Update Mend: high confidence minor and patch dependency updates

[mend-for-github.aaakk.us.kg]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.xmlunit:xmlunit-matchers (source)	2.9.0 -> 2.10.0
org.xmlunit:xmlunit-core (source)	2.9.0 -> 2.10.0
com.github.tomakehurst:wiremock-jre8 (source)	2.32.0 -> 2.35.2
commons-io:commons-io (source)	2.11.0 -> 2.12.0
org.projectlombok:lombok (source)	1.18.22 -> 1.18.36
org.apache.maven.plugins:maven-site-plugin	3.10.0 -> 3.21.0
org.apache.maven.plugins:maven-resources-plugin	3.2.0 -> 3.3.1
org.apache.maven.plugins:maven-jar-plugin	3.2.2 -> 3.4.2
org.apache.maven.plugins:maven-install-plugin	3.0.0-M1 -> 3.1.3
org.apache.maven.plugins:maven-deploy-plugin	3.0.0-M1 -> 3.1.3
org.apache.maven.plugins:maven-clean-plugin	3.1.0 -> 3.4.0
org.sonatype.plugins:nexus-staging-maven-plugin (source)	1.6.8 -> 1.7.0
org.apache.maven.plugins:maven-javadoc-plugin	3.3.1 -> 3.11.2
org.apache.maven.plugins:maven-source-plugin	3.2.1 -> 3.3.1
org.apache.maven.plugins:maven-gpg-plugin	3.0.1 -> 3.2.7
com.github.spotbugs:spotbugs-maven-plugin (source)	4.5.3.0 -> 4.8.6.6
org.apache.maven.plugins:maven-compiler-plugin	3.9.0 -> 3.13.0
org.apache.maven.plugins:maven-enforcer-plugin	3.0.0 -> 3.5.0
org.slf4j:slf4j-simple (source, changelog)	1.7.35 -> 1.7.36
org.slf4j:slf4j-api (source, changelog)	1.7.35 -> 1.7.36
org.codehaus.mojo:license-maven-plugin (source)	2.0.0 -> 2.5.0

By merging this PR, the issue #31 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
Medium	4.3	CVE-2024-47554

---

Release Notes

xmlunit/xmlunit (org.xmlunit:xmlunit-matchers)

v2.10.0

Compare Source

• add a new ElementSelectors.byNameAndAllAttributes variant that filters attributes before deciding whether elements can
  be compared.
  Inspired by Issue #​259

• By default the TransformerFactorys created will now try to disable extension functions. If you need extension
  functions for your transformations you may want to pass in your own instance of TransformerFactory and
  TransformerFactoryConfigurer may help with that.
  Inspired by Issue #​264
  This is tracked as CVE-2024-31573.

• JAXPXPathEngine will now try to disable the execution of extension functions by default but uses
  XPathFactory#setProperty which is not available prior to Java 18. You may want to enable secure processing on an
  XPathFactory instance you pass to JAXPXPathEngine instead - and XPathFactoryConfigurer may help with that.

v2.9.1

Compare Source

• fixed some AssertJ tests that didn't work on Windows.
  Issue #​252 and PR
  #​253 by
  @​Boiarshinov

• added overloads to ElementSelectors.byXPath that accept a XPathEngine
  argument.
  Issue #​255

• added Cyclone DX SBOMs to release artifacts

wiremock/wiremock (com.github.tomakehurst:wiremock-jre8)

v2.35.2

Compare Source

v2.35.1: - Security Release

Compare Source

🔒 This is a security release that addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS
  Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @​W0rty, @​numacanedo, @​Mahoney, @​tomakehurst, @​oleg-nenashev

v2.35.0

Compare Source

Enhancements

• Add a negative contains matcher - thanks Damian Orzepowski
• Expose a Java API method for removing stubs by ID - thanks Patryk Fraczek
• Document the import API in the OpenAPI doc - thanks to user i-whammy
• Added the ability to restrict the addresses WireMock can proxy/record to, as a security measure.

Fixes

• Strip Maven directories from the standalone JAR as some were appearing that weren't related to dependencies actually present, confusing scanning tools - thanks to user krageon
• Dropped back to slf4j 1.7.36 and relocate it in the standalone JAR (ensuring 2.x users won't experience conflicts).

v2.34.0

Compare Source

This will be the final 2.x.x release and also the last to support Java 8.

Fixes

• Fixed #​1689 - incorrect HTTP version header - thanks to user Poojitha
• Fixed #​1882 - bug preventing matching of date/time query params/headers with custom format - thanks Klaas Dellschaft
• #​1930 - Fixed a partial path traversal vulnerability in the file source code - thanks Jonathan Leitschuh
• Fixed #​1783 - proxyUrlPrefixToRemove ignored when using a response definition transformer - thanks to user Ross-H-Projects
• Fixed #​1872 - create a request entity for POST, PUT etc. proxied requests when a content-length header is present, regardless of whether the size is 0.
• Fixed #​1946 - maths helper now supports epoch dates as inputs.

