From eb66bd0e23b1abc91454d0a4d4210b775d5dbe5d Mon Sep 17 00:00:00 2001
From: Mohammad Arshad <arshad@apache.org>
Date: Tue, 3 Sep 2024 09:11:45 +0530
Subject: [PATCH] [Improvement] [Seatunnel-web] velocity-1.7.jar have multiple
 CVEs, upgrade all maven plugins which depend on this. (#202)

---
 pom.xml                                   | 17 ++++++++++++++---
 tools/dependencies/known-dependencies.txt |  4 ++--
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index df7621ed5..e0df3bf20 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,7 +51,7 @@
         <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
         <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
         <maven-failsafe-plugin.version>2.22.2</maven-failsafe-plugin.version>
-        <maven-javadoc-plugin.version>2.9.1</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>3.10.0</maven-javadoc-plugin.version>
         <maven-compiler-plugin.version>3.10.1</maven-compiler-plugin.version>
         <maven-assembly-plugin.version>3.3.0</maven-assembly-plugin.version>
         <maven-helper-plugin.version>3.2.0</maven-helper-plugin.version>
@@ -84,6 +84,8 @@
         <e2e.dependency.skip>true</e2e.dependency.skip>
         <maven-dependency-plugin.version>3.1.1</maven-dependency-plugin.version>
         <flatten-maven-plugin.version>1.3.0</flatten-maven-plugin.version>
+        <maven-remote-resources-plugin.version>3.2.0</maven-remote-resources-plugin.version>
+        <maven-site-plugin.version>4.0.0-M16</maven-site-plugin.version>
 
         <spring-boot.version>2.6.8</spring-boot.version>
         <spring.version>5.3.20</spring.version>
@@ -103,9 +105,8 @@
         <hadoop-aws.version>3.1.4</hadoop-aws.version>
         <aws-java-sdk-bundle.version>1.11.271</aws-java-sdk-bundle.version>
         <spotless.version>2.29.0</spotless.version>
-        <logback.version>1.2.11</logback.version>
+        <logback.version>1.5.7</logback.version>
         <log4j2.version>2.17.1</log4j2.version>
-        <logback.version>1.2.3</logback.version>
         <commons-logging.version>1.2</commons-logging.version>
         <log4j.version>1.2.17</log4j.version>
         <log4j-core.version>2.17.1</log4j-core.version>
@@ -1546,6 +1547,16 @@
                 <groupId>com.diffplug.spotless</groupId>
                 <artifactId>spotless-maven-plugin</artifactId>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-remote-resources-plugin</artifactId>
+                <version>${maven-remote-resources-plugin.version}</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>${maven-site-plugin.version}</version>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index c6a0d02f9..28e6b0b2b 100644
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -106,8 +106,8 @@ jcommander-1.81.jar
 log4j-api-2.17.1.jar
 log4j-over-slf4j-1.7.36.jar
 log4j-to-slf4j-2.17.1.jar
-logback-classic-1.2.3.jar
-logback-core-1.2.3.jar
+logback-classic-1.5.7.jar
+logback-core-1.5.7.jar
 protostuff-api-1.8.0.jar
 protostuff-collectionschema-1.8.0.jar
 protostuff-core-1.8.0.jar