[CVEs] Critical and High CEVs reported on PMD dependencies

[shenqinb-star]

Affects PMD Version:
7.0.0-rc3

Description:

Hi PMD team, We scanned PMD source code with Mend - https://www.mend.io/, it reported 2 critical and 1 high CVEs:
Vulnerable Library: scala-library-2.13.3.jar (/pmd-apex/pom.xml)
Dependency Hierarchy:

Severity: Critical
CVE Link: https://www.mend.io/vulnerability-database/CVE-2022-36944

Fixed Version
org.scala-lang:scala-library:2.13.9

---

Vulnerable Library: snakeyaml-1.33.jar (/pmd-doc/pom.xml)
Dependency Hierarchy:

Severity: Critical
CVE Link: https://www.mend.io/vulnerability-database/CVE-2022-1471

Fixed Version
2.0

---

Vulnerable Library: jcommander-1.48.jar (/pmd-doc/pom.xml)
Dependency Hierarchy:

Severity: High
CVE Link: Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.

Fixed Version
1.75

[jsotuyod]

scala-library was upgraded to 2.13.9 back in #4138 and then to 2.13.12 in #4696
jcommander has not been used in PMD 7, and is no longer shipped transitively either as the designer was updated in #4695
snakeyaml is not shipped with PMD, and is only used during local builds to load and update https://github.com/pmd/pmd/blob/master/docs/_data/sidebars/pmd_sidebar.yml based on existing languages and rulesets. Such usage is completely safe.