andyczy / czy-study-java-commons-utils

Java utility classes: Excel import/export, time handling, file upload and similar helpers

Dependency org.apache.poi:poi-ooxml, leading to CVE problem #18

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in czy-study-java-commons-utils-master/java-8, there is a dependency org.apache.poi:poi-ooxml:4.0.1 that calls the risk method.

CVE-2019-12415

The affected version range of this CVE is [,4.1.0)

After further analysis, in this project, the main Api called is <org.apache.poi.xssf.streaming.SheetDataWriter: void writeCell(int,org.apache.poi.ss.usermodel.Cell)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 8

<org.apache.poi.xssf.streaming.SheetDataWriter: void writeCell(int,org.apache.poi.ss.usermodel.Cell)>
at <org.apache.poi.xssf.streaming.SheetDataWriter: void writeRow(int,org.apache.poi.xssf.streaming.SXSSFRow)> (org.apache.poi.xssf.streaming.SheetDataWriter.java:[207]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: void flushOneRow()> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[1876]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: void flushRows(int)> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[1851]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: org.apache.poi.xssf.streaming.SXSSFRow createRow(int)> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[146]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <com.github.andyczy.java.excel.CommonsUtils: void setDataList(org.apache.poi.xssf.streaming.SXSSFWorkbook,org.apache.poi.xssf.streaming.SXSSFRow,java.util.List,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.lang.String[],java.lang.String[],java.util.HashMap,java.util.HashMap,java.util.HashMap)> (com.github.andyczy.java.excel.CommonsUtils.java:[70, 104]) in /.m2/repository/com/github/andyczy/java-excel-utils/4.0/java-excel-utils-4.0.jar
at <com.github.andyczy.java.excel.LocalExcelUtils: java.lang.Boolean localNoResponse()> (com.github.andyczy.java.excel.LocalExcelUtils.java:[118]) in /.m2/repository/com/github/andyczy/java-excel-utils/4.0/java-excel-utils-4.0.jar
at <excelUtils.ExcelUtilsTest: void main(java.lang.String[])> (excelUtils.ExcelUtilsTest.java:[59]) in /detect/unzip/czy-study-java-commons-utils-master/java-8/target/classes

Dependency tree--

[INFO] czy.java.cn:java-8:jar:1.0-SNAPSHOT
[INFO] +- com.github.andyczy:java-excel-utils:jar:4.0:compile
[INFO] |  +- org.apache.poi:poi:jar:4.0.1:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.11:compile
[INFO] |  |  +- org.apache.commons:commons-collections4:jar:4.2:compile
[INFO] |  |  \- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] |  +- org.apache.poi:poi-ooxml:jar:4.0.1:compile
[INFO] |  |  +- org.apache.poi:poi-ooxml-schemas:jar:4.0.1:compile
[INFO] |  |  |  \- org.apache.xmlbeans:xmlbeans:jar:3.0.2:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  |  \- com.github.virtuald:curvesapi:jar:1.05:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
[INFO] \- junit:junit:jar:4.12:compile
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:compile

Suggested solutions:

Update dependency version

Thank you very much.
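As an added example (not part of the issue report or the project's own code), the following Python script parses `mvn dependency:tree` output like the tree quoted above and flags any org.apache.poi:poi-ooxml coordinate that falls inside the affected range [,4.1.0) stated in the report. The advisory table and the trimmed tree text are constructed from this report; running it against a project's real tree output is the same call.

```python
import re

# Constructed sample input: the dependency tree quoted in the issue, trimmed
# to the branch that carries poi-ooxml.
DEP_TREE = """\
[INFO] czy.java.cn:java-8:jar:1.0-SNAPSHOT
[INFO] +- com.github.andyczy:java-excel-utils:jar:4.0:compile
[INFO] |  +- org.apache.poi:poi:jar:4.0.1:compile
[INFO] |  +- org.apache.poi:poi-ooxml:jar:4.0.1:compile
[INFO] |  |  +- org.apache.poi:poi-ooxml-schemas:jar:4.0.1:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
"""

# Affected range from the report: [,4.1.0), i.e. every version below 4.1.0.
# Keyed by groupId:artifactId -> (advisory id, first fixed version).
ADVISORIES = {
    "org.apache.poi:poi-ooxml": ("CVE-2019-12415", "4.1.0"),
}

SCOPES = {"compile", "test", "provided", "runtime", "system", "import"}

# "[INFO] |  +- group:artifact:packaging[:classifier]:version[:scope]"
_LINE = re.compile(
    r"^\[INFO\]\s*(?:[|\s]*[+\\]-\s)?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<rest>\S+)$"
)


def parse_version(v):
    """'4.0.1' -> (4, 0, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    nums = [int(p) if p.isdigit() else 0 for p in v.split("-", 1)[0].split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_tree(text):
    """Yield (groupId:artifactId, version) for every coordinate line in the tree."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(":")
        if parts[-1] in SCOPES:   # strip the trailing scope if present
            parts.pop()
        yield f"{m.group('group')}:{m.group('artifact')}", parts[-1]


def find_affected(text, advisories=ADVISORIES):
    """Return [(ga, version, cve, fixed_in)] for each coordinate below its fix version."""
    hits = []
    for ga, version in parse_tree(text):
        if ga in advisories:
            cve, fixed_in = advisories[ga]
            if parse_version(version) < parse_version(fixed_in):
                hits.append((ga, version, cve, fixed_in))
    return hits


if __name__ == "__main__":
    for ga, version, cve, fixed_in in find_affected(DEP_TREE):
        print(f"{ga}:{version} is affected by {cve}; upgrade to >= {fixed_in}")
```

Because poi-ooxml arrives transitively through java-excel-utils here, the upgrade has to be forced in the consuming project's own dependency management rather than only bumped upstream.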

CVEDetect commented 3 years ago

@andyczy Could you please help me check this issue? May I open a pull request to fix it? Thanks again.