Description
plugin.xml.txt
The jacoco-maven-plugin uses apache commons collections 3.2, which has been determined to have a security vulnerability. (Commons-collections-3.2.2 and higher are patched for the vulnerability.) Our goal is to remove all vulnerable libraries from our local servers, build servers and artifactory, which means we will need to discontinue use of the jacoco maven plugin, unless it is patched.
The dependency is injected via the \META-INF\maven\plugin.xml file.
commons-collections / commons-collections / jar / 3.2
JaCoCo version: jacoco-maven-plugin-0.8.0 and below
Operating system: Linux
Tool integration: Maven/Ant/API/Other
We need the dependency to point to version 3.2.2 or higher, otherwise, our applications that use the jacoco maven plugin will require the vulnerable library to be present in order to run builds.
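As an added check (not part of this report or of JaCoCo's own code), the script below parses a Maven plugin descriptor and flags any commons-collections:commons-collections entry older than 3.2.2; SAMPLE_PLUGIN_XML is a constructed descriptor mirroring the fields quoted above, and scan_plugin_jar reads the real META-INF/maven/plugin.xml out of a plugin jar at a path the caller supplies.

```python
import xml.etree.ElementTree as ET
import zipfile

# First commons-collections 3.x release the report cites as patched.
PATCHED = (3, 2, 2)

# Constructed sample: the 3.2 entry from the report plus an unrelated dependency.
SAMPLE_PLUGIN_XML = """<plugin>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <type>jar</type>
      <version>3.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <type>jar</type>
      <version>1.0</version>
    </dependency>
  </dependencies>
</plugin>"""


def parse_version(text):
    """'3.2' -> (3, 2, 0) so that 3.2 < 3.2.2 compares numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def vulnerable_collections_deps(plugin_xml_text):
    """Return [(groupId:artifactId, version)] for commons-collections deps below 3.2.2."""
    hits = []
    for dep in ET.fromstring(plugin_xml_text).iter("dependency"):
        gid = dep.findtext("groupId", "")
        aid = dep.findtext("artifactId", "")
        ver = dep.findtext("version", "")
        if (gid, aid) == ("commons-collections",) * 2 and parse_version(ver) < PATCHED:
            hits.append((f"{gid}:{aid}", ver))
    return hits


def scan_plugin_jar(jar_path):
    """Apply the same check to a real plugin jar (path supplied by the caller)."""
    with zipfile.ZipFile(jar_path) as jar:
        return vulnerable_collections_deps(jar.read("META-INF/maven/plugin.xml").decode())


if __name__ == "__main__":
    print(vulnerable_collections_deps(SAMPLE_PLUGIN_XML))
```

Run against a local repository with a loop over ~/.m2/repository/org/jacoco/jacoco-maven-plugin/*/*.jar to see which installed plugin versions still carry the 3.2 entry.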
===================================================
Here is information outlining the security vulnerability.
WebSphere vulnerability report:
https://www-01.ibm.com/support/docview.wss?uid=swg21970575
Determining if your application uses the Apache Commons InvokerTransformer and vulnerable to CVE-2015-7450
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/determining_if_your_application_uses_apache_commons_invokertransformer_and_vulnerable_to_cve20157450?lang=en
According to this document, anything prior to Apache Commons v3.2.2 is vulnerable to the issue.
https://commons.apache.org/proper/commons-collections/javadocs/api-3.2.2/org/apache/commons/collections/functors/InvokerTransformer.html
This is the original publication of the vulnerability:
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/