Check if we can get rid of some components with vulnerabilities

[dhuebner]

When releasing to maven central a security report is created. I will post a report link here, but I do not know how long it will remain available.

https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-7c5cd3c324b3e8-1709210263-9c8c29739af94ba6940236bcf4b9429f

Here are the top two candidates, both transitive (probably Xtext): pkg:maven/log4j/log4j@1.2.17

• [CVE-2019-17571] CWE-502: Deserialization of Untrusted Data
• [CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• [CVE-2022-23302] CWE-502: Deserialization of Untrusted Data
• [CVE-2022-23307] CWE-502: Deserialization of Untrusted Data
• [CVE-2021-4104] CWE-502: Deserialization of Untrusted Data
• [CVE-2023-26464] CWE-502: Deserialization of Untrusted Data

pkg:maven/com.google.guava/guava@31.0.1-jre

• [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
• [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions