SHIBUI-2264

Closed vulnerability from common-collections v3.x by upgrading to v4.3

backend/build.gradle

@@ -205,7 +205,11 @@ dependencies {
     integrationTestCompile 'org.springframework.security:spring-security-test:5.6.3'
 
     // CSV file support
-    compile 'com.opencsv:opencsv:4.4'
+    compile 'com.opencsv:opencsv:4.4', {
+        exclude group: 'commons-collections'
+    }
+
+    compile 'org.apache.commons:commons-collections4:4.3'
 
     // Envers for persistent entities versioning
     compile 'org.hibernate:hibernate-envers'

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy

@@ -32,7 +32,7 @@ import groovy.util.logging.Slf4j
 import groovy.xml.DOMBuilder
 import groovy.xml.MarkupBuilder
 import net.shibboleth.utilities.java.support.scripting.EvaluableScript
-import org.apache.commons.collections.CollectionUtils
+import org.apache.commons.collections4.CollectionUtils
 import org.opensaml.saml.common.profile.logic.EntityIdPredicate
 import org.opensaml.saml.metadata.resolver.MetadataResolver
 import org.opensaml.saml.metadata.resolver.filter.MetadataFilter

pac4j-module/build.gradle

@@ -40,7 +40,9 @@ dependencies {
     compile 'org.pac4j:pac4j-saml:5.4.3', {
         // opensaml libraries are provided
         exclude group: 'org.opensaml'
+        exclude group: 'commons-collections'
     }
+    compile 'org.apache.commons:commons-collections4:4.3'
 
     testCompile project(':backend')
     testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7'