From 7b32065ca04f9a281c25bd136ca2e4dc8b4d1f79 Mon Sep 17 00:00:00 2001
From: Tunahan Cicek <tunahan.cicek@de.bosch.com>
Date: Thu, 10 Oct 2024 15:53:58 +0200
Subject: [PATCH] Exclude exlcude com.google.protobuf lib  because of CVE
 https://avd.aquasec.com/nvd/2024/cve-2024-7254

---
 CHANGELOG.md |  3 ++-
 pom.xml      | 26 ++++++++++++++++++++------
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 732d902..56b1799 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,12 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## 0.5.0-RC1
+## 0.5.0-RC2
 ### Added
 ### fixed
 - Update spring framework to version 6.1.6
 - Update commons-io to version 2.17.0
 - Update lombock to version 1.18.34
+- exlcude com.google.protobuf lib because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-7254
 
 ## 0.4.0
 ### Added
diff --git a/pom.xml b/pom.xml
index 398e229..68e93d0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -155,11 +155,6 @@
 				<artifactId>vavr</artifactId>
 				<version>${vavr.version}</version>
 			</dependency>
-			<dependency>
-				<groupId>commons-io</groupId>
-				<artifactId>commons-io</artifactId>
-				<version>${commons-io.version}</version>
-			</dependency>
 			<dependency>
 				<groupId>com.google.code.findbugs</groupId>
 				<artifactId>jsr305</artifactId>
@@ -341,6 +336,18 @@
 				<groupId>org.eclipse.esmf</groupId>
 				<artifactId>esmf-aspect-model-aas-generator</artifactId>
 				<version>${samm.sdk.version}</version>
+				<exclusions>
+					<!-- excluded because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-47554/-->
+					<exclusion>
+						<groupId>commons-io</groupId>
+						<artifactId>commons-io</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+			<dependency>
+				<groupId>commons-io</groupId>
+				<artifactId>commons-io</artifactId>
+				<version>${commons-io.version}</version>
 			</dependency>
          <dependency>
             <groupId>org.apache.commons</groupId>
@@ -356,13 +363,20 @@
 				<groupId>org.apache.jena</groupId>
 				<artifactId>jena-arq</artifactId>
 				<version>${jena.version}</version>
+				<exclusions>
+					<!-- Exclusion of commons-fileupload is required because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-7254-->
+					<exclusion>
+						<groupId>com.google.protobuf</groupId>
+						<artifactId>protobuf-java</artifactId>
+					</exclusion>
+				</exclusions>
 			</dependency>
 			<dependency>
 				<groupId>org.apache.jena</groupId>
 				<artifactId>jena-fuseki-main</artifactId>
 				<version>${jena.version}</version>
 				<exclusions>
-					<!-- Exclusion of commons-fileupload is required because of CV https://avd.aquasec.com/nvd/2023/cve-2023-24998-->
+					<!-- Exclusion of commons-fileupload is required because of CVE https://avd.aquasec.com/nvd/2023/cve-2023-24998-->
 					<exclusion>
 						<groupId>commons-fileupload</groupId>
 						<artifactId>commons-fileupload</artifactId>