Upgrade commons-text-1.9.jar

[datenimperator]

Describe the bug
The VScode extension pivotal.vscode-spring-boot-1.40.0 includes the file language-server\BOOT-INF\lib\commons-text-1.9.jar. A critical security issue is reported as CVE-2022-42889 for this release. This error has been fixed in releases 1.10.0 and higher.

Please update the dependency to one not vulnerable.

To Reproduce

• Install the current extension "Pivotal Spring Boot Tools" on VScode.
• Inspect the contents of the path %HOME%\.vscode\extensions\pivotal.vscode-spring-boot-1.40.0\language-server\BOOT-INF\lib to find the vulnerable jar file.

[BoykoAlex]

@datenimperator @martinlippert we have switched to a snapshot of rewrite-maven library which was pulling commons-text-1.9. The snapshot is pulling 1.10 and there are releases since Rewrite 7.30.0 which are likely having commons-text-1.10 as well. If we are okay to wait for the next scheduled release of 1.41 for vscode extensions then I'd keep it opened until the release. Otherwise, if urgent release is required, I could try a later two minor version rewrite release which are very likely to pull commons-text-1.10

[BoykoAlex]

I find it unlikely that we'd be affected by CVE-2022-42889. The lib rewrite-maven only uses commons-text for org.apache.commons.text.StringEscapeUtils namely methods:

• escapeEcmaScript(String)
• escapeJava(String)
  From what I've gathered these methods don't use StringLookup. Therefore, I'd keep this opened until the next release when we switch to Rewrite release dependencies and double-check they use commons-text 1.10 and above

[martinlippert]

@datenimperator Please feel free to report the usage of the CVE-effected dependency to the rewrite-maven project as well. And thanks for reporting this here.

[datenimperator]

@BoykoAlex @martinlippert thx for responding so quickly, really appreciated. Personally, I do not assume that this is so much of an actual issue, given the way how the lib is used. But this warning comes up if your computer is scanned for vulnerabilities, and many organizations (like my employer) will perform such scans. I think its safe to assume that this warning has been seen already by lots of users. Once your PC has been on a "vulnerable computers" list for some days, it doesn't take too long until emails from top-execs come flying in...

So, for the sake of you helping me to get rid of our sec guy telling me to update, I eagerly await the next release :-)

[datenimperator]

Please feel free to report the usage of the CVE-effected dependency to the rewrite-maven project as well.

Done, see openrewrite/rewrite-maven-plugin#438

[martinlippert]

@datenimperator ETA for the next release is the week of Dec 7