Many of the SB2Quarkus rules use the dependency when criteria to look for embedded jar files.

The rules-reviewed/quarkus/springboot/tests/data subfolders contain a number of jar files that are used to drive the tests.

This spreadsheet details those jar files.

Lots of the test jar files (e.g. spring-beans-5.1.3.RELEASE.jar, spring-boot-2.1.10.RELEASE.jar)  are simply mockups and the hidden rules-reviewed/quarkus/springboot/tests/.windup/cache/nexus-indexer-data/test.archive-metadata.txt file contains the true SHA1 hash of the actual artifact that is being mocked.

However there are also several test application jar files (e.g. AWSLambdaDemoApplication-1.0-SNAPSHOT.jar, batch-demo-0.0.1-SNAPSHOT.jar, etc.) that contain real embedded jar files that are used to drive the rules tests.

These real embedded jar files are becoming increasingly dated and PNC is generating security alerts against them.

There is no need for them to be present as the embedded jar files can be replaced by mock-ups.

For each test application jar, we need to remove them, and replace them with mock-up jar files for the embedded artifacts that are driving the tests.

Adding rows to the test.archive-metadata.txt as we go.

So the scope of this change should be to replace test applications with mocked up artifacts of the relevant dependencies within those test applications.

No change should be required to the rules, or the rules tests.