From 195398a7d99642d43cd23312c5f1347bbc722e03 Mon Sep 17 00:00:00 2001
From: Alex Porcelli <alex@porcelli.me>
Date: Tue, 12 Mar 2024 14:23:16 -0400
Subject: [PATCH 1/2] RHPAM-3709: upgrade maven dependencies to address
 CVE-2021-26291

---
 mavenembedder-workitem/pom.xml | 21 ++++++++-----------
 pom.xml                        | 37 ----------------------------------
 2 files changed, 8 insertions(+), 50 deletions(-)

diff --git a/mavenembedder-workitem/pom.xml b/mavenembedder-workitem/pom.xml
index a661cc854..01ae8c82a 100644
--- a/mavenembedder-workitem/pom.xml
+++ b/mavenembedder-workitem/pom.xml
@@ -59,11 +59,11 @@
           <artifactId>org.eclipse.sisu.plexus</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>org.sonatype.plexus</groupId>
+          <groupId>org.codehaus.plexus</groupId>
           <artifactId>plexus-sec-dispatcher</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>org.sonatype.plexus</groupId>
+          <groupId>org.codehaus.plexus</groupId>
           <artifactId>plexus-cipher</artifactId>
         </exclusion>
       </exclusions>
@@ -114,23 +114,23 @@
       <scope>provided</scope>
     </dependency>
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
       <scope>provided</scope>
     </dependency>
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-cipher</artifactId>
       <scope>provided</scope>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-connector-basic</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-connector-basic</artifactId>
       <scope>provided</scope>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-transport-wagon</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-transport-wagon</artifactId>
       <scope>provided</scope>
     </dependency>
     <dependency>
@@ -143,11 +143,6 @@
       <artifactId>wagon-provider-api</artifactId>
       <scope>provided</scope>
     </dependency>
-    <dependency>
-      <groupId>org.apache.maven.wagon</groupId>
-      <artifactId>wagon-http-lightweight</artifactId>
-      <scope>provided</scope>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
diff --git a/pom.xml b/pom.xml
index c6cc7bfd9..7cbd54fff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -56,11 +56,9 @@
     <version.rxjava>1.2.4</version.rxjava>
     <version.owm>2.5.2.2</version.owm>
     <version.commons.net>3.6</version.commons.net>
-    <version.maven.embedder>3.3.3</version.maven.embedder>
     <version.wildfly.maven.plugin>1.2.1.Final</version.wildfly.maven.plugin>
     <version.war.plugin>3.2.2</version.war.plugin>
     <version.apache.commons.io>2.5</version.apache.commons.io>
-    <version.maven.model>3.3.9</version.maven.model>
     <version.jslack>1.1.4</version.jslack>
     <version.org.xhtmlrenderer>9.1.15</version.org.xhtmlrenderer>
     <version.bouncycastle>1.67</version.bouncycastle>
@@ -472,41 +470,6 @@
         <artifactId>commons-net</artifactId>
         <version>${version.commons.net}</version>
       </dependency>
-      <dependency>
-        <groupId>org.apache.maven</groupId>
-        <artifactId>maven-embedder</artifactId>
-        <version>${version.maven.embedder}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.eclipse.aether</groupId>
-        <artifactId>aether-connector-basic</artifactId>
-        <version>${version.org.eclipse.aether}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.eclipse.aether</groupId>
-        <artifactId>aether-transport-wagon</artifactId>
-        <version>${version.org.eclipse.aether}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.apache.maven.wagon</groupId>
-        <artifactId>wagon-http</artifactId>
-        <version>${version.org.apache.maven.wagon}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.apache.maven.wagon</groupId>
-        <artifactId>wagon-provider-api</artifactId>
-        <version>${version.org.apache.maven.wagon}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.apache.maven.wagon</groupId>
-        <artifactId>wagon-http-lightweight</artifactId>
-        <version>${version.org.apache.maven.wagon}</version>
-      </dependency>
-      <dependency>
-        <groupId>org.apache.maven</groupId>
-        <artifactId>maven-model</artifactId>
-        <version>${version.maven.model}</version>
-      </dependency>
       <dependency>
         <groupId>com.github.taycaldwell</groupId>
         <artifactId>riot-api-java</artifactId>

From 205dbb22cdd0f40c0f4a49d1707c26ba2916c52e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Zim=C3=A1nyi?= <tiborzimanyi@ibm.com>
Date: Wed, 27 Mar 2024 10:00:57 +0100
Subject: [PATCH 2/2] Remove one unneeded dependency exclusion.

---
 jbpm-workitem-itests/pom.xml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/jbpm-workitem-itests/pom.xml b/jbpm-workitem-itests/pom.xml
index bd8f60c7d..245476a3d 100644
--- a/jbpm-workitem-itests/pom.xml
+++ b/jbpm-workitem-itests/pom.xml
@@ -116,10 +116,6 @@
           <groupId>org.hamcrest</groupId>
           <artifactId>hamcrest</artifactId>
         </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-jcl</artifactId>
-        </exclusion>
         <exclusion>
           <groupId>org.junit.jupiter</groupId>
           <artifactId>junit-jupiter</artifactId>