review dependencies

[bigerl]

We should look for replacements for the following libraries:

• com.googlecode.json-simple:
  • not updated since 2012, see https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple
  • CVE-2020-15250 5.5 Transitive Incorrect Permission Assignment for Critical Resource vulnerability with Medium severity found

Upgrade the following:

• org.codehaus.mojo:exec-maven-plugin 1.6.0
  • not updated since 2017, migrate to recent 3.4.1
• jena 4.2 -> 5.1
• com.fasterxml.jackson.* 2.12.5 -> 2.17.2

update as soon as patches are available:

• org.apache.hbase 2.6.0
  • CVE-2023-2976 7.1 Transitive Files or Directories Accessible to External Parties vulnerability with High severity found
  • CVE-2018-10237 5.9 Transitive Allocation of Resources Without Limits or Throttling vulnerability with Medium severity found
  • CVE-2020-8908 3.3 Transitive Incorrect Permission Assignment for Critical Resource vulnerability with Low severity found
• com.opencsv 5.9
  • Cx78f40514-81ff 7.5 Transitive Uncontrolled Recursion vulnerability with High severity found
• org.apache.jena:jena-core (through transitive dependencies)
  • CVE-2024-26308 7.5 Transitive Allocation of Resources Without Limits or Throttling vulnerability with High severity found
  • CVE-2024-25710 5.5 Transitive Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found

[bigerl]

please continue here: https://github.com/dice-group/IGUANA/tree/fix/update-dependencies

[nck-mlcnv]

We're not using apache hbase I think, we're only using their implementation of the ByteArrayInputStream

[nck-mlcnv]

The transitive vulnerability of opencsv isn't relevant either: https://sourceforge.net/p/opencsv/patches/65/