Update payload xsd dependency due to vulnerabilities

thburnett · thburnett · commit dcda6004d74d · 2025-12-09T15:16:45.000+01:00
diff --git a/ebms-payload/build.gradle.kts b/ebms-payload/build.gradle.kts
@@ -48,7 +48,6 @@ dependencies {
     implementation(libs.hoplite.core)
     implementation(libs.hoplite.hocon)
     implementation(libs.ebxml.protokoll)
-    implementation(libs.emottak.payload.xsd)
     implementation(libs.jakarta.xml.bind.api)
     implementation(libs.jaxb.runtime)
     implementation(libs.bundles.logging)
diff --git a/ebms-provider/build.gradle.kts b/ebms-provider/build.gradle.kts
@@ -69,7 +69,6 @@ dependencies {
     implementation("com.sun.xml.messaging.saaj:saaj-impl:3.0.2")
     implementation(libs.emottak.payload.xsd)
     implementation(libs.emottak.utils)
-    // implementation("org.glassfish.jaxb:jaxb-runtime:4.0.3") // TODO: Latest. Krever at protokoll oppdateres
     implementation(libs.ebxml.protokoll)
     implementation(libs.token.validation.ktor.v3)
 
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -70,7 +70,7 @@ dependencyResolutionManagement {
             library("jackson-dataformat-yaml", "com.fasterxml.jackson.dataformat", "jackson-dataformat-yaml").versionRef("fasterxml-jackson")
 
             library("ebxml-protokoll", "no.nav.emottak:ebxml-protokoll:0.0.7")
-            library("emottak-payload-xsd", "no.nav.emottak:emottak-payload-xsd:0.0.10")
+            library("emottak-payload-xsd", "no.nav.emottak:emottak-payload-xsd:0.0.11")
             library("emottak-utils", "no.nav.emottak", "emottak-utils").versionRef("emottak-utils")
             library("hikari", "com.zaxxer:HikariCP:5.0.1")
             library("labai-jsr305x-annotations", "com.github.labai:labai-jsr305x-annotations:0.0.2")
@@ -124,6 +124,22 @@ dependencyResolutionManagement {
 
     repositories {
         mavenCentral()
+        exclusiveContent {
+            // emottak-payload-xsd depends on org.apache.cxf:cxf-rt-ws-security:4.1.4 which depends on opensaml-saml-impl:5.1.6
+            // This is not available in maven central
+            forRepository {
+                maven {
+                    name = "Shibboleth"
+                    url = uri("https://build.shibboleth.net/maven/releases/")
+                }
+            }
+            filter {
+                // Only allow specific group/artifact from Shibboleth
+                includeGroup("org.opensaml")
+                includeGroup("net.shibboleth")
+                // Add more includeGroup or includeModule as needed
+            }
+        }
         maven {
             name = "Ebxml protokoll"
             url = uri("https://maven.pkg.github.com/navikt/ebxml-protokoll")
