From 4101f7e39cbdcc508a936faf8b519e68258b9639 Mon Sep 17 00:00:00 2001
From: Naomi Dushay <ndushay@stanford.edu>
Date: Tue, 8 Aug 2017 16:08:43 -0700
Subject: [PATCH] use commons-collections v3.2.2 to avoid v3.2.1 vulnerability

---
 pom.xml | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/pom.xml b/pom.xml
index 23953c06..8373cdad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -72,7 +72,7 @@
       <artifactId>guava</artifactId>
       <version>17.0</version>
     </dependency>
-    
+
     <dependency>
       <groupId>org.json</groupId>
       <artifactId>json</artifactId>
@@ -89,12 +89,12 @@
       <artifactId>juniversalchardet</artifactId>
       <version>1.0.3</version>
     </dependency>
-    
+
     <dependency>
       <groupId>commons-httpclient</groupId>
       <artifactId>commons-httpclient</artifactId>
       <version>3.1</version>
-    </dependency>    
+    </dependency>
 
     <dependency>
       <groupId>org.apache.hadoop</groupId>
@@ -128,12 +128,12 @@
         <exclusion>
           <groupId>tomcat</groupId>
           <artifactId>jasper-compiler</artifactId>
-        </exclusion>                
+        </exclusion>
         <exclusion>
           <groupId>hsqldb</groupId>
           <artifactId>hsqldb</artifactId>
-        </exclusion>                
-      </exclusions> 
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -160,7 +160,7 @@
       <artifactId>libidn</artifactId>
       <version>1.15</version>
     </dependency>
-    <dependency>                        
+    <dependency>
       <groupId>it.unimi.dsi</groupId>
       <artifactId>dsiutils</artifactId>
       <version>2.0.12</version>
@@ -170,13 +170,26 @@
           <groupId>ch.qos.logback</groupId>
           <artifactId>logback-classic</artifactId>
         </exclusion>
+        <!-- exclude the vulnerable commons-collections v3.2.1 -->
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
+
+    <!-- explicitly require a patched commons-collections to avoid vulnerable v3.2.1 -->
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>3.2.2</version>
+    </dependency>
+
     <dependency>
         <groupId>org.apache.httpcomponents</groupId>
         <artifactId>httpcore</artifactId>
         <version>4.3</version>
-    </dependency>                       
+    </dependency>
     <dependency>
       <groupId>joda-time</groupId>
       <artifactId>joda-time</artifactId>