build(deps): Sanitize dependencies based on dependency:analyze-report results (#7294)

Co-authored-by: Jeremy Long <[email protected]>

Author: aikebah

ant/pom.xml

@@ -214,8 +214,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
             <version>${project.parent.version}</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-jcs3-core</artifactId>
+            <!-- not visible in imports due to method chaining, but Check code uses classes from this library -->
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>open-vulnerability-clients</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
         </dependency>
         <dependency>
             <groupId>io.github.jeremylong</groupId>

cli/pom.xml

@@ -152,6 +152,15 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>jcs3-slf4j</artifactId>
+        </dependency>
+        <dependency>
+            <!-- not visible in imports due to method chaining, but App code uses classes from this library -->
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>open-vulnerability-clients</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant</artifactId>

core/pom.xml

@@ -204,6 +204,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.github.jeremylong</groupId>
             <artifactId>jcs3-slf4j</artifactId>
+            <scope>runtime</scope>
         </dependency>
         <dependency>
             <groupId>com.github.package-url</groupId>
@@ -340,14 +341,57 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <groupId>commons-validator</groupId>
             <artifactId>commons-validator</artifactId>
         </dependency>
-        <dependency><!--upgrade transitive dependency of commons-validator due to reported vulns-->
-            <groupId>commons-beanutils</groupId>
-            <artifactId>commons-beanutils</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.packager</groupId>
             <artifactId>packager-rpm</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents.core5</groupId>
+            <artifactId>httpcore5</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents.client5</groupId>
+            <artifactId>httpclient5</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.sonatype.goodies</groupId>
+            <artifactId>package-url-java</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>joda-time</groupId>
+            <artifactId>joda-time</artifactId>
+            <version>2.10.4</version>
+        </dependency>
+        <dependency>
+            <groupId>org.sonatype.ossindex</groupId>
+            <artifactId>ossindex-service-api</artifactId>
+            <version>1.8.2</version>
+        </dependency>
+        <dependency>
+            <groupId>com.esotericsoftware</groupId>
+            <artifactId>minlog</artifactId>
+            <version>1.3.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin.external.google</groupId>
+            <artifactId>android-json</artifactId>
+            <version>0.0.20131108.vaadin1</version>
+        </dependency>
+        <dependency>
+            <groupId>xml-apis</groupId>
+            <artifactId>xml-apis</artifactId>
+            <version>1.3.03</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>
@@ -457,6 +501,48 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <activation>
                 <activeByDefault>true</activeByDefault>
             </activation>
+            <build>
+                <pluginManagement>
+                    <plugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-dependency-plugin</artifactId>
+                            <version>${maven-dependency-plugin.version}</version>
+                            <configuration>
+                                <usedDependencies combine.children="append">
+                                    <!-- logback is our logging implementation during test and is test-scoped due to a lack of a
+                                    test-runtime scope - it should be considered 'used' in the context of dependency:analyze-report -->
+                                    <usedDependency>ch.qos.logback:logback-classic</usedDependency>
+                                    <!-- dependencies to be copied for use in unit/integration testcases are, due to
+                                    lack of a test-runtime scope, configured as test-scoped / optional and should be
+                                    considered used for dependency:analyze-report -->
+                                    <usedDependency>org.springframework:spring-webmvc</usedDependency>
+                                    <usedDependency>org.mortbay.jetty:jetty</usedDependency>
+                                    <usedDependency>net.sf.ehcache:ehcache-core</usedDependency>
+                                    <usedDependency>com.google.inject:guice</usedDependency>
+                                    <usedDependency>org.apache.struts:struts2-core</usedDependency>
+                                    <usedDependency>xalan:xalan</usedDependency>
+                                    <usedDependency>com.hazelcast:hazelcast</usedDependency>
+                                    <usedDependency>commons-fileupload:commons-fileupload</usedDependency>
+                                    <usedDependency>org.jslipc:jslipc</usedDependency>
+                                    <usedDependency>com.thoughtworks.xstream:xstream</usedDependency>
+                                    <usedDependency>org.dojotoolkit:dojo-war</usedDependency>
+                                    <usedDependency>org.apache.openjpa:openjpa</usedDependency>
+                                    <usedDependency>uk.ltd.getahead:dwr</usedDependency>
+                                    <usedDependency>org.glassfish.main.admingui:war</usedDependency>
+                                    <usedDependency>org.springframework.retry:spring-retry</usedDependency>
+                                    <usedDependency>io.github.faob-dev:aar</usedDependency>
+                                    <usedDependency>org.apache.maven.scm:maven-scm-provider-cvsexe</usedDependency>
+                                    <usedDependency>org.apache.axis2:axis2-spring</usedDependency>
+                                    <usedDependency>org.apache.geronimo.daytrader:daytrader-ear</usedDependency>
+                                    <usedDependency>org.springframework.security:spring-security-web</usedDependency>
+                                    <usedDependency>org.apache.axis2:axis2-adb</usedDependency>
+                                </usedDependencies>
+                            </configuration>
+                        </plugin>
+                    </plugins>
+                </pluginManagement>
+            </build>
             <dependencies>
                 <!-- The following dependencies are only used during testing
                 and must not be converted to a properties based version number -->

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -22,7 +22,7 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import io.github.jeremylong.openvulnerability.client.nvd.Config;
 import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
-import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.commons.collections4.map.ReferenceMap;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.*;
@@ -44,8 +44,8 @@
 import java.util.stream.Collectors;
 import org.anarres.jdiagnostics.DefaultQuery;
 
-import static org.apache.commons.collections.map.AbstractReferenceMap.HARD;
-import static org.apache.commons.collections.map.AbstractReferenceMap.SOFT;
+import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.HARD;
+import static org.apache.commons.collections4.map.AbstractReferenceMap.ReferenceStrength.SOFT;
 import org.owasp.dependencycheck.analyzer.exception.LambdaExceptionWrapper;
 import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
 import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;

maven/pom.xml

@@ -92,6 +92,17 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             </plugin>
         </plugins>
     </reporting>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.maven</groupId>
+                <artifactId>maven-resolver-provider</artifactId>
+                <version>${maven.api.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
     <dependencies>
         <dependency>
             <groupId>org.owasp</groupId>
@@ -103,10 +114,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>dependency-check-utils</artifactId>
             <version>${project.parent.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-jcs3-core</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
@@ -131,6 +138,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>maven-core</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.maven.doxia</groupId>
+            <artifactId>doxia-sink-api</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven.shared</groupId>
             <artifactId>file-management</artifactId>
@@ -179,6 +190,27 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>maven-artifact</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.maven.resolver</groupId>
+            <artifactId>maven-resolver-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.maven.shared</groupId>
+            <artifactId>maven-common-artifact-filters</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.jeremylong</groupId>
+            <artifactId>open-vulnerability-clients</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.github.package-url</groupId>
+            <artifactId>packageurl-java</artifactId>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>