EnMasseProject / enmasse

EnMasse - Self-service messaging on Kubernetes and OpenShift
https://enmasseproject.github.io
Apache License 2.0

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #5333

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, in /systemtests, there is a dependency org.apache.httpcomponents:httpclient:4.5.4 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 5

CVE Bug Invocation Path:
io.enmasse.systemtest.utils.TestUtils: runUntilPass(int,java.util.concurrent.Callable)Ljava.lang.Object; /.m2/repository/org/jboss/resteasy/resteasy-jackson2-provider/3.6.1.SP2/resteasy-jackson2-provider-3.6.1.SP2.jar
org.apache.http.impl.client.HttpRequestTaskCallable: call()Ljava.lang.Object; /.m2/repository/org/jboss/resteasy/resteasy-jackson2-provider/3.6.1.SP2/resteasy-jackson2-provider-3.6.1.SP2.jar
org.apache.http.impl.client.DecompressingHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)Ljava.lang.Object; /.m2/repository/org/jboss/resteasy/resteasy-jackson2-provider/3.6.1.SP2/resteasy-jackson2-provider-3.6.1.SP2.jar
org.apache.http.impl.client.DecompressingHttpClient: getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; /.m2/repository/org/jboss/resteasy/resteasy-jackson2-provider/3.6.1.SP2/resteasy-jackson2-provider-3.6.1.SP2.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] io.enmasse:systemtests:jar:0.34-SNAPSHOT
[INFO] +- org.keycloak:keycloak-admin-client:jar:4.8.3.Final:compile
[INFO] |  \- org.keycloak:keycloak-core:jar:4.8.3.Final:compile
[INFO] |     \- org.keycloak:keycloak-common:jar:4.8.3.Final:compile
[INFO] +- org.jboss.resteasy:resteasy-client:jar:3.6.1.SP2:compile
[INFO] |  +- org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.1_spec:jar:1.0.1.Final:compile
[INFO] |  +- org.jboss.resteasy:resteasy-jaxrs:jar:3.6.1.SP2:compile
[INFO] |  |  +- org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.3_spec:jar:1.0.0.Final:compile
[INFO] |  |  +- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  |  +- org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:jar:1.0.0.Final:compile
[INFO] |  |  +- javax.activation:activation:jar:1.1.1:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  \- javax.json.bind:javax.json.bind-api:jar:1.0:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.4:compile
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.4.7:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |     \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.jboss.resteasy:resteasy-jackson2-provider:jar:3.6.1.SP2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.11.3:compile
[INFO] |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.11.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.11.3:compile
[INFO] |  |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] |  |     \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] |  \- com.github.fge:json-patch:jar:1.9:compile
[INFO] |     \- com.github.fge:jackson-coreutils:jar:1.6:compile
[INFO] |        \- com.github.fge:msg-simple:jar:1.1:compile
[INFO] |           \- com.github.fge:btf:jar:1.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:runtime
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.3:runtime
[INFO] +- io.fabric8:openshift-client:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-client:jar:5.0.2:compile
[INFO] |  |  +- io.fabric8:kubernetes-model-node:jar:5.0.2:compile
[INFO] |  |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  +- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.2:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.3:compile
[INFO] |  |  +- io.fabric8:zjsonpatch:jar:0.3.0:compile
[INFO] |  |  \- com.github.mifmif:generex:jar:1.0.2:compile
[INFO] |  |     \- dk.brics.automaton:automaton:jar:1.11-8:compile
[INFO] |  +- io.fabric8:openshift-model:jar:5.0.2:compile
[INFO] |  |  \- io.fabric8:kubernetes-model-common:jar:5.0.2:compile
[INFO] |  +- io.fabric8:openshift-model-operator:jar:5.0.2:compile
[INFO] |  +- io.fabric8:openshift-model-operatorhub:jar:5.0.2:compile
[INFO] |  +- io.fabric8:openshift-model-monitoring:jar:5.0.2:compile
[INFO] |  \- io.fabric8:openshift-model-console:jar:5.0.2:compile
[INFO] +- io.fabric8:kubernetes-model:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-core:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-rbac:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-admissionregistration:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-apps:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-autoscaling:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-apiextensions:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-batch:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-certificates:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-coordination:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-discovery:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-events:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-extensions:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-networking:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-metrics:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-policy:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-scheduling:jar:5.0.2:compile
[INFO] |  +- io.fabric8:kubernetes-model-settings:jar:5.0.2:compile
[INFO] |  \- io.fabric8:kubernetes-model-storageclass:jar:5.0.2:compile
[INFO] +- io.vertx:vertx-proton:jar:3.9.0:compile
[INFO] |  \- io.vertx:vertx-core:jar:3.9.0:compile
[INFO] |     +- io.netty:netty-handler-proxy:jar:4.1.60.Final:compile
[INFO] |     |  \- io.netty:netty-codec-socks:jar:4.1.60.Final:compile
[INFO] |     +- io.netty:netty-codec-http2:jar:4.1.60.Final:compile
[INFO] |     +- io.netty:netty-resolver:jar:4.1.60.Final:compile
[INFO] |     \- io.netty:netty-resolver-dns:jar:4.1.60.Final:compile
[INFO] |        \- io.netty:netty-codec-dns:jar:4.1.60.Final:compile
[INFO] +- io.vertx:vertx-web-client:jar:3.9.0:compile
[INFO] |  \- io.vertx:vertx-web-common:jar:3.9.0:compile
[INFO] +- org.eclipse.paho:org.eclipse.paho.client.mqttv3:jar:1.2.1:compile
[INFO] +- org.apache.qpid:proton-j:jar:0.33.8:compile
[INFO] +- org.apache.qpid:qpid-jms-client:jar:0.56.0:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-jms_2.0_spec:jar:1.0-alpha-2:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.60.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.60.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.60.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.60.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.60.Final:compile
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.60.Final:compile
[INFO] |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.60.Final:compile
[INFO] |  \- io.netty:netty-codec-http:jar:4.1.60.Final:compile
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.5.2:compile
[INFO] |  +- org.apiguardian:apiguardian-api:jar:1.1.0:compile
[INFO] |  +- org.opentest4j:opentest4j:jar:1.2.0:compile
[INFO] |  \- org.junit.platform:junit-platform-commons:jar:1.5.2:compile
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.5.2:test
[INFO] |  \- org.junit.platform:junit-platform-engine:jar:1.5.2:compile
[INFO] +- org.junit.platform:junit-platform-launcher:jar:1.5.2:compile
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.5.2:test
[INFO] +- io.github.artsok:rerunner-jupiter:jar:2.1.3:test
[INFO] |  \- org.junit.platform:junit-platform-runner:jar:1.4.2:test
[INFO] |     +- junit:junit:jar:4.12:test
[INFO] |     |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |     \- org.junit.platform:junit-platform-suite-api:jar:1.4.2:test
[INFO] +- org.hdrhistogram:HdrHistogram:jar:2.1.4:compile
[INFO] +- org.seleniumhq.selenium:selenium-java:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-api:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-chrome-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-edge-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-firefox-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-ie-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-opera-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-remote-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-safari-driver:jar:3.141.59:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-support:jar:3.141.59:compile
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.8.15:compile
[INFO] |  +- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] |  +- com.google.guava:guava:jar:25.0-jre:compile
[INFO] |  \- com.squareup.okio:okio:jar:1.14.0:compile
[INFO] +- org.hamcrest:hamcrest:jar:2.2:compile
[INFO] +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] +- io.enmasse:api-model:jar:0.34-SNAPSHOT:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.0.20.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.3.4:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator-annotation-processor:jar:6.0.20.Final:compile
[INFO] |  +- org.jboss.spec.javax.el:jboss-el-api_3.0_spec:jar:1.0.13.Final:compile
[INFO] |  \- org.glassfish:javax.el:jar:3.0.1-b08:compile
[INFO] +- org.hawkular.agent:prometheus-scraper:jar:0.23.0.Final:compile
[INFO] |  \- io.prometheus.client:model:jar:0.0.2:compile
[INFO] |     \- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] +- org.apache.commons:commons-math3:jar:3.2:compile
[INFO] \- org.bouncycastle:bcpkix-jdk15on:jar:1.65:compile
[INFO]    \- org.bouncycastle:bcprov-jdk15on:jar:1.65:compile

Suggested solutions:

Update dependency version

Thank you very much.
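As an added check (not part of the issue or of the EnMasse project), a Python script that reads Maven dependency:tree output like the one above and flags any httpclient version inside the affected range [,4.5.13), comparing versions numerically so that 4.5.4 is correctly ordered below 4.5.13; the embedded tree lines are a constructed subset of those in the issue, and the range and version logic is a simplified form of Maven's own ordering.

```python
import re
# Constructed subset of the systemtests dependency tree quoted in the issue
TREE = """\
[INFO] +- org.jboss.resteasy:resteasy-client:jar:3.6.1.SP2:compile
[INFO] |  \\- org.apache.httpcomponents:httpclient:jar:4.5.4:compile
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.4.7:compile
"""
TARGET = "org.apache.httpcomponents:httpclient"
AFFECTED = "[,4.5.13)"   # Maven range notation as given in the issue: every version below 4.5.13

LINE_RE = re.compile(r"^\[INFO\]\s+[|+\\\- ]*(\S+)$")
SCOPES = {"compile", "test", "runtime", "provided", "system"}
RELEASE = {"", "final", "ga", "release"}   # qualifiers Maven treats as a plain release

def parse_tree_line(line):
    # Entries look like group:artifact:type[:classifier]:version[:scope]
    m = LINE_RE.match(line)
    parts = m.group(1).split(":") if m else []
    if parts and parts[-1] in SCOPES:
        parts.pop()
    return (parts[0], parts[1], parts[-1]) if len(parts) >= 4 else None

def version_key(v):
    # Simplified Maven ordering: integer segments (so 4.5.4 < 4.5.13), trailing zeros dropped,
    # and any non-release qualifier (SNAPSHOT, SP2, ...) ranks below the plain release
    nums, qual = [], []
    for tok in re.split(r"[.\-]", v):
        (nums if tok.isdigit() and not qual else qual).append(tok.lower())
    nums = [int(n) for n in nums]
    while nums and nums[-1] == 0:
        nums.pop()
    qual = [q for q in qual if q not in RELEASE]
    return (nums, not qual, qual)

def cmp_versions(a, b):
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

def in_range(version, spec):
    # Single Maven range such as [,4.5.13) or [4.0,4.5.13]; square brackets are inclusive
    lo, hi = spec[1:-1].split(",")
    lo_ok = not lo or cmp_versions(version, lo) >= (0 if spec[0] == "[" else 1)
    hi_ok = not hi or cmp_versions(version, hi) <= (0 if spec[-1] == "]" else -1)
    return lo_ok and hi_ok

def find_vulnerable(tree_text, target=TARGET, affected=AFFECTED):
    hits = []
    for line in tree_text.splitlines():
        parsed = parse_tree_line(line)
        if parsed and ":".join(parsed[:2]) == target and in_range(parsed[2], affected):
            hits.append(parsed[2])
    return hits
```

Pinning httpclient to 4.5.13 or later under dependencyManagement in the systemtests POM overrides the version resteasy-client pulls in transitively; re-running mvn dependency:tree afterwards should show no remaining hit.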