gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

Updating some components to fix identified vulnerable dependencies detected using grype. #1460

Closed fbacchella closed 9 months ago

fbacchella commented 9 months ago

Not all possible updates are applied, as some of them required API changes.

When running grype 0.71.0, it now returns:

NAME              INSTALLED              FIXED-IN              TYPE          VULNERABILITY        SEVERITY
httpclient        4.5.2                  4.5.13                java-archive  GHSA-7r82-7xv7-xcpj  Medium
jdom              1.0                                          java-archive  GHSA-2363-cqg2-863c  High
jsoup             1.14.2                 1.15.3                java-archive  GHSA-gp7f-rwcx-9369  Medium
org.eclipse.jgit  4.11.9.201909030838-r  6.6.1.202309021850-r  java-archive  GHSA-3p86-9955-h393  High
sshd-core         1.7.0                  2.9.2                 java-archive  GHSA-fhw8-8j55-vwgq  Critical
sshd-core         1.7.0                  2.10.0                java-archive  GHSA-mjmq-gwgm-5qhm  Medium
flaix commented 9 months ago

Ah, I see you had the same idea and also updated some dependencies. I have now merged my changes, as they went a little bit further. I did not update BouncyCastle since this is a case where there is an issue listed, but it exists in a component that is not in use in Gitblit, so it is not affected.

If you would like to still have BouncyCastle updated so it doesn't show up in a list, maybe you could rebase this PR on the current master. That should reduce the change to the BC update. If you have tested this to work well on your server, I am happy to merge it.

fbacchella commented 9 months ago

I didn’t know that there is an issue; it should be handled before the version update if you think so.

After your fix:

NAME              INSTALLED              FIXED-IN              TYPE          VULNERABILITY        SEVERITY 
bcprov-jdk15on    1.69                                         java-archive  GHSA-hr8g-6v94-x4m9  Medium    
httpclient        4.5.2                  4.5.13                java-archive  GHSA-7r82-7xv7-xcpj  Medium    
jdom              1.0                                          java-archive  GHSA-2363-cqg2-863c  High      
org.eclipse.jgit  4.11.9.201909030838-r  6.6.1.202309021850-r  java-archive  GHSA-3p86-9955-h393  High      
sshd-core         1.7.0                  2.9.2                 java-archive  GHSA-fhw8-8j55-vwgq  Critical  
sshd-core         1.7.0                  2.10.0                java-archive  GHSA-mjmq-gwgm-5qhm  Medium

There is only one critical vulnerability, and I’m afraid this one will be difficult to fix. I hope gitblit is not exposed. So my PR can be dropped.

flaix commented 9 months ago

No, I meant there is a CVE for BouncyCastle, but that is about a vulnerability. But that is only when you use BC with certificates stored in LDAP. Which Gitblit does not do, so this plays no role for Gitblit. Since BC is a vital component, updating it involves thorough testing. So I decided to skip this update.
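Added example, not code from this PR, from Gitblit, or from grype: a script that reads a grype JSON report and applies the triage the thread describes. The BouncyCastle advisory is recorded as a reviewed exception pinned to the exact package version (so it stops being suppressed the moment the version changes), every other finding stays visible sorted by severity, and a Critical finding fails the run. The JSON input is constructed from the identifiers in the tables above and trimmed to the fields of grype's `-o json` output that the script reads; the `ACCEPTED` list, `triage`, `stale_exceptions` and the exit policy are this example's own conventions, not grype's ignore-rule syntax.

```python
"""Triage a grype JSON report against a list of reviewed, documented exceptions.

Added example; not part of Gitblit, this PR, or grype. SAMPLE_REPORT is a constructed
stand-in for `grype <target> -o json`, reduced to the fields used here.
"""
import json
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1,
                 "Negligible": 0, "Unknown": 0}

# Constructed sample: the "after your fix" findings from the thread, in grype's JSON shape.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-hr8g-6v94-x4m9", "severity": "Medium",
                       "fix": {"versions": []}},
     "artifact": {"name": "bcprov-jdk15on", "version": "1.69", "type": "java-archive"}},
    {"vulnerability": {"id": "GHSA-7r82-7xv7-xcpj", "severity": "Medium",
                       "fix": {"versions": ["4.5.13"]}},
     "artifact": {"name": "httpclient", "version": "4.5.2", "type": "java-archive"}},
    {"vulnerability": {"id": "GHSA-fhw8-8j55-vwgq", "severity": "Critical",
                       "fix": {"versions": ["2.9.2"]}},
     "artifact": {"name": "sshd-core", "version": "1.7.0", "type": "java-archive"}},
    {"vulnerability": {"id": "GHSA-mjmq-gwgm-5qhm", "severity": "Medium",
                       "fix": {"versions": ["2.10.0"]}},
     "artifact": {"name": "sshd-core", "version": "1.7.0", "type": "java-archive"}},
]})

# Reviewed exceptions (hypothetical format for this example). Each entry pins the
# advisory to one package version and carries the written justification; the
# BouncyCastle entry records the reasoning given in the thread.
ACCEPTED = [
    {"vulnerability": "GHSA-hr8g-6v94-x4m9", "package": "bcprov-jdk15on", "version": "1.69",
     "justification": "affected code path (certificates stored in LDAP) is not used by Gitblit"},
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: Tuple[str, ...]


def parse_report(report_json: str) -> List[Finding]:
    """Extract one Finding per grype match (package, version, advisory, severity, fix)."""
    doc = json.loads(report_json)
    findings = []
    for m in doc.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        findings.append(Finding(a["name"], a["version"], v["id"],
                                v.get("severity", "Unknown"),
                                tuple(v.get("fix", {}).get("versions", []))))
    return findings


def _matches(entry: dict, f: Finding) -> bool:
    # An exception applies only to the exact advisory, package and version it was written for.
    return (entry["vulnerability"] == f.vuln_id and entry["package"] == f.package
            and entry["version"] == f.version)


def triage(findings: List[Finding], accepted: List[dict], fail_at: str = "Critical"):
    """Return (open findings sorted by severity, then name; findings at or above fail_at)."""
    open_findings = [f for f in findings if not any(_matches(e, f) for e in accepted)]
    open_findings.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.package, f.vuln_id))
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in open_findings if SEVERITY_RANK.get(f.severity, 0) >= threshold]
    return open_findings, blocking


def stale_exceptions(findings: List[Finding], accepted: List[dict]) -> List[dict]:
    """Exceptions that match nothing any more (package upgraded or advisory withdrawn);
    they should be deleted rather than silently carried forward."""
    return [e for e in accepted if not any(_matches(e, f) for f in findings)]


def format_table(findings: List[Finding]) -> str:
    """Render findings in the same column layout as grype's table output."""
    header = f"{'NAME':<18}{'INSTALLED':<12}{'FIXED-IN':<12}{'VULNERABILITY':<22}SEVERITY"
    rows = [f"{f.package:<18}{f.version:<12}{', '.join(f.fixed_in):<12}"
            f"{f.vuln_id:<22}{f.severity}" for f in findings]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    all_findings = parse_report(SAMPLE_REPORT)
    remaining, blocking = triage(all_findings, ACCEPTED)
    print(format_table(remaining))
    for stale in stale_exceptions(all_findings, ACCEPTED):
        print("stale exception, remove it:", stale["vulnerability"])
    raise SystemExit(1 if blocking else 0)
```

Run it against a real report with `grype path/to/gitblit -o json > report.json` and pass the file contents to `parse_report`. The point of pinning the exception to `1.69` is the caveat in the thread: the justification is about code that Gitblit does not call today, so once BC is bumped the suppression drops out and the advisory has to be re-reviewed instead of staying hidden.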