
Force velocity-engine-core to 2.4 in dptManagement so it does not bring in a version depending on commons-io with a CVE; even if not reachable, at least this will make the scanner stop reporting a non-existing problem... #460

Open: wants to merge 2 commits into main

Conversation

olamy (Member) commented Nov 15, 2024

Some dependency scanning tools are complaining about this plugin being affected by https://nvd.nist.gov/vuln/detail/CVE-2024-47554
because there is a transitive dependency on commons-io via velocity-core-engine 2.3, even though commons-io is shaded and the affected class is not in the shaded jar...
So, to make those "smart" scanners stop complaining, an upgrade to velocity 2.4 will prevent them from seeing the transitive dependency on commons-io.

…sion depending on commons-io with CVE, even if not reachable at least this will make scanner to stop reporting non existing problem...

Signed-off-by: Olivier Lamy <[email protected]>
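As an added illustration (not the diff of this PR, which is not shown on the page), this is what the described change looks like in a Maven pom: the plugin's `dependencyManagement` section pins velocity-engine-core to 2.4, so that the resolved tree no longer contains the commons-io artifact that scanners match against CVE-2024-47554. The groupId `org.apache.velocity` is the artifact's real Maven Central coordinate; the surrounding plugin pom, and the claim that velocity 2.4 drops the commons-io dependency, are taken from this PR's description, not independently verified here.

```xml
<!-- Added example, not the PR's own change. The enclosing <project> is
     the plugin pom; only the dependencyManagement fragment is relevant. -->
<project>
  <!-- ... plugin coordinates, parent, properties ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive velocity version so the resolved tree no
           longer pulls in the commons-io version flagged for
           CVE-2024-47554 (the class is shaded and unreachable anyway,
           per the PR description; this only quiets the scanner). -->
      <dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>2.4</version>
      </dependency>
      <!-- TODO: remove this pin once the upstream dependency that brings
           in velocity 2.3 is updated, so the override does not go stale. -->
    </dependencies>
  </dependencyManagement>

  <!-- ... regular <dependencies> unchanged ... -->
</project>
```

To confirm the pin has the intended effect, run `mvn dependency:tree -Dincludes=commons-io` before and after the change: with the pin in place the command should list no commons-io node, which is exactly the condition the scanner is keying on. The TODO comment is the practical answer to the maintainer's concern below about having to remember to remove a version override that exists only to satisfy a scanner.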
olamy (Member, Author) commented Nov 27, 2024

@kuisathaverat Hi by chance would you be able to merge and release this very simple PR?

kuisathaverat commented

@kuisathaverat Hi by chance would you be able to merge and release this very simple PR?

It is not the simplicity of the PR; it is its convenience. The plugin is not affected by any security issue. The "smart" scanners are not doing their work well, so we have to enforce a dependency that, at some point, I have to remember to remove. That means you and I are wasting our precious time because something is broken by design.
If you need to calm some thick minds, you could use the incremental version of this PR to pass that "smart" scanner. I think I will wait for the transitive dependency to be updated at the origin.

https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/saml/4.509.v0a_24a_922da_05/

2 participants