DiUS / java-faker

Brings the popular ruby faker gem to Java
http://dius.github.io/java-faker

commons-validator pulls in vulnerable dependency #648

Open chriswininger opened 3 years ago

chriswininger commented 3 years ago

The dependency

        <dependency>
            <groupId></groupId>
            <artifactId>commons-validator</artifactId>
            <version>1.6</version>
            <scope>test</scope>
        </dependency>

pulls in what seems to be a vulnerable version of commons-beanutils as referenced here

Given that most folks use this library in tests only, the risk is probably low, but I figured I'd submit an official bug report. Also I'll submit a PR to patch it :-)

A minor version rev appears to be all that's in order. I hope this is helpful. Thx much for all your hard work!

To Reproduce

Tack in a scanner such as this and you'll see the report.

        <plugin>
            <groupId>org.sonatype.ossindex.maven</groupId>
            <artifactId>ossindex-maven-plugin</artifactId>
            <version>3.1.0</version>
            <executions>
                <execution>
                    <id>audit-dependencies</id>
                    <phase>validate</phase>
                    <goals>
                        <goal>audit</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>

This certainly could be a false positive. I didn't go so far as to verify the exploit; that's above my pay grade, but if not fixed it might show up in the build systems of other tools that consume this :-)

Expected behavior

There could be an attack vector here, but again I'm more just concerned with keeping people's build systems clear than verifying that.

Versions:

Additional context

I noticed a different vuln getting flagged by my build system, so I pulled down master to patch it. I discovered someone had kindly already patched the issue I was aiming to fix, which was with the version of snakeyaml, but found this in the process and figured I'd get out ahead of it :-)
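The issue above is a transitive-dependency problem: the flagged artifact is not declared in the POM at all, it arrives through commons-validator. A quick way to see that chain without a full scanner is to walk the text output of `mvn dependency:tree` and report which declared dependency introduced a watched artifact. The script below is an added example, not code from the java-faker project or from the issue author; the sample tree it embeds is constructed, and every version in it other than commons-validator 1.6 is a labelled placeholder rather than a value taken from the issue.

```python
"""Report watched artifacts in `mvn dependency:tree` output with the
dependency chain that pulled them in (added example, not project code)."""
import re

# Constructed sample of `mvn dependency:tree` text output. Only the
# commons-validator 1.6 coordinate comes from the issue; all other versions
# are placeholders, not real or reported values.
SAMPLE_TREE = """\
[INFO] com.github.javafaker:javafaker:jar:0-PLACEHOLDER
[INFO] +- org.yaml:snakeyaml:jar:0-PLACEHOLDER:compile
[INFO] +- commons-validator:commons-validator:jar:1.6:test
[INFO] |  +- commons-beanutils:commons-beanutils:jar:0-PLACEHOLDER:test
[INFO] |  |  \\- commons-collections:commons-collections:jar:0-PLACEHOLDER:test
[INFO] |  \\- commons-digester:commons-digester:jar:0-PLACEHOLDER:test
[INFO] \\- junit:junit:jar:0-PLACEHOLDER:test
"""

# One tree line: "[INFO] ", a drawing prefix made of "| ", "+- ", "\- " and
# spaces, then the Maven coordinate. Each tree level is three prefix chars.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$"
)


def parse_tree(tree_text):
    """Yield (depth, group, artifact, version, scope) for each tree line.

    Lines that are not part of the tree (plugin banners, blank lines) are
    skipped. The root project has depth 0 and no scope.
    """
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        group, artifact = parts[0], parts[1]
        if len(parts) == 6:  # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        else:  # group:artifact:type:version[:scope]
            version = parts[3]
            scope = parts[4] if len(parts) == 5 else None
        yield depth, group, artifact, version, scope


def find_flagged(tree_text, watch):
    """Return every artifact whose "group:artifact" is in `watch`.

    Each hit records the coordinate, its scope, whether it is a direct
    dependency, and the chain (root first) of dependencies that introduced
    it, which is what you need to decide where to pin or exclude it.
    """
    stack = []  # labels of the ancestors of the current line, root first
    hits = []
    for depth, group, artifact, version, scope in parse_tree(tree_text):
        label = f"{group}:{artifact}:{version}"
        del stack[depth:]  # drop siblings/descendants of the previous line
        stack.append(label)
        if f"{group}:{artifact}" in watch:
            hits.append({
                "coordinate": label,
                "scope": scope,
                "direct": depth == 1,
                "path": list(stack),
            })
    return hits


def format_report(hits):
    """Render hits as one line per watched artifact with its chain."""
    if not hits:
        return "no watched artifacts found"
    lines = []
    for h in hits:
        kind = "direct" if h["direct"] else "transitive"
        lines.append(f"{h['coordinate']} ({kind}, scope={h['scope']}): "
                     + " -> ".join(h["path"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage against a real project: `mvn dependency:tree > tree.txt` and
    # pass the file contents instead of SAMPLE_TREE.
    watched = {"commons-beanutils:commons-beanutils"}
    print(format_report(find_flagged(SAMPLE_TREE, watched)))
```

Because the chain is reported root first, the second element is the declared dependency whose version needs bumping (here commons-validator), which is the fix the issue proposes; the same walk works for any artifact a scanner flags, and the `scope` field lets you confirm the issue's observation that the exposure is test-only.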

chriswininger commented 3 years ago

Here is a pr bumping the version https://github.com/DiUS/java-faker/pull/649