openrewrite / rewrite-testing-frameworks

OpenRewrite recipes that perform common Java testing migration tasks.
Apache License 2.0

CVE-2023-44487: Replace com.github.tomakehurst:wiremock* with org.wiremock:wiremock* #427

Open yeikel opened 10 months ago

yeikel commented 10 months ago

What problem are you trying to solve?

Starting with wiremock 3.x, the coordinates of the dependency changed

From


<dependency>
    <groupId>com.github.tomakehurst</groupId>
    <artifactId>wiremock-jre8</artifactId>
</dependency>

To:

<dependency>
    <groupId>org.wiremock</groupId>
    <artifactId>wiremock</artifactId>
</dependency>

Using 2.x versions puts teams at risk such as CVE-2023-44487

Sample diff:


diff --git a/pom.xml b/pom.xml
         <!--Testing framework to allow for mocking external service calls-->
         <dependency>
-            <groupId>com.github.tomakehurst</groupId>
-            <artifactId>wiremock-jre8</artifactId>
-            <version>2.35.1</version>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>3.3.1</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
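Review bot: the version line in this hunk jumps from 2.35.1 to 3.3.1 in the same change as the groupId/artifactId swap, and that is a major-version upgrade; since the issue text itself says 3.x has breaking changes, the test sources should be compiled and run against the new artifact before this diff is taken as a drop-in replacement, rather than treating it as a pure coordinate rename. Note also that `<scope>test</scope>` is unchanged, so the affected artifact only ever sits on the test classpath; that confines the CVE-2023-44487 exposure to test execution rather than shipped code, which is worth recording when prioritising the migration across many repositories.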

In my case, changing the coordinates was enough, but there are some breaking changes we need to be aware of as well. See the release notes for more details.

Describe the solution you'd like

  1. Replace the coordinates
  2. Migrate deprecated APIs

Additional context

Relevant:

https://www.cve.org/CVERecord?id=CVE-2023-44487
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

https://github.com/openrewrite/rewrite-java-dependencies/issues/58
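Step 1 of the requested solution can be expressed as a declarative OpenRewrite recipe. The YAML below is an added example, not code from this thread or from rewrite-testing-frameworks; it assumes the `org.openrewrite.java.dependencies.ChangeDependency` recipe from rewrite-java-dependencies (the sibling project linked above) with its documented option names, which handles both Maven pom.xml and Gradle build files in one pass. The `wiremock-jre8` to `wiremock` mapping is the one shown in the issue; the standalone pair is an assumed second entry that follows the same rename, and the recipe name and version selector are placeholders chosen for the example. Step 2 (deprecated APIs) is left for a separate recipe.

```yaml
# Added example recipe (not part of rewrite-testing-frameworks):
# swaps the pre-3.x WireMock coordinates for the org.wiremock ones.
type: specs.openrewrite.org/v1beta/recipe
name: com.example.wiremock.MigrateWireMockCoordinates   # placeholder recipe name
displayName: Migrate WireMock 2.x coordinates to org.wiremock 3.x
description: >-
  Replaces com.github.tomakehurst:wiremock* dependencies with the
  org.wiremock:wiremock* coordinates used from WireMock 3.x onwards,
  so that builds stop pulling the 2.x line affected by CVE-2023-44487.
recipeList:
  # Pair shown in the issue: wiremock-jre8 -> wiremock
  - org.openrewrite.java.dependencies.ChangeDependency:
      oldGroupId: com.github.tomakehurst
      oldArtifactId: wiremock-jre8
      newGroupId: org.wiremock
      newArtifactId: wiremock
      newVersion: 3.x          # latest 3.x release resolvable at run time
  # Assumed second pair: the standalone (shaded) artifact follows the same rename
  - org.openrewrite.java.dependencies.ChangeDependency:
      oldGroupId: com.github.tomakehurst
      oldArtifactId: wiremock-jre8-standalone
      newGroupId: org.wiremock
      newArtifactId: wiremock-standalone
      newVersion: 3.x
```

Placing this file under `META-INF/rewrite/` in a recipe module, or passing it to the Maven/Gradle rewrite plugin as an active recipe, rewrites the `<dependency>` block exactly as the sample diff in the issue shows while keeping `<scope>test</scope>` intact. Because `ChangeDependency` only touches the coordinates, a separate recipe is still needed for the deprecated-API migration that step 2 asks for, and a compile of the test sources after the run is the quickest check that the 3.x breaking changes did not land in the project.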

timtebeek commented 10 months ago

@oleg-nenashev would you want to take this on together? I think we can reuse quite some existing components to help folks migrate, and would be good to have you involved.

timtebeek commented 8 months ago

Can at least be surfaced with the recipe introduced in this PR.