transitively depending on vulnerable version of commons-collections

[jkremser]

for the builder-annotations dependency consider adding something like

                <exclusions>
                    <exclusion>
                        <groupId>commons-collections</groupId>
                        <artifactId>commons-collections</artifactId>
                    </exclusion>
                </exclusions>

and then bringing back the dependency

            <dependency>
                <groupId>commons-collections</groupId>
                <artifactId>commons-collections</artifactId>
                <scope>provided</scope>
                <version>3.2.2</version>
            </dependency>

Because currently your library is being reported by tools like snyk.io that are not smart enough to figure out that commons-collections in that broken 3.2.1 version will not end up at the class path at the end... the scope (provided) was declared in the parent pom and the tool wasn't probably good enough to get it.

see the screenshot:
https://i.imgur.com/ehUTAfU.png

same holds for:

• com.fasterxml.jackson.core:jackson-databind:2.7.7
• com.fasterxml.jackson.core:jackson-core:2.7.7