@duttonw duttonw commented Oct 9, 2025

Also updated

  • Allow github actions to build on all push commits
  • findsecbugs 2.0.0-M3 to 1.14.0 (public version) as 2.0.0-M3 does not seem publicly available when I was compiling/searching
  • Included extra owasp vars which is now required for sonatype login auth
    <ossIndexUsername>${env.OSS_INDEX_USERNAME}</ossIndexUsername>
    <ossIndexPassword>${env.OSS_INDEX_PASSWORD}</ossIndexPassword>

Move from legacy commons-lang 2.6 to commons-lang3 3.19.0 to remove this cve:

CVE-2025-48924 (OSSINDEX) suppress

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-48924 for details
CWE-674 Uncontrolled Recursion

CVSSv2:
Base Score: MEDIUM (6.900000095367432)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References:
OSSINDEX - [CVE-2025-48924] CWE-674: Uncontrolled Recursion
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
OSSIndex - GHSA-j288-q9x7-2f5v
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:commons-lang:commons-lang:2.6:::::::*
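The dependency swap and the OSS Index credentials from the list above, as an added pom.xml fragment (this is not the PR's own diff): the dependency-check-maven plugin version is a placeholder, and the plugin's element layout and the failBuildOnCVSS setting are assumed from its documented configuration rather than taken from this PR.

```xml
<!-- Added example, not from the PR. -->
<dependencies>
  <!-- Removed: the legacy coordinates flagged by OSS Index
       (cpe commons-lang:commons-lang:2.6, CVE-2025-48924).
  <dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>2.6</version>
  </dependency>
  -->
  <!-- Added: new groupId and artifactId. commons-lang3 lives in the
       org.apache.commons.lang3 package, so imports of
       org.apache.commons.lang must be updated as part of the migration. -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.19.0</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Placeholder: use the plugin version the project already pins. -->
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <configuration>
        <!-- OSS Index credentials are read from CI environment variables
             (populated from repository secrets), never committed. -->
        <ossIndexUsername>${env.OSS_INDEX_USERNAME}</ossIndexUsername>
        <ossIndexPassword>${env.OSS_INDEX_PASSWORD}</ossIndexPassword>
        <!-- Assumed setting: fail the build on high-severity findings. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Once the legacy artifact is gone, the CPE `commons-lang:commons-lang:2.6` no longer appears in the scan, so the OSSINDEX suppression shown above is not needed.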


duttonw commented Oct 9, 2025

#895

This PR is better and really should be pushed forward with a minor version change. Yes, it's been noted that you don't use the parts that have the CVE attached inside the module, but it's not looking good in 2025 where JDK 17+ with OWASP checks are in place and the inability to drop commons-lang 2.6 due to other dependency connections.

@duttonw duttonw closed this Oct 9, 2025