[7.67.x-blue] RHPAM-3709: upgrade maven dependencies to address CVE-2…

…021-26291 (#3824)

* RHPAM-3709: upgrade maven dependencies to address CVE-2021-26291

* Fix duplicate classes problem in kie-wb-common-server-ui-backend.

* Fix duplicate classes problem in kie-wb-common-compiler-distribution.

* Fix duplicate classes problem in kie-wb-common-ala-wildfly-provider.

* Update maven-dependency-plugin.

* load kie version for plugin reference string from properties

---------

Co-authored-by: Alex Porcelli <[email protected]>
Co-authored-by: jstastny-cz <[email protected]>

kie-wb-common-ala/kie-wb-common-ala-build-maven/pom.xml

@@ -99,16 +99,16 @@
 
     <!-- dependencies to enable maven downloads -->
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-connector-basic</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-connector-basic</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-transport-wagon</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-transport-wagon</artifactId>
     </dependency>
     <dependency>
       <groupId>org.apache.maven.wagon</groupId>

kie-wb-common-ala/kie-wb-common-ala-wildfly/kie-wb-common-ala-wildfly-provider/pom.xml

@@ -127,6 +127,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-cipher</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-sec-dispatcher</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>

kie-wb-common-screens/kie-wb-common-datasource-mgmt/kie-wb-common-datasource-mgmt-backend/pom.xml

@@ -188,41 +188,41 @@
 
     <dependency>
       <groupId>org.apache.maven</groupId>
-      <artifactId>maven-aether-provider</artifactId>
+      <artifactId>maven-resolver-provider</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-util</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-util</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-connector-basic</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-connector-basic</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-transport-file</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-transport-file</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-transport-http</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-transport-http</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-spi</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-spi</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-impl</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-impl</artifactId>
     </dependency>
 
     <dependency>

kie-wb-common-screens/kie-wb-common-server-ui/kie-wb-common-server-ui-backend/pom.xml

@@ -189,6 +189,14 @@
           <groupId>javax.inject</groupId>
           <artifactId>javax.inject</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-cipher</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-sec-dispatcher</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-core/pom.xml

@@ -260,8 +260,8 @@
           <artifactId>kie-soup-maven-integration</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>org.eclipse.aether</groupId>
-          <artifactId>aether-util</artifactId>
+          <groupId>org.apache.maven.resolver</groupId>
+          <artifactId>maven-resolver-util</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
@@ -395,8 +395,8 @@
       <artifactId>maven-core</artifactId>
       <exclusions>
         <exclusion>
-          <groupId>org.eclipse.aether</groupId>
-          <artifactId>aether-util</artifactId>
+          <groupId>org.apache.maven.resolver</groupId>
+          <artifactId>maven-resolver-util</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
@@ -457,7 +457,7 @@
     </dependency>
 
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
     </dependency>
 
@@ -494,13 +494,13 @@
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-impl</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-impl</artifactId>
       <scope>runtime</scope>
     </dependency>
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-core/src/main/java/org/kie/workbench/common/services/backend/compiler/configuration/MavenConfig.java

@@ -20,7 +20,8 @@
  */
 public class MavenConfig {
 
-    public static final String DEPS_IN_MEMORY_BUILD_CLASSPATH = "org.kie.workbench.services:kie-wb-common-compiler-maven-plugins:build-classpath";
+    public static final String DEPS_IN_MEMORY_BUILD_CLASSPATH = "org.kie.workbench.services:kie-wb-common-compiler-maven-plugins:"
+            + new ConfigurationUtil().loadKieVersionProperties().getProperty("KIE_VERSION") + ":build-classpath";
 
     public static final String MAVEN_DEP_PLUGING_LOCAL_REPOSITORY = "-Dmdep.localRepoProperty=";
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-core/src/main/java/org/kie/workbench/common/services/backend/compiler/impl/external339/AFMavenCli.java

