Vulnerable dependency maven:commons-collections:commons-collections:3.2.2

[gronono]

Describe the bug
IntelliJ reports a transitive vulnerability for commons-collections:commons-collections:3.2.2

To Reproduce
Create a new Maven project and add the following dependency:

<dependency>
    <groupId>org.mnode.ical4j</groupId>
    <artifactId>ical4j</artifactId>
    <version>3.2.9</version>
</dependency>

Expected behavior
No vulnerability

Environment (please complete the following information):

• OS: Linux
• Java Version : temurin-17.0.6
• iCal4j Version: 3.2.9
• IntelliJ IDEA 2022.3.2 (Ultimate Edition)

Additional context
Artifact commons-collections:commons-collections has been replaced by org.apache.commons:commons-collections4

[benfortuna]

Thanks for the report, I had a look at the dependency tree and it appears to be a transitive dependency of commons-validator (we use v4.4 currently in iCal4j):

+--- commons-validator:commons-validator:1.7
|    +--- commons-beanutils:commons-beanutils:1.9.4
|    |    +--- commons-logging:commons-logging:1.2
|    |    \--- commons-collections:commons-collections:3.2.2
|    +--- commons-digester:commons-digester:2.1
|    +--- commons-logging:commons-logging:1.2
|    \--- commons-collections:commons-collections:3.2.2

I'll monitor if they are updating the project, but in the meantime you can try to exclude the transitive dependency at coordinates: commons-collections:commons-collections:3.2.2

You can follow the project here also if you want to submit a bug report:

https://github.com/apache/commons-validator