From 33a29b5afe3812fa4f79cfcd2f1cff5c7d2f2031 Mon Sep 17 00:00:00 2001
From: Lukas Eder <lukas.eder@gmail.com>
Date: Fri, 17 Sep 2021 14:30:42 +0200
Subject: [PATCH] [jOOQ/jOOQ#12434] CVE-2021-26291 via maven-core-3.6.3
 dependency

---
 jOOQ-codegen-maven/pom.xml | 16 +++++++++++++-
 pom.xml                    | 45 +++++++++++++++++++++++++++++++++++---
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/jOOQ-codegen-maven/pom.xml b/jOOQ-codegen-maven/pom.xml
index 6094074080..34090b036b 100644
--- a/jOOQ-codegen-maven/pom.xml
+++ b/jOOQ-codegen-maven/pom.xml
@@ -30,8 +30,22 @@
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                
+                    <!-- [#12434] These two dependencies are outdated transitive dependencies from
+                                  maven-core:3.8.2, which we can't update easily without risking to break
+                                  maven stuff -->
+                    <excludes>
+                        <exclude>commons-io:commons-io:jar:2.6</exclude>
+                        <exclude>com.google.guava:guava:jar:25.1-android</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
 
-            <!-- More details about this plugin can be found here:
+            <!-- More details about this plugin can be found here:PatternExcludesArtifactFilter
                  http://maven.apache.org/plugin-tools/maven-plugin-plugin/examples/using-annotations.html
               -->
 
diff --git a/pom.xml b/pom.xml
index 75a66f645a..059ead10ba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -60,6 +60,7 @@
         <spring.version>5.3.7</spring.version>
         <spring.boot.version>2.4.0</spring.boot.version>
         <errorprone.version>2.3.4</errorprone.version>
+        <errorprone.version>2.9.0</errorprone.version>
         <testcontainers.version>1.16.0</testcontainers.version>
     </properties>
 
@@ -518,12 +519,12 @@
             <dependency>
                 <groupId>org.apache.maven</groupId>
                 <artifactId>maven-plugin-api</artifactId>
-                <version>3.6.3</version>
+                <version>3.8.2</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.maven</groupId>
                 <artifactId>maven-core</artifactId>
-                <version>3.6.3</version>
+                <version>3.8.2</version>
 
                 <!-- junit 4.8.2 sneaking in here -->
                 <exclusions>
@@ -536,7 +537,7 @@
             <dependency>
                 <groupId>org.apache.maven.plugin-tools</groupId>
                 <artifactId>maven-plugin-annotations</artifactId>
-                <version>3.6.0</version>
+                <version>3.6.1</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
@@ -768,6 +769,16 @@
                     <artifactId>jooq-codegen-maven</artifactId>
                     <version>${project.version}</version>
                 </plugin>
+
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>6.3.1</version>
+                    <configuration>
+                        <failBuildOnCVSS>0</failBuildOnCVSS>
+                        <skipTestScope>true</skipTestScope>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
 
@@ -844,6 +855,34 @@
     </modules>
 
     <profiles>
+        <profile>
+            <id>owasp-check</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+
+            <reporting>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                    </plugin>
+                </plugins>
+            </reporting>
+        </profile>
+
         <profile>
             <id>default</id>
             <activation>