From 55ab9d33fefe936973b9118d594e63df49f64196 Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Tue, 18 Oct 2022 09:42:52 -0400
Subject: [PATCH 1/6] [commons-text-upgrade] Excludes vulnerable transitive
 dependency, adds upgraded dependency and includes upgraded dependency in lib.

---
 liquibase-core/pom.xml                               | 12 ++++++++++++
 .../src/main/assembly/assembly-bin-common.xml        |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/liquibase-core/pom.xml b/liquibase-core/pom.xml
index 733a1ac09fe..9fb400ed8de 100644
--- a/liquibase-core/pom.xml
+++ b/liquibase-core/pom.xml
@@ -112,6 +112,18 @@
             <groupId>com.opencsv</groupId>
             <artifactId>opencsv</artifactId>
             <version>5.7.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-text</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
         </dependency>
     </dependencies>
 
diff --git a/liquibase-dist/src/main/assembly/assembly-bin-common.xml b/liquibase-dist/src/main/assembly/assembly-bin-common.xml
index 482d0a401e2..89e928f23e0 100644
--- a/liquibase-dist/src/main/assembly/assembly-bin-common.xml
+++ b/liquibase-dist/src/main/assembly/assembly-bin-common.xml
@@ -110,7 +110,7 @@
 				<include>com.ibm.db2:jcc:jar:</include>
 				<include>org.firebirdsql.jdbc:jaybird:</include>
                 <include>net.snowflake:snowflake-jdbc:</include>
-
+				<include>org.apache.commons:commons-text:</include>
                 <include>javax.resource:connector-api:</include>
 
 				<!-- CANNOT SHIP FOR LICENSE REASONS -->

From c246cb3109bbe2a20f55f06deb7412d26cb79a8b Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Tue, 18 Oct 2022 10:11:45 -0400
Subject: [PATCH 2/6] [commons-text-upgrade] Updates release.pom with
 commons-text exclusion/upgrade.

---
 liquibase-dist/src/main/maven/release.pom.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/liquibase-dist/src/main/maven/release.pom.xml b/liquibase-dist/src/main/maven/release.pom.xml
index 2152949acec..c8b244029f4 100644
--- a/liquibase-dist/src/main/maven/release.pom.xml
+++ b/liquibase-dist/src/main/maven/release.pom.xml
@@ -54,7 +54,16 @@
                     <groupId>commons-beanutils</groupId>
                     <artifactId>commons-beanutils</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-text</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+        </dependency>
     </dependencies>
 </project>

From 2f7745396ff51a54cbd01d463befe8d1ec2d5a0a Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Wed, 19 Oct 2022 12:29:47 -0400
Subject: [PATCH 3/6] [commons-text-upgrade] Uses dependency management to
 override transitive dependency.

---
 liquibase-core/pom.xml                        | 23 +++++++++----------
 liquibase-dist/src/main/maven/release.pom.xml | 19 +++++++--------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/liquibase-core/pom.xml b/liquibase-core/pom.xml
index 9fb400ed8de..8d7e56031c4 100644
--- a/liquibase-core/pom.xml
+++ b/liquibase-core/pom.xml
@@ -112,21 +112,20 @@
             <groupId>com.opencsv</groupId>
             <artifactId>opencsv</artifactId>
             <version>5.7.0</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.10.0</version>
         </dependency>
     </dependencies>
 
+    <dependencyManagement>
+        <dependencies>
+            <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>1.10.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <build>
         <resources>
             <resource>
diff --git a/liquibase-dist/src/main/maven/release.pom.xml b/liquibase-dist/src/main/maven/release.pom.xml
index eda65e57981..4a25d897622 100644
--- a/liquibase-dist/src/main/maven/release.pom.xml
+++ b/liquibase-dist/src/main/maven/release.pom.xml
@@ -54,16 +54,17 @@
                     <groupId>commons-beanutils</groupId>
                     <artifactId>commons-beanutils</artifactId>
                 </exclusion>
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.10.0</version>
-        </dependency>
     </dependencies>
+    <dependencyManagement>
+        <dependencies>
+            <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>1.10.0</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 </project>

From 6e26f2d76b20621dbfbcee84d30c61e8a99afc47 Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Wed, 19 Oct 2022 12:59:26 -0400
Subject: [PATCH 4/6] Revert "[commons-text-upgrade] Uses dependency management
 to override transitive dependency."

