Merge pull request #320 from groovy/cve-fixes

CVE fixes
groovy · Dec 31, 2024 · 8f6f1f8 · 8f6f1f8
2 parents 1d09b7b + ffcc1f5
commit 8f6f1f8
Showing 1 changed file with 15 additions and 9 deletions.
diff --git a/pom.xml b/pom.xml
@@ -74,22 +74,28 @@
       <!-- fix CVE-2020-8908 and CVE-2023-2976 from org.apache.maven:maven-core -->
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>33.4.0-jre</version>
-      <scope>runtime</scope>
+      <version>32.0.1-android</version>
+      <scope>provided</scope>
     </dependency>
     <dependency>
-      <!-- fix CVE-2022-29599 from org.apache.maven:maven-core -->
+      <!-- fix CVE-2022-29599 and CVE-2020-15250 from org.apache.maven:maven-core -->
       <groupId>org.apache.maven.shared</groupId>
       <artifactId>maven-shared-utils</artifactId>
       <version>3.4.2</version>
-      <scope>runtime</scope>
+      <scope>provided</scope>
     </dependency>
     <dependency>
-      <!-- fix CVE-2024-36124 from org.apache.maven:maven-archiver -->
-      <groupId>org.iq80.snappy</groupId>
-      <artifactId>snappy</artifactId>
-      <version>0.5</version>
-      <scope>runtime</scope>
+      <!-- fix CVE-2017-1000487 and CVE-2022-4244, and CVE-2022-4245 from org.apache.maven:maven-core -->
+      <groupId>org.codehaus.plexus</groupId>
+      <artifactId>plexus-utils</artifactId>
+      <version>3.0.24</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <!-- fix CVE-2024-47554 from org.apache.maven.shared:file-management -->
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <version>2.14.0</version>
     </dependency>
     <!-- main groovy support -->
     <dependency>