@@ -1184,7 +1184,7 @@ protected MavenExecutionRequest populateRequest(AFCliRequest cliRequest,
         final String threadConfiguration = commandLine.hasOption(CLIManager.THREADS)
                 ? commandLine.getOptionValue(CLIManager.THREADS)
                 : request.getSystemProperties().getProperty(
-                MavenCli.THREADS_DEPRECATED); // TODO: Remove this setting. Note that the int-tests use it
+                "maven.threads.experimental"); // TODO: Remove this setting. Note that the int-tests use it
 
         if (threadConfiguration != null) {
             //
@@ -1216,7 +1216,7 @@ protected int calculateDegreeOfConcurrencyWithCoreMultiplier(String threadConfig
     }
 
     protected TransferListener getConsoleTransferListener() {
-        return new ConsoleMavenTransferListener(output);
+        return new ConsoleMavenTransferListener(output, true);
     }
 
     //

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-core/src/main/java/org/kie/workbench/common/services/backend/compiler/impl/external339/ReusableAFMavenCli.java

@@ -1227,7 +1227,7 @@ protected MavenExecutionRequest populateRequest(AFCliRequest cliRequest,
         final String threadConfiguration = commandLine.hasOption(CLIManager.THREADS)
                 ? commandLine.getOptionValue(CLIManager.THREADS)
                 : request.getSystemProperties().getProperty(
-                MavenCli.THREADS_DEPRECATED); // TODO: Remove this setting. Note that the int-tests use it
+                "maven.threads.experimental"); // TODO: Remove this setting. Note that the int-tests use it
 
         if (threadConfiguration != null) {
             //
@@ -1259,7 +1259,7 @@ protected int calculateDegreeOfConcurrencyWithCoreMultiplier(String threadConfig
     }
 
     protected TransferListener getConsoleTransferListener() {
-        return new ConsoleMavenTransferListener(output);
+        return new ConsoleMavenTransferListener(output, true);
     }
 
     //

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-distribution/pom.xml

@@ -209,6 +209,14 @@
           <groupId>javax.enterprise</groupId>
           <artifactId>cdi-api</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-cipher</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.sonatype.plexus</groupId>
+          <artifactId>plexus-sec-dispatcher</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-maven-plugins-testing/pom.xml

@@ -116,8 +116,8 @@
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-impl</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-impl</artifactId>
       <scope>test</scope>
     </dependency>
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-maven-plugins/pom.xml

@@ -16,6 +16,7 @@
 
   <properties>
     <java.module.name>org.kie.wb.common.services.backend.compiler.maven.plugins</java.module.name>
+    <version.org.apache.maven.plugins.dependency>3.6.1</version.org.apache.maven.plugins.dependency>
   </properties>
 
   <build>
@@ -134,6 +135,10 @@
           <groupId>org.apache.maven.reporting</groupId>
           <artifactId>maven-reporting-impl</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>javax.inject</groupId>
+          <artifactId>javax.inject</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-offprocess-classpath/pom.xml

@@ -87,8 +87,8 @@
     </dependency>
 
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
 
     <dependency>
@@ -471,7 +471,7 @@
     </dependency>
 
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
     </dependency>
 

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-offprocess-core/pom.xml

@@ -78,8 +78,8 @@
       <artifactId>slf4j-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.uberfire</groupId>
@@ -215,7 +215,7 @@
       <artifactId>plexus-utils</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
     </dependency>
     <dependency>

kie-wb-common-services/kie-wb-common-compiler/kie-wb-common-compiler-offprocess-service/pom.xml

@@ -87,8 +87,8 @@
       <artifactId>slf4j-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.uberfire</groupId>
@@ -224,7 +224,7 @@
       <artifactId>plexus-utils</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
     </dependency>
     <dependency>

kie-wb-common-services/kie-wb-common-services-backend/pom.xml

@@ -256,8 +256,8 @@
       <artifactId>slf4j-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.aether</groupId>
-      <artifactId>aether-api</artifactId>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
     </dependency>
 
     <dependency>
@@ -390,7 +390,7 @@
     </dependency>
 
     <dependency>
-      <groupId>org.sonatype.plexus</groupId>
+      <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-sec-dispatcher</artifactId>
     </dependency>