This reverts commit 2f7745396ff51a54cbd01d463befe8d1ec2d5a0a.
---
 liquibase-core/pom.xml                        | 23 ++++++++++---------
 liquibase-dist/src/main/maven/release.pom.xml | 19 ++++++++-------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/liquibase-core/pom.xml b/liquibase-core/pom.xml
index 8d7e56031c4..9fb400ed8de 100644
--- a/liquibase-core/pom.xml
+++ b/liquibase-core/pom.xml
@@ -112,19 +112,20 @@
             <groupId>com.opencsv</groupId>
             <artifactId>opencsv</artifactId>
             <version>5.7.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-text</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
-    </dependencies>
 
-    <dependencyManagement>
-        <dependencies>
-            <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-text</artifactId>
-                <version>1.10.0</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+        </dependency>
+    </dependencies>
 
     <build>
         <resources>
diff --git a/liquibase-dist/src/main/maven/release.pom.xml b/liquibase-dist/src/main/maven/release.pom.xml
index 4a25d897622..eda65e57981 100644
--- a/liquibase-dist/src/main/maven/release.pom.xml
+++ b/liquibase-dist/src/main/maven/release.pom.xml
@@ -54,17 +54,16 @@
                     <groupId>commons-beanutils</groupId>
                     <artifactId>commons-beanutils</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-text</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+        </dependency>
     </dependencies>
-    <dependencyManagement>
-        <dependencies>
-            <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-text</artifactId>
-                <version>1.10.0</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
 </project>

From dd3a9724312e99d5bc37a47d1c5e3651fc154e85 Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Wed, 19 Oct 2022 13:00:57 -0400
Subject: [PATCH 5/6] [commons-text-upgrade] Adds comment.

---
 liquibase-core/pom.xml                        | 2 +-
 liquibase-dist/src/main/maven/release.pom.xml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/liquibase-core/pom.xml b/liquibase-core/pom.xml
index 9fb400ed8de..2790eb62fef 100644
--- a/liquibase-core/pom.xml
+++ b/liquibase-core/pom.xml
@@ -119,7 +119,7 @@
                 </exclusion>
             </exclusions>
         </dependency>
-
+        <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry and the exclusion. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>
diff --git a/liquibase-dist/src/main/maven/release.pom.xml b/liquibase-dist/src/main/maven/release.pom.xml
index eda65e57981..56e52105418 100644
--- a/liquibase-dist/src/main/maven/release.pom.xml
+++ b/liquibase-dist/src/main/maven/release.pom.xml
@@ -60,6 +60,7 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!--TODO: This is overriding the commons-text dependency in opencsv. Once opencsv 5.7.1 is released we can remove this entry and the exclusion. See: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138-->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>

From a4b91c5ed68fdb5a72ef1d973bffb5bafa70b8c2 Mon Sep 17 00:00:00 2001
From: Alex Brackx <abrackx@liquibase.com>
Date: Wed, 19 Oct 2022 13:33:17 -0400
Subject: [PATCH 6/6] [commons-text-upgrade] Additional comment.

---
 liquibase-dist/src/main/assembly/assembly-bin-common.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/liquibase-dist/src/main/assembly/assembly-bin-common.xml b/liquibase-dist/src/main/assembly/assembly-bin-common.xml
index 89e928f23e0..f23cfc70168 100644
--- a/liquibase-dist/src/main/assembly/assembly-bin-common.xml
+++ b/liquibase-dist/src/main/assembly/assembly-bin-common.xml
@@ -110,7 +110,7 @@
 				<include>com.ibm.db2:jcc:jar:</include>
 				<include>org.firebirdsql.jdbc:jaybird:</include>
                 <include>net.snowflake:snowflake-jdbc:</include>
-				<include>org.apache.commons:commons-text:</include>
+				<include>org.apache.commons:commons-text:</include> <!-- TODO: Remove once opencsv has a new release and updates commons-text to a version >= 1.10.0 -->
                 <include>javax.resource:connector-api:</include>
 
 				<!-- CANNOT SHIP FOR LICENSE REASONS -->