Updated dependencies, excluded some transitive dependencies with security issues

JohannesJander · JohannesJander · commit da0cdf495aab · 2025-03-04T09:49:39.000+01:00
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>io.frictionlessdata</groupId>
     <artifactId>tableschema-java</artifactId>
-    <version>0.6.16-SNAPSHOT</version>
+    <version>0.6.17-SNAPSHOT</version>
     <packaging>jar</packaging>
     <issueManagement>
         <url>https://github.com/frictionlessdata/tableschema-java/issues</url>
@@ -20,13 +20,14 @@
         <java.version>8</java.version>
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <maven.compiler.target>${java.version}</maven.compiler.target>
-        <google-guava.version>31.1-jre</google-guava.version>
-        <apache-commons-lang3.version>3.12.0</apache-commons-lang3.version>
-        <apache-commons-csv.version>1.10.0</apache-commons-csv.version>
-        <apache-commons-validator.version>1.7</apache-commons-validator.version>
-        <geotools.version>24.6</geotools.version>
-        <jackson.version>2.15.1</jackson.version>
-        <junit.version>5.9.1</junit.version>
+        <maven.compiler.release>${java.version}</maven.compiler.release>
+        <google-guava.version>33.4.0-jre</google-guava.version>
+        <apache-commons-lang3.version>3.17.0</apache-commons-lang3.version>
+        <apache-commons-csv.version>1.13.0</apache-commons-csv.version>
+        <apache-commons-validator.version>1.9.0</apache-commons-validator.version>
+        <geotools.version>32.2</geotools.version>
+        <jackson.version>2.18.3</jackson.version>
+        <junit.version>5.12.0</junit.version>
         <locationtech-jts.version>1.19.0</locationtech-jts.version>
         <networknt-validator-version>1.0.76</networknt-validator-version>
         <maven-compiler-plugin.version>3.10.1</maven-compiler-plugin.version>
@@ -39,8 +40,8 @@
         <maven-release-plugin.version>3.0.0-M7</maven-release-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.8</nexus-staging-maven-plugin.version>
         <coveralls-maven-plugin.version>4.3.0</coveralls-maven-plugin.version>
-        <dependency-check-maven.version>7.4.4</dependency-check-maven.version>
-        <jacoco-maven-plugin.version>0.8.8</jacoco-maven-plugin.version>
+        <dependency-check-maven.version>12.1.0</dependency-check-maven.version>
+        <jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
     </properties>
     <repositories>
         <repository>
@@ -69,26 +70,7 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-resources-plugin</artifactId>
                 <version>${maven-resources-plugin.version}</version>
-                <!--
-                <executions>
-                    <execution>
-                        <id>copy-javadoc</id>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>testResources</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${basedir}/docs/javadoc</outputDirectory>
-                            <resources>
-                                <resource>
-                                    <directory>${basedir}/target/apidocs</directory>
-                                    <filtering>false</filtering>
-                                </resource>
-                            </resources>
-                        </configuration>
-                    </execution>
-                </executions>
-                -->
+
                 <configuration>
                     <encoding>UTF-8</encoding>
                 </configuration>
@@ -135,21 +117,21 @@
                     </execution>
                 </executions>
             </plugin>
-<!--
-            <plugin>
-                <artifactId>maven-deploy-plugin</artifactId>
-                <version>${maven-deploy-plugin.version}</version>
-                <executions>
-                    <execution>
-                        <id>default-deploy</id>
-                        <phase>deploy</phase>
-                        <goals>
-                            <goal>deploy</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
--->
+            <!--
+                        <plugin>
+                            <artifactId>maven-deploy-plugin</artifactId>
+                            <version>${maven-deploy-plugin.version}</version>
+                            <executions>
+                                <execution>
+                                    <id>default-deploy</id>
+                                    <phase>deploy</phase>
+                                    <goals>
+                                        <goal>deploy</goal>
+                                    </goals>
+                                </execution>
+                            </executions>
+                        </plugin>
+            -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-gpg-plugin</artifactId>
@@ -232,8 +214,8 @@
 
         </plugins>
     </build>
-    <dependencies>
 
+    <dependencies>
         <!-- Dependencies for Bean-based Schema inferal -->
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
@@ -248,24 +230,64 @@
             <version>${jackson.version}</version>
         </dependency>
 
-		<dependency>
-		    <groupId>com.fasterxml.jackson.core</groupId>
-		    <artifactId>jackson-databind</artifactId>
-		    <version>${jackson.version}</version>
-		</dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson.version}</version>
+        </dependency>
 
         <!-- Dependencies for Geopoint/Geojson Fields -->
         <dependency>
             <groupId>org.geotools</groupId>
-            <artifactId>gt-opengis</artifactId>
+            <artifactId>gt-main</artifactId>
             <version>${geotools.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.emf</groupId>
+                    <artifactId>org.eclipse.emf.common</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.geotools</groupId>
+                    <artifactId>gt-http</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.geotools</groupId>
+            <artifactId>gt-api</artifactId>
+            <version>${geotools.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.emf</groupId>
+                    <artifactId>org.eclipse.emf.common</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.geotools</groupId>
+            <artifactId>gt-metadata</artifactId>
+            <version>${geotools.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.emf</groupId>
+                    <artifactId>org.eclipse.emf.common</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.geotools.ogc</groupId>
+                    <artifactId>net.opengis.ows</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
-
-        <!-- Dependencies for Geopoint/Geojson Fields -->
         <dependency>
             <groupId>org.geotools</groupId>
-            <artifactId>gt-geometry</artifactId>
+            <artifactId>gt-referencing</artifactId>
             <version>${geotools.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.emf</groupId>
+                    <artifactId>org.eclipse.emf.common</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
@@ -280,6 +302,20 @@
             <groupId>commons-validator</groupId>
             <artifactId>commons-validator</artifactId>
             <version>${apache-commons-validator.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-beanutils</groupId>
+                    <artifactId>commons-beanutils</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-digester</groupId>
+                    <artifactId>commons-digester</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!-- https://commons.apache.org/proper/commons-csv/ -->
         <dependency>
@@ -290,9 +326,15 @@
 
         <!-- JSON Schema Validator -->
         <dependency>
-        	<groupId>com.networknt</groupId>
-        	<artifactId>json-schema-validator</artifactId>
-        	<version>${networknt-validator-version}</version>
+            <groupId>com.networknt</groupId>
+            <artifactId>json-schema-validator</artifactId>
+            <version>${networknt-validator-version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>ch.qos.logback</groupId>
+                    <artifactId>logback-classic</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
diff --git a/src/main/java/io/frictionlessdata/tableschema/schema/BeanSchema.java b/src/main/java/io/frictionlessdata/tableschema/schema/BeanSchema.java
@@ -14,7 +14,7 @@
 import io.frictionlessdata.tableschema.field.*;
 import io.frictionlessdata.tableschema.util.ReflectionUtil;
 import org.apache.commons.lang3.StringUtils;
-import org.geotools.geometry.DirectPosition2D;
+import org.geotools.geometry.Position2D;
 import org.locationtech.jts.geom.Coordinate;
 
 import java.math.BigDecimal;
@@ -143,7 +143,7 @@ else if ((declaredClass.equals(LocalTime.class))
                                 || (declaredClass.equals(OffsetTime.class)))
                             field = new TimeField(name);
                         else if ((declaredClass.equals(Coordinate.class))
-                                || (declaredClass.equals(DirectPosition2D.class)))
+                                || (declaredClass.equals(Position2D.class)))
                             field = new GeopointField(name);
                         else if (declaredClass.equals(JsonNode.class))
                             field = new ObjectField(name);
