#15 Removing Doxia Site Renderer to address CVE-2020-13936

Removing Doxia Site Renderer to address CVE-2020-13936.  Plugin code isn't very pretty right now, but it works.

Author: jimbethancourt

pom.xml

@@ -73,11 +73,6 @@
         <sonar.organization>jimbethancourt-github</sonar.organization>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
 
-        <!-- Transitive dependency version overrides -->
-        <!-- Needed to address Struts 1.3.8 vulnerabilities brought in by maven-reporting-impl -->
-        <doxiaVersion>1.9.1</doxiaVersion>
-        <doxiaSitetoolsVersion>1.9.2</doxiaSitetoolsVersion>
-
         <maven.core.version>3.8.1</maven.core.version>
     </properties>
 

refactor-first-maven-plugin/pom.xml

@@ -18,78 +18,13 @@
             <artifactId>graph-data-generator</artifactId>
         </dependency>
 
-        <!--
-        Added to address https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078
-        Commons collections is used in maven-reporting-impl
-        -->
-        <dependency>
-            <groupId>commons-collections</groupId>
-            <artifactId>commons-collections</artifactId>
-            <version>3.2.2</version>
-        </dependency>
-
-        <!-- Needed since Doxia 1.9.2 and httpclient use     an insecure version -->
-        <dependency>
-            <groupId>commons-codec</groupId>
-            <artifactId>commons-codec</artifactId>
-            <version>1.15</version>
-        </dependency>
-
-        <!-- Needed since Doxia 1.9.2 uses an insecure version -->
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
-        </dependency>
-
-        <!-- Needed since Doxia 1.9.2 uses an insecure version -->
-        <dependency>
-            <groupId>org.codehaus.plexus</groupId>
-            <artifactId>plexus-utils</artifactId>
-            <version>3.3.0</version>
-        </dependency>
-
-        <!-- Doxia -->
-        <!-- Needed since maven-reporting-impl brings in Struts 1.3.8 jars that have CVSS > 8 -->
-        <dependency>
-            <groupId>org.apache.maven.doxia</groupId>
-            <artifactId>doxia-sink-api</artifactId>
-            <version>${doxiaVersion}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.maven.doxia</groupId>
-            <artifactId>doxia-decoration-model</artifactId>
-            <version>${doxiaSitetoolsVersion}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.maven.doxia</groupId>
-            <artifactId>doxia-core</artifactId>
-            <version>${doxiaVersion}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.maven.doxia</groupId>
-            <artifactId>doxia-site-renderer</artifactId>
-            <version>${doxiaSitetoolsVersion}</version>
-        </dependency>
-
+        <!-- Maven Reporting -->
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-core</artifactId>
             <version>${maven.core.version}</version>
         </dependency>
 
-        <!-- Maven Reporting -->
-        <dependency>
-            <groupId>org.apache.maven.reporting</groupId>
-            <artifactId>maven-reporting-impl</artifactId>
-            <version>3.0.0</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.maven.reporting</groupId>
-            <artifactId>maven-reporting-api</artifactId>
-            <version>3.0</version>
-        </dependency>
-
         <!-- plugin API and plugin-tools -->
         <dependency>
             <groupId>org.apache.maven</groupId>