Fix CVE-2023-33201: Upgrade Bouncy Castle from 1.70 to 1.74

[Copilot]

Dependabot alert OWASP-Benchmark#4 flagged CVE-2023-33201 (LDAP injection) in Bouncy Castle 1.70.

Changes

• Artifact migration: bcprov-jdk15on:1.70 → bcprov-jdk15to18:1.74

  • Starting v1.71, Bouncy Castle split artifacts by JDK compatibility
  • Added bcpkix-jdk15to18:1.74 for PKI functionality

• Transitive dependency exclusions: Added to apacheds-core and apacheds-protocol-ldap

  • Excludes bcprov-jdk15on and bcpkix-jdk15on to prevent vulnerable versions from Apache Directory dependencies

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15to18</artifactId>
    <version>1.74</version>
</dependency>

Verified via mvn dependency:tree that no 1.70 artifacts remain in the build.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com//advisories
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

fix this alert: https://github.com/octodemo/BenchmarkJavaOwaspADAM/security/dependabot/4

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.