
Dependency on bcpkix-jdk15on introduces vulnerability CVE-2023-33201 #387

Closed
tadhgpearson opened this issue Oct 6, 2023 · 2 comments · Fixed by #388

Comments

@tadhgpearson
Contributor

tadhgpearson commented Oct 6, 2023

Describe the bug
sslcontext-kickstart-for-pem depends on BouncyCastle bcpkix-jdk15on v1.7.0, which contains vulnerability CVE-2023-33201. This is the latest version of this module, and it is no longer maintained because BC supports only LTS versions of Java (versions 8 and up).

If you run Snyk, Blackduck or other vulnerability scan on this module, the compliance alarms will go off. See also https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on

Expected behavior
I'm using this software to make my life easier but compliance people are coming after me. This doesn't make my life easier :D

Additional context
Suggest you drop support for Java versions < 8, by upgrading your BouncyCastle dependency to bcpkix-jdk18on v1.7.6 which is not vulnerable.

Other readers, note that you can work around this in the current version by changing your Maven dependency like so:

		<dependency>
			<groupId>io.github.hakky54</groupId>
			<artifactId>sslcontext-kickstart-for-pem</artifactId>
			<version>8.1.6</version>
			<!-- Begin temporary fix for CVE-2023-33201 -->
			<exclusions>
				<exclusion>
					<groupId>org.bouncycastle</groupId>
					<artifactId>bcpkix-jdk15on</artifactId>
				</exclusion>
			</exclusions>
		</dependency>
		<dependency>
			<groupId>org.bouncycastle</groupId>
			<artifactId>bcpkix-jdk18on</artifactId>
			<version>1.76</version>
			<!-- End temporary fix for CVE-2023-33201 -->
		</dependency>

This will keep your compliance dept ✅
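As an added example (not code from this issue or from sslcontext-kickstart), a small Python audit of a pom.xml that checks the workaround above is actually in place: the dependency that carries bcpkix-jdk15on must exclude it, and bcpkix-jdk18on at 1.76 or later must be declared. It only reads the pom text, so confirm the resolved tree with `mvn dependency:tree -Dincludes=org.bouncycastle`; the CARRIERS set and both sample poms are constructed for this example.

```python
import xml.etree.ElementTree as ET

VULNERABLE = ("org.bouncycastle", "bcpkix-jdk15on")  # carries CVE-2023-33201 per the issue
FIXED = ("org.bouncycastle", "bcpkix-jdk18on")
FIXED_MIN = (1, 76)                                  # non-vulnerable version named above
# Artifacts that pull bcpkix-jdk15on in transitively (constructed from the issue; extend it).
CARRIERS = {("io.github.hakky54", "sslcontext-kickstart-for-pem")}

def _tag(e):  # strip the POM namespace so poms with and without xmlns both work
    return e.tag.rsplit("}", 1)[-1]

def _child(e, name):
    return next(((c.text or "").strip() for c in e if _tag(c) == name), "")

def _coord(e):
    return (_child(e, "groupId"), _child(e, "artifactId"))

def _vtuple(v):  # "1.76" -> (1, 76); a managed/empty version becomes ()
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def audit_pom(pom_xml):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings, fixed_ok = [], False
    for dep in (d for d in ET.fromstring(pom_xml).iter() if _tag(d) == "dependency"):
        coord = _coord(dep)
        if coord == VULNERABLE:
            findings.append("direct dependency on bcpkix-jdk15on (CVE-2023-33201)")
        elif coord == FIXED:
            if _vtuple(_child(dep, "version")) >= FIXED_MIN:
                fixed_ok = True
            else:
                findings.append("bcpkix-jdk18on version is missing or older than 1.76")
        elif coord in CARRIERS:
            if not any(_tag(x) == "exclusion" and _coord(x) == VULNERABLE for x in dep.iter()):
                findings.append(f"{coord[1]} does not exclude bcpkix-jdk15on")
    if not fixed_ok:
        findings.append("no bcpkix-jdk18on >= 1.76 declared to replace the excluded artifact")
    return findings

# Constructed sample poms: the workaround from the issue, and the unpatched original.
PATCHED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>io.github.hakky54</groupId><artifactId>sslcontext-kickstart-for-pem</artifactId>
<version>8.1.6</version><exclusions><exclusion><groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId></exclusion></exclusions></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk18on</artifactId>
<version>1.76</version></dependency></dependencies></project>"""
UNPATCHED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>io.github.hakky54</groupId><artifactId>sslcontext-kickstart-for-pem</artifactId>
<version>8.1.6</version></dependency></dependencies></project>"""
```

`audit_pom(PATCHED_POM)` returns an empty list; `audit_pom(UNPATCHED_POM)` reports the missing exclusion and the missing bcpkix-jdk18on replacement.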

tadhgpearson pushed a commit to tadhgpearson/sslcontext-kickstart that referenced this issue Oct 6, 2023
@Hakky54 Hakky54 linked a pull request Oct 6, 2023 that will close this issue
@Hakky54
Owner

Hakky54 commented Oct 6, 2023

Hi Tadhg, it has been a while, maybe 2 years since your previous bug report. How are you doing?

Awesome that you shared this fix. I was assuming BC would fix it and I was waiting for the new version while not being aware that they have a java 8 version of their maven artifact which does not have the bug. Thank you for creating the pull request. I will make a release this week.

@Hakky54
Owner

Hakky54 commented Oct 7, 2023

@tadhgpearson I just released a new version containing this fix. You can use 8.1.7
