Fixes #9778

[rjeeb]

Excluding the pom.xml file from rebased protobuf-java-rebased-2.5.0.jar.

The fix excludes the pom file from the jar to ensure that dependency check libraries don't deal with it as usual protobuf-java dependency. It was tested on a project with jeremylong dependency check maven plugin and the result attached has no vulnerability on protobuf-java.

dependency-check-report.zip

[niloc132]

Thanks for this patch.

I've deployed a build of this to https://repo.vertispan.com/gwt-snapshot/ with version 2.11.0-fix-9778-SNAPSHOT. This uses the new groupIds, org.gwtproject:gwt-servlet:2.11.0-fix-9778-SNAPSHOT.

For example, see https://repo.vertispan.com/gwt-snapshot/org/gwtproject/gwt-servlet/2.11.0-fix-9778-SNAPSHOT/ to get the gwt-servlet jar.

[zbynek]

This should fix #9778 , #9790 and #9752

[niloc132]

If anyone can report back that they've tested this and confirmed it removes the false positive, we can see about merging it. That said, another change is in progress to update the sourcemap support so that gwt-servlet.jar doesn't use protobuf at all anyway, so these issues will be resolved in 2.12.