From 0fa58f4cfbc598a81873f160854a0e4add541dc0 Mon Sep 17 00:00:00 2001
From: Niels Erik <nielserik@indexdata.com>
Date: Wed, 23 Oct 2024 11:20:51 +0200
Subject: [PATCH] MODHAADM-37 exclude commons-beanutils, remove
 commons-digester (#107)

- common-beanutils dependency brought in by masterkey-common and commons-digester, it has arbitrary code execution vulnerability CVE-2014-0114. It appears to be unused.
---
 harvester-admin/pom.xml | 5 -----
 pom.xml                 | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/harvester-admin/pom.xml b/harvester-admin/pom.xml
index 32eaa87e..5fff39fb 100644
--- a/harvester-admin/pom.xml
+++ b/harvester-admin/pom.xml
@@ -65,11 +65,6 @@
       <version>1.0</version>
       <scope>provided</scope>
     </dependency>
-    <dependency>
-      <groupId>commons-digester</groupId>
-      <artifactId>commons-digester</artifactId>
-      <version>1.5</version>
-    </dependency>
     <dependency>
       <groupId>javax.el</groupId>
       <artifactId>el-api</artifactId>
diff --git a/pom.xml b/pom.xml
index 8d852000..dc0218be 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,6 +133,10 @@
           <groupId>log4j</groupId>
           <artifactId>log4j</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>commons-beanutils</groupId>
+          <artifactId>commons-beanutils</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <!-- bump the version of the masterkey-common dependency -->