[MNG-7513] Address commons-io_commons-io vulnerability found in maven…

… latest version

We can safely remove Commons IO altogether because in no direct or transtive
usecase it is used at compile time or runtime.

This closes apache#771

maven-core/pom.xml

@@ -160,6 +160,11 @@ under the License.
       <artifactId>commons-jxpath</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
@@ -175,6 +180,11 @@ under the License.
       <artifactId>xmlunit-assertj</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-params</artifactId>

maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java

@@ -20,23 +20,23 @@
  */
 
 import java.io.File;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.commons.io.FileUtils;
 import org.apache.maven.AbstractCoreMavenComponentTestCase;
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.model.Plugin;
 import org.apache.maven.model.building.FileModelSource;
 import org.apache.maven.model.building.ModelBuildingRequest;
 import org.apache.maven.model.building.ModelProblem;
 import org.apache.maven.model.building.ModelSource;
-import org.apache.maven.shared.utils.io.FileUtils;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 
 import static org.apache.maven.project.ProjectBuildingResultWithLocationMatcher.projectBuildingResultWithLocation;
 import static org.apache.maven.project.ProjectBuildingResultWithProblemMessageMatcher.projectBuildingResultWithProblemMessage;
@@ -166,35 +166,27 @@ public void testDontResolveDependencies()
     }
 
     @Test
-    public void testReadModifiedPoms() throws Exception {
+    public void testReadModifiedPoms( @TempDir Path tempDir ) throws Exception {
         // TODO a similar test should be created to test the dependency management (basically all usages
         // of DefaultModelBuilder.getCache() are affected by MNG-6530
 
-        Path tempDir = Files.createTempDirectory( null );
-        FileUtils.copyDirectoryStructure ( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
-        try
-        {
-            MavenSession mavenSession = createMavenSession( null );
-            ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
-            configuration.setRepositorySession( mavenSession.getRepositorySession() );
-            org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
-            File child = new File( tempDir.toFile(), "child/pom.xml" );
-            // build project once
-            projectBuilder.build( child, configuration );
-            // modify parent
-            File parent = new File( tempDir.toFile(), "pom.xml" );
-            String parentContent = FileUtils.fileRead( parent );
-            parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
-                     "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
-            FileUtils.fileWrite( parent, "UTF-8", parentContent );
-            // re-build pom with modified parent
-            ProjectBuildingResult result = projectBuilder.build( child, configuration );
-            assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
-        }
-        finally
-        {
-            FileUtils.deleteDirectory( tempDir.toFile() );
-        }
+        FileUtils.copyDirectory( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
+        MavenSession mavenSession = createMavenSession( null );
+        ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
+        configuration.setRepositorySession( mavenSession.getRepositorySession() );
+        org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
+        File child = new File( tempDir.toFile(), "child/pom.xml" );
+        // build project once
+        projectBuilder.build( child, configuration );
+        // modify parent
+        File parent = new File( tempDir.toFile(), "pom.xml" );
+        String parentContent = FileUtils.readFileToString( parent, "UTF-8" );
+        parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
+                 "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
+        FileUtils.write( parent, parentContent, "UTF-8" );
+        // re-build pom with modified parent
+        ProjectBuildingResult result = projectBuilder.build( child, configuration );
+        assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
     }
 
     @Test

maven-embedder/pom.xml

@@ -149,6 +149,11 @@ under the License.
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>

pom.xml

@@ -49,6 +49,7 @@ under the License.
     <javaVersion>8</javaVersion>
     <classWorldsVersion>2.6.0</classWorldsVersion>
     <commonsCliVersion>1.5.0</commonsCliVersion>
+    <commonsIoVersion>2.11.0</commonsIoVersion>
     <commonsLangVersion>3.12.0</commonsLangVersion>
     <junitVersion>5.8.1</junitVersion>
     <mockitoVersion>3.2.0</mockitoVersion>
@@ -300,6 +301,13 @@ under the License.
         <groupId>org.apache.maven.shared</groupId>
         <artifactId>maven-shared-utils</artifactId>
         <version>3.3.4</version>
+        <exclusions>
+          <!-- We use org.apache.maven.shared.utils.logging only in Maven Core -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.fusesource.jansi</groupId>
@@ -338,6 +346,13 @@ under the License.
         <groupId>org.apache.maven.wagon</groupId>
         <artifactId>wagon-http</artifactId>
         <version>${wagonVersion}</version>
+        <exclusions>
+          <!-- Not used at all -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <!--  Repository -->
       <dependency>
@@ -386,6 +401,11 @@ under the License.
         <artifactId>commons-cli</artifactId>
         <version>${commonsCliVersion}</version>
       </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commonsIoVersion}</version>
+      </dependency>
       <dependency>
         <groupId>commons-jxpath</groupId>
         <artifactId>commons-jxpath</artifactId>