Upgrade quartz dependency

[kalaiyarasiganeshalingam]

Purpose

$Subject

Fixes: https://github.com/wso2-enterprise/internal-support-ballerina/issues/437

Examples

Checklist

• Linked to an issue
• Updated the changelog
• Added tests
• Updated the spec
• Checked native-image compatibility

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[codecov]

Codecov Report

Patch and project coverage have no change.

Comparison is base (685d24d) 90.37% compared to head (32414d8) 90.37%.
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master     #489   +/-   ##
=========================================
  Coverage     90.37%   90.37%           
  Complexity       92       92           
=========================================
  Files            12       12           
  Lines           343      343           
  Branches         56       56           
=========================================
  Hits            310      310           
  Misses           29       29           
  Partials          4        4           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dilanSachi]

Can we use rc1 dependencies in our libs?

[kalaiyarasiganeshalingam]

Can we use rc1 dependencies in our libs?

We are using 2.3.2. Quartz's next major version lib hasn't been released yet. Updated versions are in RC, and the issue suggests the version in RC as well.
https://mvnrepository.com/artifact/org.quartz-scheduler/quartz

@daneshk @keizer619 Please give your suggestion.

[daneshk]

Can we use rc1 dependencies in our libs?

We are using 2.3.2. Quartz's next major version lib hasn't been released yet. Updated versions are in RC, and the issue suggests the version in RC as well. https://mvnrepository.com/artifact/org.quartz-scheduler/quartz

@daneshk @keizer619 Please give your suggestion.

According to the quartz issue thread[1], this vulnerability does impact only if we expose the connection factory to be configured by the user. otherwise, there is no way to be vulnerable to the issue. They are still discussing whether it should handled at the application level. IMO, we are not impacted by this. and we can't go with rc1 release.

1. API misuse of org.quartz.jobs.ee.jms.SendQueueMessageJob.execute would lead the code injection vulnerability. quartz-scheduler/quartz#943

[dilanSachi]

According to the quartz issue thread[1], this vulnerability does impact only if we expose the connection factory to be configured by the user. otherwise, there is no way to be vulnerable to the issue. They are still discussing whether it should handled at the application level. IMO, we are not impacted by this. and we can't go with rc1 release.

1. There's a code injection vulnerability of org.quartz.jobs.ee.jms.SendQueueMessageJob.execute quartz-scheduler/quartz#943

If we are not impacted, i guess we can ignore the vulnerability since we cannot use rc1 builds as well