Update Maven resources plugin & Apache Commons CLI to address CVE-2024-47554

[Flern]

Expected Behavior

Security scans pass when including dapr 1.13.1 SDK in Java CI builds.

Actual Behavior

CVE-2024-47554 vulnerability is reported due to inclusion of commons-io version 2.11.0 in the maven-resources-plugin 3.3.0 and commons-cli 1.4 libraries.

Steps to Reproduce the Problem

Build with dapr 1.13.1 and scan for CVE vulnerabilities.

Required update

Update maven-resources-plugin to version 3.3.1 and commons-cli to 1.9.0. I found the issue in sdk/pom.xml but the plugin and commons-cli reference could be in other pom.xml files as well. I did not perform an exhaustive search.

Release Note

RELEASE NOTE: UPDATE Resolves CVE-2024-47554 in Apache dependencies

[salaboy]

As mentioned here, the CVE comes as part of the org.apache.maven.plugins:maven-resources-plugin:maven-plugin:3.3.1 artifact. This maven plugin is used to filter resources to build and construct the SDK packages, but not as part of the SDK itself.

[salaboy]

Ok, after more investigation we are doing this -> https://github.com/dapr/java-sdk/blob/master/sdk/pom.xml#L35C7-L35C32
I need to find the reason behind this to define if we really need this dependency here or if we can upgrade it.

[salaboy]

I couldn't make it fail by removing that dependency locally so testing with integration tests: #1193

[salaboy]

@artursouza @cicoyle this should be closed as we did this already