From 89c40cd00d935eedc756010fa22f0e9d45b53a52 Mon Sep 17 00:00:00 2001
From: sriadapa <srinivasarao.adapa@publicissapient.com>
Date: Fri, 2 May 2025 17:20:47 +0100
Subject: [PATCH] fix: Trivy Security Vulnerability issues

---
 mockserver-client-java/pom.xml         |  6 +++
 mockserver-core/pom.xml                | 38 ++++++++++++++
 mockserver-examples/pom.xml            | 35 ++++++++++++-
 mockserver-integration-testing/pom.xml | 14 +++++
 mockserver-netty/pom.xml               | 71 +++++++++++++++++++++++++-
 pom.xml                                | 20 +++++---
 6 files changed, 174 insertions(+), 10 deletions(-)

diff --git a/mockserver-client-java/pom.xml b/mockserver-client-java/pom.xml
index 6f0ee8065..8046af4db 100644
--- a/mockserver-client-java/pom.xml
+++ b/mockserver-client-java/pom.xml
@@ -14,6 +14,11 @@
     <description>A java client for the MockServer</description>
     <url>https://www.mock-server.com</url>
 
+    <properties>
+        <guava.version>32.0.0-android</guava.version>
+        <guava.version>31.1-jre</guava.version>
+    </properties>
+
     <dependencies>
         <!-- mockserver -->
         <dependency>
@@ -34,6 +39,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
         </dependency>
 
         <!-- logging -->
diff --git a/mockserver-core/pom.xml b/mockserver-core/pom.xml
index 1faf0f434..b379929bc 100644
--- a/mockserver-core/pom.xml
+++ b/mockserver-core/pom.xml
@@ -14,6 +14,14 @@
     <description>Functionality used by all MockServer modules for matching and expectations</description>
     <url>https://www.mock-server.com</url>
 
+    <properties>
+        <netty.version>4.1.118.Final</netty.version>
+        <guava.version>31.1-jre</guava.version>
+        <nimbus-jose-jwt.version>9.37.2</nimbus-jose-jwt.version>
+        <commons-io.version>2.14.0</commons-io.version>
+        <velocity.version>2.4</velocity.version>
+    </properties>
+
     <dependencies>
         <!-- mockserver -->
         <dependency>
@@ -38,34 +46,42 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-buffer</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http2</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-socks</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler-proxy</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-transport</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
@@ -98,21 +114,28 @@
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${nimbus-jose-jwt.version}</version>
         </dependency>
 
         <!-- templating -->
         <dependency>
             <groupId>org.apache.velocity</groupId>
             <artifactId>velocity-engine-scripting</artifactId>
+            <version>${velocity.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
             <artifactId>velocity-engine-core</artifactId>
+            <version>${velocity.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.apache.commons</groupId>
                     <artifactId>commons-lang3</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-io</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -163,12 +186,25 @@
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path</artifactId>
+            <version>2.9.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>net.minidev</groupId>
+                    <artifactId>json-smart</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>2.5.2</version>
         </dependency>
 
         <!-- open api -->
         <dependency>
             <groupId>io.swagger.parser.v3</groupId>
             <artifactId>swagger-parser</artifactId>
+            <version>2.1.12</version>
         </dependency>
 
         <!-- xml -->
@@ -198,6 +234,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
+            <version>${commons-io.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -216,6 +253,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
         </dependency>
 
         <!-- classpath scanning -->
diff --git a/mockserver-examples/pom.xml b/mockserver-examples/pom.xml
index 9b969191a..59eb4f6b0 100644
--- a/mockserver-examples/pom.xml
+++ b/mockserver-examples/pom.xml
@@ -21,6 +21,9 @@
         <!-- highest jetty version is 9.4 due to Java 1.8 version -->
         <jetty.version>9.4.50.v20221201</jetty.version>
         <google-http-client.version>1.42.3</google-http-client.version>
+        <netty.version>4.1.118.Final</netty.version>
+        <guava.version>32.0.0-android</guava.version>
+        <snakeyaml.version>2.0</snakeyaml.version>
     </properties>
 
     <dependencyManagement>
@@ -53,7 +56,7 @@
                 <!-- Conflicting versions in swagger-parser and spring-boot-starter-webflux -->
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>
-                <version>1.33</version>
+                <version>${snakeyaml.version}</version>
             </dependency>
             <dependency>
                 <!-- Conflicting versions in spring-boot-starter-webflux and spring-context / spring-webmvc -->
@@ -159,34 +162,42 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-buffer</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-socks</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-common</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler-proxy</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-transport</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
@@ -195,6 +206,7 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-resolver</artifactId>
+            <version>${netty.version}</version>
         </dependency>
 
         <!-- Jersey HTTP Client -->
@@ -229,11 +241,31 @@
             <groupId>com.google.http-client</groupId>
             <artifactId>google-http-client</artifactId>
             <version>${google-http-client.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.j2objc</groupId>
+                    <artifactId>j2objc-annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-io</groupId>
+                    <artifactId>commons-io</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>com.google.http-client</groupId>
             <artifactId>google-http-client-jackson2</artifactId>
             <version>${google-http-client.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.j2objc</groupId>
+                    <artifactId>j2objc-annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-io</groupId>
+                    <artifactId>commons-io</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <!-- OK HTTP Client -->
@@ -270,6 +302,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
         </dependency>
 
         <!-- Spring -->
diff --git a/mockserver-integration-testing/pom.xml b/mockserver-integration-testing/pom.xml
index d0eb72322..e99ea9e86 100644
--- a/mockserver-integration-testing/pom.xml
+++ b/mockserver-integration-testing/pom.xml
@@ -14,6 +14,12 @@
     <description>A module used to simplify integration testing of all MockServer versions by sharing commons integration testing components</description>
     <url>https://www.mock-server.com</url>
 