Enhancements

• Added a public, non-static getScenarios() method allowing access to all scenarios.

All dependencies brought up to date including Jetty to 9.4.48.v20220622.

v2.33.2

Compare Source

WireMock 2.33.1 was accidentally released using Java 11 rather than 8, resulting in class incompatibilities in places.

This release is functionally identical but built using Java 8.

v2.33.1

Compare Source

Fixes

• Put name field back on scenario API object having accidentally removed it.
• Improved validation of scenario set and reset so that reasonable errors are returned when attempting to use non-existent scenario names or states.

v2.33.0

Compare Source

This is primarily a maintenance release that brings all dependency versions up to date including a version of Jackson containing the fix for CVE-2020-36518.

Enhancements

• Added the ability to set and reset a single scenario's state
• Proxy will now send a request body for any request method.
• CORS response headers are now passed back from proxy responses when stub CORS is disabled.

Performance

• Improved performance of Request.getHeaders() - thanks Doug Roper.
• Improved performance of response body JSON parsing - thanks also Doug Roper.

projectlombok/lombok (org.projectlombok:lombok)

v1.18.36

Compare Source

v1.18.34

Compare Source

v1.18.32

Compare Source

v1.18.30

Compare Source

v1.18.28

Compare Source

v1.18.26

Compare Source

v1.18.24

Compare Source

sonatype/nexus-maven-plugins (org.sonatype.plugins:nexus-staging-maven-plugin)

v1.7.0

Compare Source

v1.6.14

Compare Source

v1.6.13

Compare Source

v1.6.12

Compare Source

v1.6.11

Compare Source

v1.6.10

Compare Source

mojohaus/license-maven-plugin (org.codehaus.mojo:license-maven-plugin)

v2.5.0

Compare Source

❗ NOTICE

Due to Doxia 2.x stack maven-site-plugin 3.20+ is required.
https://cwiki.apache.org/confluence/display/MAVEN/Towards+Doxia+2.0.0+Stack

🚀 New features and improvements

• Update Doxia to 2.x stack (#​603) @​slawekjaranowski
• Added an option to control if output directory is added as resource directory (#​580) @​AB-xdev
• Enhance exception handling for license execution when the URL tag of the license is empty. (#​588) @​djjeon
• Parallel processing of files (#​568) @​mkarg

🐛 Bug Fixes

• Manage open streams in correct way (#​609) @​slawekjaranowski
• licenseName is required (#​607) @​vitalijr2
• Fix issue #​560: fail to download license file because license name contains invalid characters (#​561) @​nhuongmh
• Generate latest version of mvnw with no additional resources (#​551) @​VonUniGE

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-to-slf4j from 2.24.1 to 2.24.2 (#​612) @​dependabot
• Bump commons-io:commons-io from 2.17.0 to 2.18.0 (#​611) @​dependabot
• Update Doxia to 2.x stack (#​603) @​slawekjaranowski
• Bump org.codehaus.mojo:mojo-parent from 85 to 86 (#​590) @​dependabot
• Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2 (#​594) @​dependabot
• Bump commons-io:commons-io from 2.16.1 to 2.17.0 (#​592) @​dependabot
• Bump commons-logging:commons-logging from 1.3.3 to 1.3.4 (#​584) @​dependabot
• Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 (#​585) @​dependabot
• Bump org.apache.commons:commons-lang3 from 3.15.0 to 3.16.0 (#​582) @​dependabot
• Bump org.codehaus.mojo:mojo-parent from 84 to 85 (#​583) @​dependabot
• Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.15.0 (#​578) @​dependabot
• Bump commons-logging:commons-logging from 1.3.2 to 1.3.3 (#​577) @​dependabot
• Bump org.apache.poi:poi-ooxml from 5.2.5 to 5.3.0 (#​576) @​dependabot
• Bump org.codehaus.mojo:mojo-parent from 80 to 84 (#​573) @​dependabot
• Bump org.freemarker:freemarker from 2.3.32 to 2.3.33 (#​570) @​dependabot
• Bump commons-logging:commons-logging from 1.3.1 to 1.3.2 (#​565) @​dependabot
• Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1 (#​566) @​dependabot
• Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1 (#​559) @​dependabot
• Bump commons-io:commons-io from 2.16.0 to 2.16.1 (#​558) @​dependabot
• Bump commons-io:commons-io from 2.15.1 to 2.16.0 (#​556) @​dependabot
• Bump commons-logging:commons-logging from 1.3.0 to 1.3.1 (#​555) @​dependabot
• Bump org.codehaus.mojo:mojo-parent from 78 to 80 (#​548) @​dependabot

