From e0d71bb74647e5d87b14ede07c30d07c3fb0f5fe Mon Sep 17 00:00:00 2001
From: Pamela Dragosh <pdragosh@research.att.com>
Date: Thu, 22 Feb 2018 11:58:47 -0500
Subject: Force dependency upgrade and exclusions

LCM security issues are identified with plexus-utils and xstream. There
is no clear upgrade to the org.kie.* dependencies with a fix for both of
these. We will determine via testing as to whether these exclusions will
result in failure.

Issue-ID: POLICY-506
Change-Id: I9cefb814bb11a9babc4e4a2e47071ab74a46c011
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
---
 policy-core/pom.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

(limited to 'policy-core/pom.xml')

diff --git a/policy-core/pom.xml b/policy-core/pom.xml
index 4bfd23ad..8cecd362 100644
--- a/policy-core/pom.xml
+++ b/policy-core/pom.xml
@@ -31,6 +31,23 @@
   </parent>
 
   <dependencies>
+    <!--
+    Issue: 1 of 2
+    These 2 dependencies are trying to upgrade security fixes
+    identified. If they are removed or manipulated then please
+    fix the 2nd change as noted below. 
+    -->
+    <dependency>
+        <groupId>org.codehaus.plexus</groupId>
+        <artifactId>plexus-utils</artifactId>
+        <version>3.0.24</version>
+    </dependency>
+    <dependency>
+        <groupId>com.thoughtworks.xstream</groupId>
+        <artifactId>xstream</artifactId>
+        <version>1.4.10</version>
+    </dependency>
+
     <dependency>
       <groupId>org.kie</groupId>
       <artifactId>kie-api</artifactId>
@@ -40,6 +57,22 @@
       <groupId>org.kie</groupId>
       <artifactId>kie-ci</artifactId>
       <version>6.5.0.Final</version>
+      <!--
+      Issue: 2 of 2
+      Excluding these 2 dependencies in order to force upgrade security fixes
+      identified. As declared above. Any changes here should be reflected above
+      and vice versa.
+      -->
+      <exclusions>
+        <exclusion>
+            <groupId>org.codehaus.plexus</groupId>
+            <artifactId>plexus-utils</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.drools</groupId>
-- 
cgit 1.2.3-korg