Security vulnerabilities in old jars #7

@stuzart

Description

Hi @binfalse, hope you are well.
As you may remember, we make use of Bives in https://github.com/seek4science/seek . We've recently been reviewing our docker containers for security issues with trivy, and some critical issues were shown related to BiVeS; with com.fasterxml.jackson.core:jackson-databind:jar:2.3.3, and log4j:log4j:jar:1.2.17:compile.

Trivy is easy to install, and you can try it yourself within the BiVeS directory with

trivy fs --severity CRITICAL .

I've found it appears easy to fix, and stems back to the jCOMODI jar and its dependency on an old version of jena. It's difficult to submit as a pull request, as the fix is spread across several repositories, but I found once I updated jena for that package, it built fine and the tests pass. My change was

-        <dependency>
-            <groupId>org.apache.jena</groupId>
-            <artifactId>apache-jena-libs</artifactId>
-            <type>pom</type>
-            <version>3.0.0</version>
-        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.jena/apache-jena-libs -->
+<dependency>
+    <groupId>org.apache.jena</groupId>
+    <artifactId>apache-jena-libs</artifactId>
+    <version>4.8.0</version>
+    <type>pom</type>
+</dependency>
+
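Review bot: the added block is indented at 0/4 spaces while the removed block (and presumably the rest of jCOMODI's pom.xml) uses 8/12, so applying this as-is leaves one visibly mis-indented `<dependency>` in the file; re-indent the added lines to match. The trailing `+` empty line only introduces a blank line and can be dropped, and swapping `<type>pom</type>` below `<version>4.8.0</version>` is harmless to Maven but adds noise, so keeping the original element order would leave the version bump (3.0.0 to 4.8.0) as the only visible change.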

You would then need to update BiVeS-Core to use the new version of jCOMODI, and then next the packages that rely on BiVeS-Core (which is why it's difficult to provide a PR).

The final step was to update BiVeS itself to use log4j 2, which is easy with a little log4j wrapper library. I also found I needed to include log4j-slf4j-impl for the tests to pass - which I didn't entirely understand so you might want to double check. The changes I made to that pom.xml were

-         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>1.2.17</version>
-        </dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-1.2-api</artifactId>
+                   <version>2.20.0</version>
+               </dependency>
+               <dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-core</artifactId>
+                   <version>2.20.0</version>
+               </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl -->
+               <dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-slf4j-impl</artifactId>
+                   <version>2.20.0</version>
+                   <scope>test</scope>
+               </dependency>
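Review bot: as pasted, this hunk is unbalanced: the opening `<dependency>` is removed (`-         <dependency>`) but the added block begins at `<groupId>org.apache.logging.log4j</groupId>` with no `+ <dependency>` before it, so either an unchanged context line was dropped from the paste or the resulting pom.xml has a `</dependency>` for log4j-1.2-api with no opener; please post the hunk with its context lines so the result can be checked. The added lines are also indented at 19 spaces against the file's 8/12. On the log4j-slf4j-impl question in the description: that artifact is the SLF4J-to-Log4j 2 binding, so it is required whenever something on the classpath logs through SLF4J (Jena, bumped above, does); with `<scope>test</scope>` the binding exists only while tests run, so it is worth deciding deliberately whether SLF4J output at runtime should also be routed into Log4j 2 by declaring it in the default scope instead.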
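As an added check to go with the issue above (this is not code from BiVeS, jCOMODI or SEEK), the following Python script parses a pom.xml and flags the declared dependencies the issue discusses: it rejects the end-of-life `log4j:log4j` outright and reports `apache-jena-libs` or the Log4j 2 artifacts when they sit below the versions the reporter moved to. The policy table is an assumption built from those numbers, and the two sample poms are constructed to mirror the before and after states. It inspects only direct dependencies, so the transitive `jackson-databind 2.3.3` pulled in through jena still needs `trivy fs` or `mvn dependency:tree` to surface.

```python
"""Audit dependencies declared in a Maven pom.xml against a version policy.

Added example for this issue, not code from BiVeS, jCOMODI or SEEK. Only direct
dependencies are inspected; transitive ones (e.g. jackson-databind via jena)
still need `trivy fs` or `mvn dependency:tree`.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Policy constructed from the versions the issue moves to (assumption: these are
# the minimums the project wants enforced; adjust to your own baseline).
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.jena:apache-jena-libs": "4.8.0",
    "org.apache.logging.log4j:log4j-core": "2.20.0",
    "org.apache.logging.log4j:log4j-1.2-api": "2.20.0",
    "org.apache.logging.log4j:log4j-slf4j-impl": "2.20.0",
}
# Artifacts with no acceptable version at all: the whole line is end-of-life.
BANNED: Dict[str, str] = {
    "log4j:log4j": "org.apache.logging.log4j:log4j-1.2-api plus log4j-core",
}


def _local(tag: str) -> str:
    """Strip the POM namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> str:
    """Text of the first direct child element called `name`, or ''."""
    for child in el:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric ordering so that '2.20.0' > '2.3.3'. Non-numeric parts such as
    '-SNAPSHOT' count as 0, which is enough for a minimum-version check."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def parse_dependencies(pom_xml: str) -> List[Dict[str, str]]:
    """Every <dependency> in the pom, with ${property} versions resolved from
    <properties>; scope defaults to 'compile' as Maven does."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root:
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    deps = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        version = _child_text(dep, "version")
        placeholder = re.fullmatch(r"\$\{(.+)\}", version)
        if placeholder:
            version = props.get(placeholder.group(1), version)
        deps.append({
            "groupId": _child_text(dep, "groupId"),
            "artifactId": _child_text(dep, "artifactId"),
            "version": version,
            "scope": _child_text(dep, "scope") or "compile",
        })
    return deps


def audit(deps: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(coordinate, version, problem) for each declared dependency breaking policy."""
    findings = []
    for d in deps:
        coord = f"{d['groupId']}:{d['artifactId']}"
        if coord in BANNED:
            findings.append((coord, d["version"], f"end-of-life, replace with {BANNED[coord]}"))
        elif coord in MIN_VERSIONS and d["version"] and \
                version_key(d["version"]) < version_key(MIN_VERSIONS[coord]):
            findings.append((coord, d["version"], f"below minimum {MIN_VERSIONS[coord]}"))
    return findings


# Constructed sample poms: the state trivy complained about, and the state after
# the changes described in this issue (one dependency per line for brevity).
BEFORE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jena.version>3.0.0</jena.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.jena</groupId><artifactId>apache-jena-libs</artifactId>
      <type>pom</type><version>${jena.version}</version></dependency>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
  </dependencies>
</project>"""

AFTER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.jena</groupId><artifactId>apache-jena-libs</artifactId>
      <version>4.8.0</version><type>pom</type></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-1.2-api</artifactId>
      <version>2.20.0</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>2.20.0</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-slf4j-impl</artifactId>
      <version>2.20.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("before", BEFORE_POM), ("after", AFTER_POM)):
        findings = audit(parse_dependencies(pom))
        print(f"{name}: {len(findings)} finding(s)")
        for coord, version, problem in findings:
            print(f"  {coord} {version}: {problem}")
```

Run it on a real pom by replacing the constructed samples with `open("pom.xml").read()`; a non-empty result from `audit` is a reason to block the merge, and an empty one is only a statement about direct dependencies, which is exactly why the trivy run above remains the final gate.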