👻 Maintenance

• Replace deprecated Component annotation (#​613) @​slawekjaranowski
• Use WireMock in integration test (#​610) @​slawekjaranowski
• Move to jUnit5 (#​608) @​vitalijr2
• Add Log4j2 to SLF4J Adapter (#​605) @​slawekjaranowski
• Drop Maven wrapper from project (#​602) @​slawekjaranowski
• Re-enable checkstyle plugin (#​589) @​slawekjaranowski
• Prepare for doxia 2.0 (#​575) @​slawekjaranowski
• Bump apache/maven-gh-actions-shared from 3 to 4 (#​550) @​dependabot

🔧 Build

• Build with Maven 4 (#​574) @​slawekjaranowski

v2.4.0

Compare Source

🚀 New features and improvements

• Require Maven 3.6.3 as minimum (#​543) @​slawekjaranowski
• Get rid usage of MavenSession#lookup (#​541) @​slawekjaranowski
• Deploy snapshot version to oss.sonatype.org (#​539) @​slawekjaranowski
• Write Excel files with extensive License Information (inc. infos from the JARs) (#​527) @​Master-Code-Programmer

🐛 Bug Fixes

• update xsd to match generated xmls (#​528) @​amanica

📦 Dependency updates

• Bump org.codehaus.mojo:mojo-parent from 77 to 78 (#​542) @​dependabot
• Bump org.apache.poi:poi-ooxml from 5.2.4 to 5.2.5 (#​537) @​dependabot
• Bump commons-io:commons-io from 2.13.0 to 2.15.1 (#​535) @​dependabot
• Bump commons-logging:commons-logging from 1.2 to 1.3.0 (#​532) @​dependabot
• Bump org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0 (#​530) @​dependabot
• Bump commons-io:commons-io from 2.15.0 to 2.15.1 (#​531) @​dependabot
• Bump commons-io:commons-io from 2.14.0 to 2.15.0 (#​526) @​dependabot

👻 Maintenance

• Execute download-licenses-proxy test at the end (#​545) @​slawekjaranowski
• Added extended-info and spreadsheet-report author to the contributor list (#​534) @​Master-Code-Programmer

🔧 Build

• Use Shared ASF Action from Release Drafter (#​544) @​slawekjaranowski

v2.3.0

Compare Source

🚀 New features and improvements

• #​519 minor updates to reduce verbosity of standard execution (#​520) @​d-ryan-ashcraft
• #​517: optionally support copyright values that only contain inception year rather than year range (#​518) @​d-ryan-ashcraft

🐛 Bug Fixes

• Fix #​508 - Avoid NPE in AggregatorAddThirdPartyMojo (#​512) @​slawekjaranowski

📦 Dependency updates

• Downgrade plexus-xml to version 3.0.0 (#​523) @​slawekjaranowski
• Bump org.codehaus.mojo:mojo-parent from 76 to 77 (#​516) @​dependabot
• Bump commons-io:commons-io from 2.13.0 to 2.14.0 (#​515) @​dependabot
• Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.13.0 (#​514) @​dependabot
• Bump plexus-xml from 4.0.1 to 4.0.2 (#​510) @​dependabot

👻 Maintenance

• Build improvements - one profile for ITs (#​525) @​slawekjaranowski
• Cleanups in FileUtil - direct use methods from NIO (#​513) @​slawekjaranowski

v2.2.0

Compare Source

🚀 New features and improvements

• Switch components to JSR-330, Require JDK 1.8 (#​501) @​slawekjaranowski
• Log message about skip due to packaging in info level (#​499) @​slawekjaranowski

🐛 Bug Fixes

• Fix #​358, #​352 NPE on site generation caused by null returned by deprecated MavenProject.getDependencyArtifacts() (#​373) @​tomred-net
• Fix #​413 Use 'GAV' for result keys in LicensedArtifactResolver (#​414) @​attilapuskas
• Fix #​498 add-third-party should not override third-party file with the same content (#​500) @​slawekjaranowski
• Fix #​351 License override does not work for third-party dependencies with multiple licenses (#​374) @​lama0206
• Fixed '[WARNING] There were 0 download errors - check the warnings above to not log warning unless download errors > 0 (#​402) @​blekinge

📦 Dependency updates

• Bump mojo-parent from 75 to 76 (#​504) @​dependabot
• Bump json from 2007082 to 2023022 in /src/it/add-third-party-missing-file (#​460) @​dependabot
• Bump plexus-xml from 4.0.0 to 4.0.1 (#​496) @​dependabot
• Bump commons-io from 2.12.0 to 2.13.0 (#​493) @​dependabot

