +358,7 @@ public void checkDependencies()
                 + "org.jacoco:jacoco-maven-plugin:0.8[.\\d+]+\\s+                                  maven-plugin                                                \n"
                 + "org.jboss.byteman:byteman-bmunit:4[.\\d+]+\\s+                                  jar                                     test                \n"
                 + "org.jboss.da:reports-model:2.[.\\d+]+\\s+                                       jar                                     compile             \n"
-                + "org.jdom:jdom:1.1.3                                                             jar                                     compile             \n"
+                + "org.jdom:jdom2:2.[.\\d+]+\\s+                                                   jar                                     compile             \n"
                 + "org.projectlombok:lombok:1.[.\\d+]+\\s+                                         jar                                     provided            \n"
                 + "org.projectlombok:lombok-maven-plugin:1.[.\\d+]+\\s+                            maven-plugin                                                \n"
                 + "org.slf4j:slf4j-api:1.[.\\d+]+\\s+                                              jar                                     compile             \n"

common/pom.xml

@@ -119,7 +119,7 @@
 
     <dependency>
       <groupId>org.jdom</groupId>
-      <artifactId>jdom</artifactId>
+      <artifactId>jdom2</artifactId>
     </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>

common/src/main/java/org/commonjava/maven/ext/common/jdom/JDOMModelConverter.java

@@ -18,10 +18,10 @@
 
 import org.apache.maven.model.*;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.JDOMFactory;
-import org.jdom.UncheckedJDOMFactory;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.JDOMFactory;
+import org.jdom2.UncheckedJDOMFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

common/src/main/java/org/commonjava/maven/ext/common/jdom/JDOMSettingsConverter.java

@@ -30,14 +30,14 @@
 import org.apache.maven.settings.Settings;
 import org.codehaus.plexus.util.WriterFactory;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.JDOMException;
-import org.jdom.JDOMFactory;
-import org.jdom.UncheckedJDOMFactory;
-import org.jdom.input.SAXBuilder;
-import org.jdom.output.Format;
-import org.jdom.output.XMLOutputter;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.JDOMException;
+import org.jdom2.JDOMFactory;
+import org.jdom2.UncheckedJDOMFactory;
+import org.jdom2.input.SAXBuilder;
+import org.jdom2.output.Format;
+import org.jdom2.output.XMLOutputter;
 
 import java.io.File;
 import java.io.IOException;
@@ -88,6 +88,9 @@ public final void write( final Settings source, final File target, final String
         final SAXBuilder builder = new SAXBuilder();
         final Document document;
 
+        // CVE-2021-33813  https://github.com/hunterhacker/jdom/issues/189
+        builder.setExpandEntities( false );
+
         // TODO: Improve this.
         // If we are building from an existing file then use that as a base otherwise we need to construct the Document
         // and root Element.

common/src/main/java/org/commonjava/maven/ext/common/jdom/Utils.java

@@ -32,13 +32,13 @@
 
 import lombok.experimental.UtilityClass;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
-import org.jdom.Attribute;
-import org.jdom.CDATA;
-import org.jdom.Content;
-import org.jdom.DefaultJDOMFactory;
-import org.jdom.Element;
-import org.jdom.Namespace;
-import org.jdom.Text;
+import org.jdom2.Attribute;
+import org.jdom2.CDATA;
+import org.jdom2.Content;
+import org.jdom2.DefaultJDOMFactory;
+import org.jdom2.Element;
+import org.jdom2.Namespace;
+import org.jdom2.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -70,7 +70,7 @@ public final class Utils
 
     /**
      * Method updateElement.
-     * 
+     *
      * @param counter
      * @param shouldExist
      * @param name
@@ -112,7 +112,7 @@ else if ( element != null )
 
     /**
      * Method findAndReplaceXpp3DOM.
-     * 
+     *
      * @param counter
      * @param dom
      * @param name
@@ -133,7 +133,7 @@ public static Element findAndReplaceXpp3DOM( final IndentationCounter counter, f
 
     /**
      * Method replaceXpp3DOM.
-     * 
+     *
      * @param parent
      * @param counter
      * @param parentDom
@@ -245,7 +245,7 @@ else if ( parentDom.getValue() != null )
 
     /**
      * Method insertAtPreferredLocation.
-     * 
+     *
      * @param parent
      * @param counter
      * @param child
@@ -301,7 +301,7 @@ public static void insertAtPreferredLocation( final Element parent, final Elemen
 
     /**
      * Method findAndReplaceProperties.
-     * 
+     *
      * @param counter
      * @param props
      * @param name
@@ -339,7 +339,7 @@ public static Element findAndReplaceProperties( final IndentationCounter counter
 
     /**
      * Method findAndReplaceSimpleElement.
-     * 
+     *
      * @param counter
      * @param defaultValue
      * @param text
@@ -378,7 +378,7 @@ public static Element findAndReplaceSimpleElement( final IndentationCounter coun
 
