Fix GHSA-6fmv-xxpf-w3cw: pin plexus-utils 3.6.1 and suppress false positive

[timtebeek]

Summary

Addresses GHSA-6fmv-xxpf-w3cw (Zip Slip in plexus-utils Expand class).

• Move plexus-utils from a direct compile dependency to <dependencyManagement>, pinned at 3.6.1 which contains the fix. The only classes used (Xpp3Dom, MXSerializer) are already provided by the existing plexus-xml:4.1.1 dependency.
• Add a temporary OWASP dependency-check suppression (expires 2026-05-08) for CVE-2025-67030, since the advisory currently lists all versions below 4.0.3 as affected — a false positive for 3.6.1. A correction has been submitted to the advisory.

Test plan

• mvn compile passes
• All 15 tests pass

[Jenson3210]

Are we confident about this change? Shannon added this back. 3.6.1 is a backpatch which is not vulnerable but just not known by the vulnerability database.

Kevin mentioned maven3 is not compatible with 4.x

[timtebeek]

Was that not for a different vulnerability? Since this lists anything below 4.0.3 as vulnerable:

• GHSA-6fmv-xxpf-w3cw

My plan was to merge this and run the scan again to verify we don't pull in this version anymore transitively.

[Jenson3210]

AFAICS,

• Fix Zip Slip vulnerability in archive extraction codehaus-plexus/plexus-utils#296 was merged to resolve this one and is the reason that https://github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-3.6.1 was released

[timtebeek]

Hmm; thanks! So then the issue appears to be slightly different: 3.6.1 already contains the fix, and we should continue to have that here to override the 3.6.0 coming in transitively.

I've proposed an upstream fix as well then

• [GHSA-6fmv-xxpf-w3cw] Plexus-Utils has a Directory Traversal vulnerability in its extractFile method  github/advisory-database#7333

[timtebeek]

mvn dependency:tree now shows 3.6.1 as provided, instead of as bundled previously:

[INFO] +- org.apache.maven:maven-plugin-api:jar:3.9.14:provided
[INFO] |  +- org.apache.maven:maven-artifact:jar:3.9.14:provided
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:1.0.0:provided
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.6.1:provided
[INFO] |  \- org.codehaus.plexus:plexus-classworlds:jar:2.9.0:provided