+    <properties>
+        <netty.version>4.1.118.Final</netty.version>
+        <guava.version>32.0.0-android</guava.version>
+        <commons-io.version>2.14.0</commons-io.version>
+    </properties>
+
     <dependencies>
         <!-- MockServer -->
         <dependency>
@@ -34,26 +40,32 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-buffer</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-common</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-transport</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
@@ -70,11 +82,13 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
             <scope>compile</scope>
+            <version>${commons-io.version}</version>
         </dependency>
 
         <!-- logging -->
diff --git a/mockserver-netty/pom.xml b/mockserver-netty/pom.xml
index fea035a21..986306b29 100644
--- a/mockserver-netty/pom.xml
+++ b/mockserver-netty/pom.xml
@@ -14,10 +14,36 @@
 
     <properties>
         <maven-invoker-parallel-threads>2</maven-invoker-parallel-threads>
+        <!-- Updated dependency versions to fix vulnerabilities -->
+        <netty.version>4.1.118.Final</netty.version>
+        <commons-io.version>2.14.0</commons-io.version>
+        <guava.version>32.0.0-android</guava.version>
+        <json-smart.version>2.5.2</json-smart.version>
+        <snakeyaml.version>2.0</snakeyaml.version>
+        <nimbus-jose-jwt.version>9.37.2</nimbus-jose-jwt.version>
+        <xmlunit.version>2.10.0</xmlunit.version>
     </properties>
-
+    <repositories>
+        <repository>
+            <id>sonatype-nexus-snapshots</id>
+            <name>sonatype-nexus-snapshots</name>
+            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+            <releases>
+            <enabled>true</enabled>
+            </releases>
+            <snapshots>
+            <enabled>true</enabled>
+            </snapshots>
+        </repository>
+        </repositories>
     <dependencies>
         <!-- mockserver -->
+        <!-- <dependency>
+            <groupId>org.openjdk.nashorn</groupId>
+            <artifactId>nashorn-core</artifactId>
+            <version>15.3</version>
+        </dependency> -->
+
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>mockserver-client-java</artifactId>
@@ -41,30 +67,37 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-buffer</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http2</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-common</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-transport</artifactId>
+            <version>${netty.version}</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
@@ -75,10 +108,34 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
+            <version>${commons-io.version}</version>
         </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
+        </dependency>
+
+        <!-- Additional dependency updates to fix vulnerabilities -->
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${nimbus-jose-jwt.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>${json-smart.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${snakeyaml.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.xmlunit</groupId>
+            <artifactId>xmlunit-core</artifactId>
+            <version>${xmlunit.version}</version>
         </dependency>
 
         <!-- logging -->
@@ -441,6 +498,18 @@
                                         <exclude>samples/**</exclude>
                                     </excludes>
                                 </filter>
+                                <filter>
+                                    <artifact>org.apache.velocity:velocity-engine-core</artifact>
+                                    <excludes>
+                                        <exclude>org/apache/velocity/util/ExceptionUtils.java</exclude>
+                                    </excludes>
+                                    </filter>
+                                    <filter>
+                                    <artifact>commons-io:commons-io</artifact>
+                                    <includes>
+                                        <include>**</include>
+                                    </includes>
+                                </filter>
                             </filters>
                         </configuration>
                     </execution>
diff --git a/pom.xml b/pom.xml
index 05d663ac9..dd9d61123 100644
--- a/pom.xml
+++ b/pom.xml
@@ -56,8 +56,12 @@
         <project.build.sourceEncoding>UTF8</project.build.sourceEncoding>
         <slf4j.version>2.0.6</slf4j.version>
         <jackson.version>2.14.2</jackson.version>
-        <velocity.version>2.3</velocity.version>
-        <netty.version>4.1.89.Final</netty.version>
+        <velocity.version>2.4</velocity.version>
+        <netty.version>4.1.118.Final</netty.version>
+        <guava.version>31.1-jre</guava.version>
+        <nimbus-jose-jwt.version>9.37.2</nimbus-jose-jwt.version>
+        <commons-io.version>2.14.0</commons-io.version>
+        <snakeyaml.version>2.0</snakeyaml.version>
         <httpcomponents.version>4.4.1</httpcomponents.version>
         <bouncycastle.version>1.72</bouncycastle.version>
         <!-- highest spring version is 5.3 due to Java 1.8 version -->
@@ -284,7 +288,7 @@
             <dependency>
                 <groupId>com.nimbusds</groupId>
                 <artifactId>nimbus-jose-jwt</artifactId>
-                <version>9.30.2</version>
+                <version>${nimbus-jose-jwt.version}</version>
             </dependency>
 
             <!-- templating -->
@@ -347,14 +351,14 @@
             <dependency>
                 <groupId>com.jayway.jsonpath</groupId>
                 <artifactId>json-path</artifactId>
-                <version>2.7.0</version>
+                <version>2.9.0</version>
             </dependency>
 
             <!-- open api -->
             <dependency>
                 <groupId>io.swagger.parser.v3</groupId>
                 <artifactId>swagger-parser</artifactId>
-                <version>2.1.12</version>
+                <version>2.1.22</version>
                 <exclusions>
                     <exclusion>
                         <groupId>com.github.fge</groupId>
@@ -414,12 +418,12 @@
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
-                <version>2.11.0</version>
+                <version>${commons-io.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.google.guava</groupId>
                 <artifactId>guava</artifactId>
-                <version>31.1-jre</version>
+                <version>${guava.version}</version>
             </dependency>
 
             <!-- classpath scanning -->
@@ -563,7 +567,7 @@
                 <!-- Conflicting versions in swagger-parser -->
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>
-                <version>1.33</version>
+                <version>${snakeyaml.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>