Assorted dependency updates, cleanups, and dependency checker

aaime · aaime · commit ba7ae2c5ba2a · 2026-04-15T18:24:04.000+02:00
diff --git a/dependency-check-suppression.xml b/dependency-check-suppression.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[file name: opentelemetry-gcp-resources-1.37.0-alpha.jar taken for a Go implementation of the same library]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.contrib/opentelemetry-gcp-resources@.*$</packageUrl>
+      <cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[file name: opentelemetry-semconv-1.29.0-alpha.jar taken for a Go implementation of the same library]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.semconv/opentelemetry-semconv@.*$</packageUrl>
+      <cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
+   </suppress>
+</suppressions>
diff --git a/plugin/cog/cog-reader/pom.xml b/plugin/cog/cog-reader/pom.xml
@@ -56,12 +56,6 @@
       <artifactId>testcontainers-fake-gcs-server</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
-      <version>1.7.33</version>
-      <scope>runtime</scope>
-    </dependency>
   </dependencies>
 
   <build>
diff --git a/plugin/cog/cog-reader/src/test/resources/log4j.properties b/plugin/cog/cog-reader/src/test/resources/log4j.properties
diff --git a/plugin/cog/pom.xml b/plugin/cog/pom.xml
@@ -22,7 +22,7 @@
   </modules>
 
   <properties>
-    <cloud-dependencies-bom.version>1.0.1</cloud-dependencies-bom.version>
+    <cloud-dependencies-bom.version>1.0.2</cloud-dependencies-bom.version>
     <okhttp.version>5.3.2</okhttp.version>
     <ehcache.version>3.4.0</ehcache.version>
     <online.skip.pattern>**/*OnlineTest.java</online.skip.pattern>
diff --git a/pom.xml b/pom.xml
@@ -780,5 +780,33 @@
         </plugins>
       </build>
     </profile>
+    <!--
+       Dependency vulnerability checks. Run with:
+       mvnd initialize dependency-check:aggregate -Dall -Pdependencycheck -nsu -fae -DnvdApiKey=<your nvd api key>
+    -->
+    <profile>
+      <id>dependencycheck</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>12.2.0</version>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>aggregate</goal>
+                </goals>
+              </execution>
+            </executions>
+            <configuration>
+              <failBuildOnCVSS>7</failBuildOnCVSS>
+              <suppressionFile>dependency-check-suppression.xml</suppressionFile>
+              <format>ALL</format>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>
diff --git a/release/pom.xml b/release/pom.xml
@@ -134,16 +134,6 @@
       <artifactId>imageio-ext-kakadu</artifactId>
       <version>${project.version}</version>
     </dependency>
-    <dependency>
-      <groupId>it.geosolutions.imageio-ext</groupId>
-      <artifactId>imageio-ext-grib1</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>it.geosolutions.imageio-ext</groupId>
-      <artifactId>imageio-ext-hdf4</artifactId>
-      <version>${project.version}</version>
-    </dependency>
     <dependency>
       <groupId>it.geosolutions.imageio-ext</groupId>
       <artifactId>imageio-ext-turbojpeg</artifactId>
