From 444e80c4cb8e8c1f610698e3ab7a30fa6ad74f51 Mon Sep 17 00:00:00 2001
From: Alex Porcelli <alex@porcelli.me>
Date: Mon, 11 Mar 2024 17:08:42 -0400
Subject: [PATCH 1/2] RHPAM-3709: upgrade maven dependencies to address
 CVE-2021-26291

---
 kie-maven-plugin/pom.xml                         | 14 +++++---------
 .../plugin/PackageKjarDependenciesMojo.java      | 16 ++++++++--------
 .../kie-server-integ-tests-all/pom.xml           |  5 +++++
 .../kie-server-integ-tests-controller/pom.xml    |  6 ++++++
 4 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/kie-maven-plugin/pom.xml b/kie-maven-plugin/pom.xml
index 9544f6ba9e..0084674c0a 100644
--- a/kie-maven-plugin/pom.xml
+++ b/kie-maven-plugin/pom.xml
@@ -70,6 +70,10 @@
   </dependencyManagement>
 
   <dependencies>
+    <dependency>
+      <groupId>jakarta.inject</groupId>
+      <artifactId>jakarta.inject-api</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-artifact</artifactId>
@@ -80,15 +84,7 @@
       <exclusions>
         <exclusion>
           <groupId>org.sonatype.sisu</groupId>
-          <artifactId>sisu-guice</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.inject</groupId>
-          <artifactId>javax.inject</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>aopalliance</groupId>
-          <artifactId>aopalliance</artifactId>
+          <artifactId>sisu-inject-plexus</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
diff --git a/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java b/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java
index 8a7227e7b1..9268a19016 100644
--- a/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java
+++ b/kie-maven-plugin/src/main/java/org/kie/maven/plugin/PackageKjarDependenciesMojo.java
@@ -50,14 +50,14 @@
 import org.apache.maven.project.ProjectBuildingRequest;
 import org.apache.maven.repository.RepositorySystem;
 import org.apache.maven.settings.Settings;
-import org.apache.maven.shared.artifact.ArtifactCoordinate;
-import org.apache.maven.shared.artifact.DefaultArtifactCoordinate;
-import org.apache.maven.shared.artifact.resolve.ArtifactResolver;
-import org.apache.maven.shared.artifact.resolve.ArtifactResolverException;
-import org.apache.maven.shared.artifact.resolve.ArtifactResult;
-import org.apache.maven.shared.dependencies.DefaultDependableCoordinate;
-import org.apache.maven.shared.dependencies.resolve.DependencyResolver;
-import org.apache.maven.shared.dependencies.resolve.DependencyResolverException;
+import org.apache.maven.shared.transfer.artifact.ArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
+import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
+import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate;
+import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
+import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
 import org.apache.maven.shared.utils.StringUtils;
 import org.apache.maven.shared.utils.WriterFactory;
 import org.apache.maven.shared.utils.io.IOUtil;
diff --git a/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml b/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml
index 4b9b523fd8..344f02117f 100644
--- a/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml
+++ b/kie-server-parent/kie-server-tests/kie-server-integ-tests-all/pom.xml
@@ -114,6 +114,11 @@
       <scope>test</scope>
     </dependency>
     
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <scope>test</scope>
+    </dependency>
     
   </dependencies>
 
diff --git a/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml b/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml
index 254ed90563..78d80ddf39 100644
--- a/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml
+++ b/kie-server-parent/kie-server-tests/kie-server-integ-tests-controller/pom.xml
@@ -94,6 +94,12 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <!-- This is an artificial dependency to make sure the kie-server-tests modules are executed one at a time during
          parallel build (otherwise the tests fail because of conflicting port binding) -->
     <dependency>

From 191d0c4748efabbcd2efabd4e56b3f8e1dfaf1d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Novotn=C3=BD?= <hotmana76@gmail.com>
Date: Thu, 21 Mar 2024 15:25:19 +0100
Subject: [PATCH 2/2] adding exclusions for jcl-over-slf4j in
 jbpm-spring-boot-autoconfiguration

      <exclusions>
        <exclusion>
          <groupId>org.slf4j</groupId>
          <artifactId>jcl-over-slf4j</artifactId>
        </exclusion>
      </exclusions>
---
 .../jbpm-spring-boot-autoconfiguration/pom.xml     | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml b/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml
index 6a8b789123..3eb6e6424f 100644
--- a/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml
+++ b/kie-spring-boot/kie-spring-boot-autoconfiguration/jbpm-spring-boot-autoconfiguration/pom.xml
@@ -59,6 +59,12 @@
     <dependency>
       <groupId>org.jbpm</groupId>
       <artifactId>jbpm-workitems-rest</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl-over-slf4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.jbpm</groupId>
@@ -95,6 +101,12 @@
     <dependency>
       <groupId>org.jbpm</groupId>
       <artifactId>jbpm-human-task-audit</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl-over-slf4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.jbpm</groupId>
@@ -249,4 +261,4 @@
       </exclusions>
     </dependency>
   </dependencies>
-</project>
\ No newline at end of file
+</project>