👻 Maintenance

• Use project.version instead of pom.version in ITs (#​507) @​slawekjaranowski
• Use JDK 1.8 in ITs - allow build on JDK 20 (#​506) @​slawekjaranowski
• Enable spotless for automatic code formatting (#​505) @​slawekjaranowski
• Add LICENSE.txt file (#​503) @​slawekjaranowski
• Fix formatting in example-thirdparty document (#​502) @​slawekjaranowski

v2.1.0

Compare Source

🚀 New features and improvements

• Fix #​379 allow users to customize the copyright string format (#​380) @​davenice
• Update GPL licenses (#​362) @​camlloyd
• Recognize classpath protocol as external (#​486) @​slawekjaranowski

🐛 Bug Fixes

• fix #​361 - sortArtifactByName: artifacts with the same name are lost (#​363) @​lrozenblyum
• Fix #​354 Make artifact cache safe for concurrent access (#​355) @​Stephan202
• Fix cookie header warning (#​472) @​danHayworth

📦 Dependency updates

• Bump maven-reporting-impl from 3.0.0 to 3.2.0 (#​452) @​dependabot
• Bump maven-reporting-api from 3.0 to 3.1.1 (#​456) @​dependabot
• Bump plexus-utils from 3.5.1 to 4.0.0 (#​481) @​dependabot
• Bump mojo-parent from 74 to 75 (#​488) @​dependabot
• Bump plexus-container-default from 2.0.0 to 2.1.1 (#​487) @​dependabot
• Bump build-helper-maven-plugin from 1.10 to 3.4.0 (#​483) @​dependabot
• Bump slf4j-api from 1.7.26 to 1.7.36 (#​485) @​dependabot
• Bump doxia-site-renderer from 1.8.1 to 1.11.1 (#​482) @​dependabot
• Bump httpclient from 4.5.13 to 4.5.14 (#​478) @​dependabot
• Bump commons-io from 2.6 to 2.12.0 (#​477) @​dependabot
• Bump doxiaVersion from 1.8 to 1.12.0 (#​475) @​dependabot
• Bump commons-lang3 from 3.7 to 3.12.0 (#​467) @​dependabot
• Bump httpcore from 4.4.8 to 4.4.16 (#​473) @​dependabot
• Bump plexus-utils from 3.1.0 to 3.5.1 (#​469) @​dependabot
• Bump plexusComponentVersion from 1.7.1 to 2.1.1 (#​453) @​dependabot

👻 Maintenance

• Update plugins in ITs and cleanups (#​492) @​slawekjaranowski
• Use license plugin version from parent, update THIRD-PARTY.properties (#​491) @​slawekjaranowski
• fix copy&paste issue in property description (#​376) @​CCFenner
• Get rid of plexus-container-default from dependencies (#​490) @​slawekjaranowski
• Get rid of localRepository parameter (#​489) @​slawekjaranowski

🔧 Build

• Add release-drafter (#​484) @​slawekjaranowski

v2.0.1

What's Changed

• Fix #​228 Add .gitattributes by @​kingle in https://github.com/mojohaus/license-maven-plugin/pull/344
• Fix broken OpenJDK installation on TravisCI by @​ppalaga in https://github.com/mojohaus/license-maven-plugin/pull/349
• Fix #​139 - "Can't find license-maven-plugin" by @​AndyGee in https://github.com/mojohaus/license-maven-plugin/pull/348
• Update FreeMarker version to 2.3.31 by @​kyra-ohare in https://github.com/mojohaus/license-maven-plugin/pull/406
• Bump commons-collections from 3.2.1 to 3.2.2 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/377
• Bump junit from 4.8.1 to 4.13.1 in /src/it/aggregate-add-third-party-multimodule-filters/child2 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/394
• Bump junit from 4.8.2 to 4.13.1 in /src/it/MLICENSE-24 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/392
• Bump junit from 4.12 to 4.13.1 in /src/it/ISSUE-40 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/391
• Bump junit from 4.12 to 4.13.1 in /src/it/download-licenses-include-exclude-types by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/388
• Bump commons-beanutils from 1.9.3 to 1.9.4 in /src/it/download-licenses-file-names by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/422
• Bump junit from 4.8.1 to 4.13.1 in /src/it/aggregate-third-party-report/child2 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/421
• Bump junit from 4.8.1 to 4.13.1 in /src/it/aggregate-add-third-party-exclude-transitive-deps/child2 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/395
• Bump junit from 4.8.1 to 4.13.1 in /src/it/aggregate-add-third-party-simple/child2 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/390
• Bump junit from 4.8.2 to 4.13.1 in /src/it/add-third-party-excluded-included by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/389
• Bump junit from 4.12 to 4.13.1 in /src/it/download-licenses-basic by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/393
• Bump httpclient from 4.5.4 to 4.5.13 by @​dependabot in https://github.com/mojohaus/license-maven-plugin/pull/420
• Fix #​345 Only log override warning if licenseMerges provided. by @​tpage-alfresco in [htt

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box