
Bump dependency commons-httpclient

Open · arnovdk opened this issue 1 year ago · 1 comment

Currently, the artifact uk.gov.nationalarchives:droid-container:6.7.0 has a dependency on commons-httpclient:commons-httpclient:3.1. IntelliJ IDEA flags this as having the following problems:

  • CVE-2012-6153 4.3 Improper Input Validation vulnerability
  • CVE-2012-5783 5.8 Improper Certificate Validation vulnerability

Closer inspection tells me that it's the class uk.gov.nationalarchives.droid.container.httpservice.ContainerSignatureHttpService that is dependent on commons-httpclient. And as far as I can tell, no other classes in the droid artifacts (droid-api, droid-container, droid-core, droid-core-interfaces, droid-parent) have any dependency on that class.

I use the artifact droid-api (and thus droid-container) as a library in software that we develop and I'm pretty sure that the class ContainerSignatureHttpService is never used, so nor is the dependency commons-httpclient. All in all the problem seems relatively small.

Still, it might be nice to refactor the mentioned class to use a newer version of HttpClient (say, 4.x or even 5.x).

arnovdk avatar Jan 26 '24 06:01 arnovdk
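For a consumer that, like the reporter, uses droid-api as a library and never calls ContainerSignatureHttpService, the practical mitigation is to exclude the transitive commons-httpclient 3.1 and let dependency-check enforce a CVSS threshold. This is an added, constructed pom.xml fragment, not code from the issue or from the DROID project; it assumes droid-api shares the groupId uk.gov.nationalarchives seen for droid-container, uses the 6.7.0 version named above, and leaves the plugin version as a placeholder.

```xml
<!-- Constructed example (not from the DROID project). Assumes droid-api shares the
     groupId uk.gov.nationalarchives seen for droid-container in the issue. -->
<project>
  <dependencies>
    <dependency>
      <groupId>uk.gov.nationalarchives</groupId>
      <artifactId>droid-api</artifactId>
      <version>6.7.0</version>
      <exclusions>
        <!-- Only ContainerSignatureHttpService needs commons-httpclient. A consumer that
             never calls that class can drop the transitive 3.1 artifact entirely.
             Caveat: if the class IS reached at runtime, the exclusion surfaces as a
             NoClassDefFoundError, so verify with mvn dependency:tree and your own tests. -->
        <exclusion>
          <groupId>commons-httpclient</groupId>
          <artifactId>commons-httpclient</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- The same OWASP plugin the maintainer mentions. failBuildOnCVSS is a real
           plugin parameter; the version below is a placeholder, not a known release. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- Build fails when any finding scores at or above this CVSS value.
               At 7, the two CVEs in the issue (4.3 and 5.8) are reported but do not
               break the build; lowering it to 4 would make both of them fail it. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree -Dincludes=commons-httpclient` afterwards to confirm nothing else in the graph still pulls the old artifact in.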

Thanks for pointing it out. Droid uses the dependency-check-maven plugin and the build fails if the vulnerability is severe. Looks like one of them is missing out on score.

sparkhi avatar Feb 01 '24 10:02 sparkhi

Excellent; today we upgraded to include Droid 6.8.0 and the warnings have been cleared.

arnovdk avatar Jul 11 '24 05:07 arnovdk

Thank you. I'll now close this issue.

sparkhi avatar Jul 11 '24 06:07 sparkhi