Update dependencies versions to remediate CVEs #5781

build.sbt

@@ -58,6 +58,14 @@ ThisBuild / libraryDependencies ++= Seq(
   // `Optional` means "not transitive", but still included in "stage/lib"
 )
 
+// CVE remediation - override vulnerable transitive dependencies (see https://github.com/joernio/joern/issues/5781)
+ThisBuild / dependencyOverrides ++= Seq(
+  "com.google.protobuf"  % "protobuf-java"  % Versions.protobuf,
+  "org.msgpack"          % "msgpack-core"   % Versions.msgpack,
+  "io.undertow"          % "undertow-core"  % Versions.undertow,
+  "com.squareup.okhttp3" % "okhttp"         % Versions.okhttp
+)
+
 ThisBuild / compile / javacOptions ++= Seq(
   "-g", // debug symbols
   "-Xlint",

project/Versions.scala

@@ -52,6 +52,12 @@ object Versions {
   val zip4j          = "2.11.5"
   val asm            = "9.7.1"
 
+  // CVE remediation - override versions for vulnerable transitive deps (see https://github.com/joernio/joern/issues/5781)
+  val protobuf       = "3.25.5"
+  val msgpack        = "0.9.11"
+  val undertow       = "2.3.20.Final"
+  val okhttp         = "4.9.2"
+
   private def parseVersion(key: String): String = {
     val versionRegexp = s""".*val $key[ ]+=[ ]?"(.*?)"""".r
     val versions: List[String] = scala.io.Source