Merge pull request #11 from rundeck-plugins/cve-updates

CVE Fixes

Author: fdevans

build.gradle

@@ -20,6 +20,16 @@ repositories {
     maven { url "https://repo.grails.org/grails/core" }
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Force secure versions to override vulnerable transitive dependencies
+        force libs.commonsIo.get()
+        force libs.commonsText.get()
+        force libs.commonsLang3.get()
+        force libs.junitOverride.get()
+    }
+}
+
 sourceCompatibility = 11
 targetCompatibility = 11
 
@@ -133,7 +143,11 @@ project.pluginZip.dependsOn assetCompile
 project.pluginZip.mustRunAfter assetCompile
 
 dependencies {
-    implementation libs.sassAssetPipeline
+    implementation(libs.sassAssetPipeline) {
+        // Exclude problematic dependencies that cannot be safely upgraded
+        exclude group: 'org.sharegov', module: 'mjson'
+        exclude group: 'org.mozilla', module: 'rhino'
+    }
 }
 
 artifacts {

gradle/libs.versions.toml

@@ -3,9 +3,21 @@ asset-pipeline = "3.4.0"
 sass-asset-pipeline = "3.4.0"
 axion-release = "1.18.12"
 
+# Security override versions
+commons-io = "2.15.0"
+commons-text = "1.12.0"
+commons-lang3 = "3.18.0"
+junit = "4.13.2"
+
 [libraries]
 assetPipeline = { module = "com.bertramlabs.plugins:asset-pipeline-gradle", version.ref = "asset-pipeline" }
 sassAssetPipeline = { module = "com.bertramlabs.plugins:sass-asset-pipeline", version.ref = "sass-asset-pipeline" }
 
+# Security override libraries
+commonsIo = { module = "commons-io:commons-io", version.ref = "commons-io" }
+commonsText = { module = "org.apache.commons:commons-text", version.ref = "commons-text" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commons-lang3" }
+junitOverride = { module = "junit:junit", version.ref = "junit" }
+
 [plugins]
 axionRelease = { id = "pl.allegro.tech.build.axion-release", version.ref = "axion-release" }