JBoss Enterprise Application Platform: JBEAP-30467

Remove Protobuf-BOM 3.19.2.redhat-00001 from base server



      Issue: A duplicate version of protobuf-bom was found during verification of JBEAP-29980:

      • 3.19.2.redhat-00001 in jboss-eap-8.1.0.GA-CR4-maven-repository.zip
      • 4.28.3.redhat-00001 in jboss-eap-xp-6.0.0.GA-CR4-maven-repository.zip

      The older version (3.19.2.redhat-00001) contains a known CVE, making its presence undesirable even if not directly used as a dependency.

      Observed Behavior: The following directory structure was observed, showing two versions of protobuf-bom:

      /eaps/8.1.0.GA-CR4-xp-6.0.0.GA-CR4/jboss-eap-8.1.0.GA-CR4-xp-6.0.0.GA-CR4-merged-maven-repository/maven-repository/com/google/protobuf
      .
      ├── protobuf-bom
      │   ├── 3.19.2.redhat-00001
      │   └── 4.28.3.redhat-00001

      Root Cause (Identified): The 3.19.2.redhat-00001 version is explicitly added via eap-supplementary-artifacts/pom.xml in the maven-repository-testsuite project (https://gitlab.cee.redhat.com/pnc-workspace/jboss-eap/maven-repository-testsuite/blob/eap-8.x/content/dependency-lists/eap-supplementary-artifacts/pom.xml).

      Impact:

      • Presence of a component with a known CVE (3.19.2.redhat-00001) in the distribution, even if nothing depends on it, is a security concern in itself: consumers and vulnerability scanners see the artifact coordinates, not whether anything links against them, so the shipped content appears to include a vulnerable protobuf version.
      • The automated acceptance test eap-8.x-maven-repository-check-unique-artifactId is skipped for the "merged" maven repository, so this duplication went undetected. The test applies to "patched" repositories but not to "merged" ones, because MRRC (Maven Repository Release Content) repositories have relaxed requirements that permit duplicate artifactIds.

      Proposed Resolution:

      1. Investigate if protobuf-bom:3.19.2.redhat-00001 is truly unnecessary, potentially by removing it from eap-supplementary-artifacts/pom.xml and verifying that no tests fail.
      2. If confirmed as unnecessary, remove the protobuf-bom:3.19.2.redhat-00001 artifact from the merged-maven-repository to eliminate the CVE exposure.
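      The duplicate-version check that is skipped for the merged repository, and the removal step above, as an added example that is not code from this issue or from the maven-repository-testsuite project: a POSIX shell script that walks a Maven repository layout (<repo>/<group path>/<artifactId>/<version>/*.pom), reports every artifact directory that holds more than one version, and removes a named version once it has been confirmed unnecessary. The function names, the assumed layout and the sample repository tree are assumptions; the real eap-8.x-maven-repository-check-unique-artifactId test may be implemented differently.

```shell
#!/bin/sh
# Added example, not from JBEAP-30467 or the maven-repository-testsuite project.
# Assumes the standard Maven repository layout:
#   <repo>/<group/path>/<artifactId>/<version>/<artifactId>-<version>.pom
# A version directory is recognised by the .pom file it contains.

# List every group/path/artifactId (relative to the repo root) that ships
# more than one version, one per line, e.g. "com/google/protobuf/protobuf-bom".
find_duplicate_artifacts() {
    ( cd "$1" && find . -type f -name '*.pom' \
        | sed 's#^\./##; s#/[^/]*$##' \
        | sort -u \
        | sed 's#/[^/]*$##' \
        | sort | uniq -c \
        | awk '$1 > 1 { print $2 }' )
}

# Human-readable report: groupId:artifactId followed by the versions present.
report_duplicates() {
    repo="$1"
    find_duplicate_artifacts "$repo" | while read -r dir; do
        artifact=$(basename "$dir")
        group=$(dirname "$dir" | tr '/' '.')
        versions=$(for v in "$repo/$dir"/*/; do basename "$v"; done | tr '\n' ' ')
        echo "$group:$artifact -> $versions"
    done
}

# Remove one version directory once it is confirmed unnecessary. Returns 1 if
# the coordinates do not exist, so a typo cannot silently pass. A
# maven-metadata.xml in the artifact directory, if present, still lists the
# removed version and has to be regenerated separately.
remove_artifact_version() {
    repo="$1"; group="$2"; artifact="$3"; version="$4"
    dir="$repo/$(printf '%s' "$group" | tr '.' '/')/$artifact/$version"
    if [ ! -d "$dir" ]; then
        echo "no such artifact version: $group:$artifact:$version" >&2
        return 1
    fi
    rm -rf "$dir"
    echo "removed $group:$artifact:$version"
}

# Usage: ./check-dups.sh <path-to-maven-repository>
if [ -n "$1" ]; then
    report_duplicates "$1"
fi
```

      Run against the merged maven-repository directory, the report lists com.google.protobuf:protobuf-bom with both versions; after removing 3.19.2.redhat-00001 with remove_artifact_version the artifact no longer appears, which is the condition the skipped uniqueness test would enforce.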

              rh-ee-rnovelli Ruben Novelli
              mchoma@redhat.com Martin Choma