Bump xercesImpl-2.12.0.jar to 2.12.2

[KanakamedalaSiri]

There is vulnerability reported with current dependency version of xercesImpl-2.12.0.jar. Please bump xercesImpl-2.12.0.jar to xercesImpl-2.12.2.jar.

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. |  

Upgrade to version xerces:xercesImpl:2.12.2
Details: GHSA-h65f-jvqw-m9fj

[KanakamedalaSiri]

@MarkEWaite
Can someone help on this please?

[MarkEWaite]

The Jenkins project vulnerability reporting guidelines state:

We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

• Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

If you have a plausible or demonstrated exploit, please follow the vulnerability reporting guidelines and report the exploit.

In any case, you are welcome to open a pull request to update the dependency. You can then test that the updated plugin resolves the issue for you and does not break other uses of the plugin.