
Upgrade Apache Commons Configuration to 2.x to fix CVE-2025-46392 #1591

Open
jordanpadams wants to merge 1 commit into main from bugfix/upgrade-commons-configuration2

Conversation

@jordanpadams
Member

🗒️ Summary

Upgrades commons-configuration:commons-configuration:1.10 (CVE-2025-46392) to org.apache.commons:commons-configuration2:2.14.0.

Changes:

  • pom.xml: Replace commons-configuration:commons-configuration:1.10 with org.apache.commons:commons-configuration2:2.14.0
  • ValidateLauncher.java: Update imports to org.apache.commons.configuration2.* and migrate query() to use the 2.x FileBasedConfigurationBuilder / DefaultListDelimiterHandler fluent API (the 1.x AbstractConfiguration.setDefaultListDelimiter() static call is not available in 2.x)

🤖 AI Assistance Disclosure

  • AI used for moderate content generation (AI generated some code or logic, but the developer authored or heavily revised the majority)

Estimated % of code influenced by AI: 80%

⚙️ Test Data and/or Report

mvn compile passes cleanly. mvn test -Dtest=ValidationIntegrationTests passes (BUILD SUCCESS, 23 tests). Existing test suite exercises the query() code path via config-file-driven integration tests.

♻️ Related Issues

Fixes NASA-PDS/outlaw-tracker#23

🤓 Reviewer Checklist

Reviewers: Please verify the following before approving this pull request.

Documentation and PR Content

  • Documentation: README, Wiki, or inline documentation (Sphinx, Javadoc, Docstrings) have been updated to reflect these changes.
  • Issue Traceability: The PR is linked to a valid GitHub Issue
  • PR Title: The PR title is "user-friendly" clearly identifying what is being fixed or the new feature being added, that if you saw it in the Release Notes for a tool, you would be able to get the gist of what was done.

Security & Quality

  • SonarCloud: Confirmed no new High or Critical security findings.
  • Secrets Detection: Verified that the Secrets Detection scan passed and no sensitive information (keys, tokens, PII) is exposed.
  • Code Quality: Code follows organization style guidelines and best practices for the specific language (e.g., PEP 8, Google Java Style).

Testing & Validation

  • Test Accuracy: Verified that test data is accurate, representative of real-world PDS4 scenarios, and sufficient for the logic being tested.
  • Coverage: Automated tests cover new logic and edge cases.
  • Local Verification: (If applicable) Successfully built and ran the changes in a local or staging environment.

Maintenance

  • Backward Compatibility: Confirmed that these changes do not break existing downstream dependencies or API contracts (or that breaking changes are clearly documented).
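The import and query() migration listed under Changes replaces the 1.x static AbstractConfiguration.setDefaultListDelimiter(',') call with a per-builder DefaultListDelimiterHandler. The following is an added example of that 2.x pattern, not code from the validate project or from this PR; the property file content and key names are constructed for illustration.

```java
// Added example (not the validate project's code): loading a .properties file with
// Commons Configuration 2.x so that comma-separated values are still split into lists.
// 1.x equivalent that no longer exists in 2.x:
//   AbstractConfiguration.setDefaultListDelimiter(',');
//   PropertiesConfiguration cfg = new PropertiesConfiguration(file);
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.List;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder;
import org.apache.commons.configuration2.builder.fluent.Parameters;
import org.apache.commons.configuration2.convert.DefaultListDelimiterHandler;
import org.apache.commons.configuration2.ex.ConfigurationException;

public class ListDelimiterMigration {

    /** Loads a properties file, splitting values on ',' as the 1.x code did. */
    static PropertiesConfiguration load(File file) throws ConfigurationException {
        Parameters params = new Parameters();
        FileBasedConfigurationBuilder<PropertiesConfiguration> builder =
            new FileBasedConfigurationBuilder<PropertiesConfiguration>(PropertiesConfiguration.class)
                .configure(params.properties()
                    .setFile(file)
                    // 2.x defaults to DisabledListDelimiterHandler: without this line
                    // "a,b,c" is kept as one string and getList() returns one element,
                    // a silent behaviour change when migrating from 1.x.
                    .setListDelimiterHandler(new DefaultListDelimiterHandler(',')));
        return builder.getConfiguration();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample config; the key names are hypothetical, not the project's.
        File tmp = File.createTempFile("validate-example", ".properties");
        tmp.deleteOnExit();
        Files.write(tmp.toPath(),
            "validate.target=a.xml,b.xml,c.xml\nvalidate.rule=pds4.label\n"
                .getBytes(StandardCharsets.UTF_8));

        PropertiesConfiguration cfg = load(tmp);
        List<Object> targets = cfg.getList("validate.target");
        System.out.println(targets.size() + " targets: " + targets);
        System.out.println("rule = " + cfg.getString("validate.rule"));
    }
}
```

Comparing getList() output with and without the setListDelimiterHandler line is a quick way to confirm that a config-file-driven code path still sees multi-valued keys after the upgrade.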

Replaces the vulnerable commons-configuration:commons-configuration:1.10
with org.apache.commons:commons-configuration2:2.14.0. Updates imports
and query() to use the 2.x builder/fluent API with DefaultListDelimiterHandler.

Fixes NASA-PDS/outlaw-tracker#23

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
@jordanpadams jordanpadams added bug Something isn't working security labels Apr 25, 2026
@jordanpadams jordanpadams self-assigned this Apr 25, 2026
@jordanpadams jordanpadams requested a review from a team as a code owner April 25, 2026 18:56

@nutjob4life nutjob4life left a comment


Did something break as a result of commons-configuration upgrade? Or something else? I ran maven test twice but got this each time:

[ERROR] Failures: 
[ERROR]   CucumberTest.Example #1.184: NASA-PDS/validate#84-1 Test Failed Due To Exception: Cannot invoke "gov.nasa.pds.validate.report.Report.getWriter()" because "this.report" is null
[ERROR]   CucumberTest.Example #1.185: NASA-PDS/validate#84-2 Test Failed Due To Exception: Cannot invoke "gov.nasa.pds.validate.report.Report.getWriter()" because "this.report" is null
[INFO] 
[ERROR] Tests run: 334, Failures: 2, Errors: 0, Skipped: 23
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
