Some vulnerabilities were addressed

wicketstuff · Sep 26, 2024 · 1b28b30 · 1b28b30
1 parent 5a32259
commit 1b28b30
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 63 deletions.
diff --git a/datatables-parent/datatables/pom.xml b/datatables-parent/datatables/pom.xml
@@ -31,6 +31,12 @@
 			<groupId>org.webjars</groupId>
 			<artifactId>datatables</artifactId>
 			<version>2.1.0</version>
+			<exclusions>
+				<exclusion>
+					<groupId>org.webjars</groupId>
+					<artifactId>jquery</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.webjars</groupId>

diff --git a/pom.xml b/pom.xml
@@ -299,6 +299,7 @@
 		<commons-lang3.version>3.17.0</commons-lang3.version>
 		<commons-logging.version>1.3.4</commons-logging.version>
 		<commons-dbcp2.version>2.12.0</commons-dbcp2.version>
+		<commons-compress.version>1.27.1</commons-compress.version>
 		<validation-api.version>3.1.0</validation-api.version>
 		<jta.version>2.0.1</jta.version>
 		<htmlcompressor.version>1.5.2</htmlcompressor.version>
@@ -659,6 +660,11 @@
 				<artifactId>commons-dbcp2</artifactId>
 				<version>${commons-dbcp2.version}</version>
 			</dependency>
+			<dependency>
+				<groupId>org.apache.commons</groupId>
+				<artifactId>commons-compress</artifactId>
+				<version>${commons-compress.version}</version>
+			</dependency>
 
 			<!-- SPRING -->
 			<dependency>
@@ -972,6 +978,12 @@
 				<groupId>org.webjars</groupId>
 				<artifactId>jquery-ui</artifactId>
 				<version>${jquery-ui.version}</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.webjars</groupId>
+						<artifactId>jquery</artifactId>
+					</exclusion>
+				</exclusions>
 			</dependency>
 			<dependency>
 				<groupId>org.webjars.npm</groupId>

diff --git a/serializer-fast2/pom.xml b/serializer-fast2/pom.xml
@@ -1,19 +1,29 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-  <modelVersion>4.0.0</modelVersion>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
 
-  <parent>
-    <groupId>org.wicketstuff</groupId>
-    <artifactId>wicketstuff-core</artifactId>
-    <version>10.3.0-SNAPSHOT</version>
-  </parent>
+	<parent>
+		<groupId>org.wicketstuff</groupId>
+		<artifactId>wicketstuff-core</artifactId>
+		<version>10.3.0-SNAPSHOT</version>
+	</parent>
 
-  <artifactId>wicketstuff-serializer-fast2</artifactId>
+	<artifactId>wicketstuff-serializer-fast2</artifactId>
 
-  <name>WicketStuff Fast 2 Serializer</name>
-  <description>ISerializer based on version 2 of Fast https://github.com/RuedigerMoeller/fast-serialization</description>
+	<name>WicketStuff Fast 2 Serializer</name>
+	<description>ISerializer based on version 2 of Fast https://github.com/RuedigerMoeller/fast-serialization</description>
 
-  <dependencies>
+	<dependencies>
+		<dependency>
+			<groupId>de.ruedigermoeller</groupId>
+			<artifactId>fst</artifactId>
+		</dependency>
+		<dependency>
+			<!-- this one is required to override vulnerable commons-compress from de.ruedigermoeller:fst -->
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-compress</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.junit.jupiter</groupId>
 			<artifactId>junit-jupiter-api</artifactId>
@@ -22,19 +32,15 @@
 			<groupId>org.junit.jupiter</groupId>
 			<artifactId>junit-jupiter-engine</artifactId>
 		</dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-reload4j</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.wicketstuff</groupId>
-      <artifactId>wicketstuff-serializer-common</artifactId>
-      <version>${project.parent.version}</version>
-    </dependency>
 		<dependency>
-			<groupId>de.ruedigermoeller</groupId>
-			<artifactId>fst</artifactId>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-reload4j</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.wicketstuff</groupId>
+			<artifactId>wicketstuff-serializer-common</artifactId>
+			<version>${project.parent.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.eclipse.jetty</groupId>
@@ -56,51 +62,51 @@
 			<groupId>org.eclipse.jetty.websocket</groupId>
 			<artifactId>websocket-jakarta-server</artifactId>
 		</dependency>
-    <dependency>
-      <groupId>jakarta.servlet</groupId>
-      <artifactId>jakarta.servlet-api</artifactId>
-      <scope>test</scope>
-    </dependency>
+		<dependency>
+			<groupId>jakarta.servlet</groupId>
+			<artifactId>jakarta.servlet-api</artifactId>
+			<scope>test</scope>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.wicket</groupId>
 			<artifactId>wicket-tester</artifactId>
 		</dependency>
 	</dependencies>
 
-  <build>
-    <plugins>
-      <plugin>
-        <!-- USAGE: mvn license:check OR mvn license:format -->
-        <groupId>com.mycila.maven-license-plugin</groupId>
-        <artifactId>maven-license-plugin</artifactId>
-        <configuration>
-          <header>${header.location}</header>
-          <excludes>
-            <exclude>src/test/java/**.tree</exclude>
-          </excludes>
-        </configuration>
-      </plugin>
+	<build>
+		<plugins>
+			<plugin>
+				<!-- USAGE: mvn license:check OR mvn license:format -->
+				<groupId>com.mycila.maven-license-plugin</groupId>
+				<artifactId>maven-license-plugin</artifactId>
+				<configuration>
+					<header>${header.location}</header>
+					<excludes>
+						<exclude>src/test/java/**.tree</exclude>
+					</excludes>
+				</configuration>
+			</plugin>
 
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-surefire-plugin</artifactId>
-        <configuration>
-          <argLine>
-            --add-opens java.base/java.lang=ALL-UNNAMED
-            --add-opens java.base/java.math=ALL-UNNAMED
-            --add-opens java.base/java.net=ALL-UNNAMED
-            --add-opens java.base/java.text=ALL-UNNAMED
-            --add-opens java.base/java.util=ALL-UNNAMED
-            --add-opens java.base/java.util.concurrent=ALL-UNNAMED
-            --add-opens java.sql/java.sql=ALL-UNNAMED
-            --add-opens java.base/sun.reflect.annotation=ALL-UNNAMED
-          </argLine>
-        </configuration>
-      </plugin>
-    </plugins>
-  </build>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<configuration>
+					<argLine>
+						--add-opens java.base/java.lang=ALL-UNNAMED
+						--add-opens java.base/java.math=ALL-UNNAMED
+						--add-opens java.base/java.net=ALL-UNNAMED
+						--add-opens java.base/java.text=ALL-UNNAMED
+						--add-opens java.base/java.util=ALL-UNNAMED
+						--add-opens java.base/java.util.concurrent=ALL-UNNAMED
+						--add-opens java.sql/java.sql=ALL-UNNAMED
+						--add-opens java.base/sun.reflect.annotation=ALL-UNNAMED
+					</argLine>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
 
-  <properties>
-    <header.location>lic/header.txt</header.location>
-  </properties>
+	<properties>
+		<header.location>lic/header.txt</header.location>
+	</properties>
 </project>