update vulnerable dependencies

commons-beanutils to 1.9.3
commons-collections to 3.2.2
httpclient to 4.5.5
slf4j to 1.7.25
logback to 1.2.3
jackson to 1.9.13

pom.xml

@@ -387,6 +387,75 @@
 
   </profiles>
 
+  <dependencyManagement>
+    <dependencies>
+
+      <!-- utils -->
+
+      <dependency>
+        <groupId>commons-beanutils</groupId>
+        <artifactId>commons-beanutils</artifactId>
+        <version>1.9.3</version>
+      </dependency>
+
+      <dependency>
+        <groupId>commons-collections</groupId>
+        <artifactId>commons-collections</artifactId>
+        <version>3.2.2</version>
+      </dependency>
+
+      <!-- http -->
+
+      <dependency>
+        <groupId>org.apache.httpcomponents</groupId>
+        <artifactId>httpclient</artifactId>
+        <version>4.5.5</version>
+      </dependency>
+
+      <!-- logging -->
+
+      <dependency>
+        <artifactId>slf4j-api</artifactId>
+        <groupId>org.slf4j</groupId>
+        <version>${slf4j.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>ch.qos.logback</groupId>
+        <artifactId>logback-classic</artifactId>
+        <version>${logback.version}</version>
+      </dependency>
+
+
+      <!-- json -->
+
+      <dependency>
+        <groupId>org.codehaus.jackson</groupId>
+        <artifactId>jackson-core-asl</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.codehaus.jackson</groupId>
+        <artifactId>jackson-mapper-asl</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.codehaus.jackson</groupId>
+        <artifactId>jackson-jaxrs</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.codehaus.jackson</groupId>
+        <artifactId>jackson-xc</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
+
+    </dependencies>
+  </dependencyManagement>
+
   <distributionManagement>
 
     <repository>
@@ -410,8 +479,8 @@
     <junit.version>4.12</junit.version>
 
     <!-- logging libraries -->
-    <slf4j.version>1.7.22</slf4j.version>
-    <logback.version>1.1.10</logback.version>
+    <slf4j.version>1.7.25</slf4j.version>
+    <logback.version>1.2.3</logback.version>
     <servlet.version>2.5</servlet.version>
     <guice.version>3.0</guice.version>
     <jersey.version>1.19.4</jersey.version>
@@ -419,6 +488,7 @@
     <freemarker.version>2.3.20</freemarker.version>
     <jetty.version>7.6.21.v20160908</jetty.version>
     <jetty.maven.version>7.6.16.v20140903</jetty.maven.version>
+    <jackson.version>1.9.13</jackson.version>
 
     <!-- security libraries -->
     <shiro.version>1.3.0</shiro.version>

scm-core/pom.xml

@@ -30,7 +30,6 @@
     <dependency>
       <artifactId>slf4j-api</artifactId>
       <groupId>org.slf4j</groupId>
-      <version>${slf4j.version}</version>
     </dependency>
     
     <!-- security -->

scm-webapp/pom.xml

@@ -136,7 +136,6 @@
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>${logback.version}</version>
     </dependency>
     
     <dependency>
@@ -174,13 +173,11 @@
     <dependency>
       <groupId>commons-beanutils</groupId>
       <artifactId>commons-beanutils</artifactId>
-      <version>1.9.2</version>
     </dependency>
     
     <dependency>
       <groupId>commons-collections</groupId>
       <artifactId>commons-collections</artifactId>
-      <version>3.2.1</version>
     </dependency>
     
     <!-- 
@@ -212,14 +209,6 @@
       </exclusions>
     </dependency>
     
-    <!-- fix version conflict -->
-    
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <version>4.2.6</version>
-    </dependency>
-    
     <!-- template engine -->
 
     <dependency>