     /**
      * Method findAndReplaceSimpleLists.
-     * 
+     *
      * @param counter
      * @param childName
      * @param parentName

core/src/main/java/org/commonjava/maven/ext/core/state/RelocationState.java

@@ -57,7 +57,7 @@ public class RelocationState
     @ConfigValue( docIndex = "dep-manip.html#dependency-relocations" )
     public static final String DEPENDENCY_RELOCATIONS = "dependencyRelocations.";
 
-    @ConfigValue( docIndex = "plugin-manip.html#dependency-relocations" )
+    @ConfigValue( docIndex = "plugin-manip.html#plugin-relocations" )
     public static final String PLUGIN_RELOCATIONS = "pluginRelocations.";
 
 

ext/pom.xml

@@ -128,7 +128,7 @@
     </dependency>
     <dependency>
       <groupId>org.jdom</groupId>
-      <artifactId>jdom</artifactId>
+      <artifactId>jdom2</artifactId>
     </dependency>
 
     <dependency>
@@ -208,7 +208,7 @@
                   <include>org.codehaus.groovy:groovy-xml</include>
                   <include>org.codehaus.groovy:groovy</include>
                   <include>org.jboss.da:reports-model</include>
-                  <include>org.jdom:jdom</include>
+                  <include>org.jdom:jdom2</include>
                   <include>org.ow2.asm:asm</include>
                   <include>org.yaml:snakeyaml</include>
                 </includes>

io/pom.xml

@@ -178,7 +178,7 @@
 
     <dependency>
       <groupId>org.jdom</groupId>
-      <artifactId>jdom</artifactId>
+      <artifactId>jdom2</artifactId>
     </dependency>
 
     <dependency>

io/src/main/java/org/commonjava/maven/ext/io/PomIO.java

@@ -43,8 +43,8 @@
 import org.apache.maven.shared.release.config.ReleaseUtils;
 import org.apache.maven.shared.release.transform.ModelETL;
 import org.apache.maven.shared.release.transform.ModelETLRequest;
-import org.apache.maven.shared.release.transform.jdom.JDomModelETL;
-import org.apache.maven.shared.release.transform.jdom.JDomModelETLFactory;
+import org.apache.maven.shared.release.transform.jdom2.JDomModelETL;
+import org.apache.maven.shared.release.transform.jdom2.JDomModelETLFactory;
 import org.codehaus.plexus.util.xml.pull.XmlPullParserException;
 import org.commonjava.maven.atlas.ident.ref.ProjectVersionRef;
 import org.commonjava.maven.ext.common.ManipulationException;
@@ -54,7 +54,7 @@
 import org.commonjava.maven.ext.common.util.LineSeparator;
 import org.commonjava.maven.ext.common.util.ManifestUtils;
 import org.commonjava.maven.galley.maven.parse.PomPeek;
-import org.jdom.Document;
+import org.jdom2.Document;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

io/src/main/java/org/commonjava/maven/ext/io/SettingsIO.java

@@ -27,12 +27,12 @@
 import org.apache.maven.shared.release.ReleaseExecutionException;
 import org.apache.maven.shared.release.transform.ModelETL;
 import org.apache.maven.shared.release.transform.ModelETLRequest;
-import org.apache.maven.shared.release.transform.jdom.JDomModelETL;
-import org.apache.maven.shared.release.transform.jdom.JDomModelETLFactory;
+import org.apache.maven.shared.release.transform.jdom2.JDomModelETL;
+import org.apache.maven.shared.release.transform.jdom2.JDomModelETLFactory;
 import org.commonjava.maven.ext.common.ManipulationException;
 import org.commonjava.maven.ext.common.jdom.JDOMSettingsConverter;
 import org.commonjava.maven.ext.common.util.LineSeparator;
-import org.jdom.JDOMException;
+import org.jdom2.JDOMException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

pom.xml

@@ -323,13 +323,13 @@
       </dependency>
       <dependency>
         <groupId>org.jdom</groupId>
-        <artifactId>jdom</artifactId>
-        <version>1.1.3</version>
+        <artifactId>jdom2</artifactId>
+        <version>2.0.6</version>
       </dependency>
       <dependency>
         <groupId>org.apache.maven.release</groupId>
         <artifactId>maven-release-manager</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.0.0-M4</version>
         <!-- As we only want the immediate dependency and some of the transitives cause -->
         <!-- clashes then exclude everything for simplicity -->
         <exclusions>
@@ -342,7 +342,7 @@
       <dependency>
         <groupId>org.apache.maven.release</groupId>
         <artifactId>maven-release-api</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.0.0-M4</version>
         <!-- As we only want the immediate dependency and some of the transitives cause -->
         <!-- clashes then exclude everything for simplicity -->
         <exclusions>