From f7a1fda9f24c1265487f381655063544bbf75dfd Mon Sep 17 00:00:00 2001
From: Yeser Amer <yamer@redhat.com>
Date: Wed, 20 Nov 2024 20:02:07 +0100
Subject: [PATCH] Explicitly declaring xstream to override a transitively
 imported version affected by CVE  (#3785)

* exclude_xstream

* Updated comment

* change

* change

* change

* change
---
 kogito-build/kogito-dependencies-bom/pom.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kogito-build/kogito-dependencies-bom/pom.xml b/kogito-build/kogito-dependencies-bom/pom.xml
index 6e3de9522a3..9d4c812444c 100644
--- a/kogito-build/kogito-dependencies-bom/pom.xml
+++ b/kogito-build/kogito-dependencies-bom/pom.xml
@@ -155,6 +155,9 @@
     <version.com.google.collections>1.0</version.com.google.collections>
     <version.com.google.guava>33.0.0-jre</version.com.google.guava>
     <version.apache.commons.commons-compress>1.26.1</version.apache.commons.commons-compress>
+    <!-- Temporary declaring xstream dependency, a version (1.4.20) is transitively imported by Quarkus 3.8 affected by CVE
+     When upgrading Quarkus (> 3.15.x) to a new version, please evaluate if this exclusion can be removed   -->
+    <version.com.thoughtworks.xstream>1.4.21</version.com.thoughtworks.xstream>
   </properties>
 
   <dependencyManagement>
@@ -451,6 +454,14 @@
         <version>${version.jakarta.persistence-api}</version>
       </dependency>
 
+      <!-- Temporary declaring xstream dependency, a version (1.4.20) is transitively imported by Quarkus 3.8 affected by CVE
+           When upgrading Quarkus (> 3.15.x) to a new version, please evaluate if this exclusion can be removed   -->
+      <dependency>
+        <groupId>com.thoughtworks.xstream</groupId>
+        <artifactId>xstream</artifactId>
+        <version>${version.com.thoughtworks.xstream}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.junit.jupiter</groupId>
         <artifactId>junit-jupiter-api</artifactId>