authorMatthias Sohn <matthias.sohn@sap.com>2022-04-11 10:27:37 +0200
committerMatthias Sohn <matthias.sohn@sap.com>2022-04-11 13:28:00 +0200
commitd5f4ca7711879ff7d87cbb06759dc410a3aaba99 (patch)
treee9c560d1be4913db3c85dd83fad533b17d86ddf1
parenta523b96484c1698b2a3b5e83fc78d55564c20aec (diff)
Use original servlet-api 3.1.0 artefact instead of tomcat's copy
Gerrit uses Tomcat's copy org.apache.tomcat:tomcat-servlet-api:8.5.23 of javax.servlet:javax.servlet-api:3.1.0. Earlier we used Jetty's copy of the servlet-api, which was replaced by Tomcat's copy in change Ica04d0c19306da9afcadf3919581632f7df93483. This hurts us because Whitesource scans report the Tomcat 8.5.23 vulnerabilities against this dependency: the scanner is not smart enough to recognize that we only use the Tomcat servlet-api artefact, which has no vulnerability. Use the original servlet-api instead of Tomcat's copy to get rid of this issue. Change-Id: I800d8429f08894f29eb66a0627f50ed2e55e0d54 Release-Notes: Use original javax.servlet-api instead of tomcat's copy
-rw-r--r--WORKSPACE4
-rw-r--r--java/com/google/gerrit/launcher/GerritLauncher.java2
2 files changed, 3 insertions, 3 deletions
diff --git a/WORKSPACE b/WORKSPACE
index b664fe017f..ce7ab95b03 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -168,8 +168,8 @@ maven_jar(
maven_jar(
name = "servlet-api",
- artifact = "org.apache.tomcat:tomcat-servlet-api:8.5.23",
- sha1 = "021a212688ec94fe77aff74ab34cc74f6f940e60",
+ artifact = "javax.servlet:javax.servlet-api:3.1.0",
+ sha1 = "3cd63d075497751784b2fa84be59432f4905bf7c",
)
# JGit's transitive dependencies
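Review bot: The replacement artifact on the `+ artifact` / `+ sha1` lines is pinned only by a SHA-1, which is the weakest integrity check the fetch performs, so the `3cd63d07…` value should be confirmed against the `.sha1` file Maven Central publishes next to `javax.servlet-api-3.1.0.jar` (and ideally the artifact's PGP signature) rather than copied from a mirror or a third-party build file, because a digest taken from an untrusted source silently pins whatever jar that source serves. If Gerrit's `maven_jar` rule accepts a `sha256` attribute, adding `sha256 = "…"` alongside `sha1` gives a collision-resistant pin; the rule definition is not visible from this hunk, so check tools/bzl/maven_jar.bzl. A one-line comment above the `artifact` line would also stop the next reader from swapping back to a container's repackaged copy, e.g. `# Use the spec API jar, not a container's repackaged copy, so SCA scanners do not attribute container CVEs to it.`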
diff --git a/java/com/google/gerrit/launcher/GerritLauncher.java b/java/com/google/gerrit/launcher/GerritLauncher.java
index f6c395e7b6..1999270bae 100644
--- a/java/com/google/gerrit/launcher/GerritLauncher.java
+++ b/java/com/google/gerrit/launcher/GerritLauncher.java
@@ -301,7 +301,7 @@ public final class GerritLauncher {
move(jars, "javax.inject-1.jar", extapi);
move(jars, "aopalliance-1.0.jar", extapi);
move(jars, "guice-servlet-", extapi);
- move(jars, "tomcat-servlet-api-", extapi);
+ move(jars, "servlet-api-", extapi);
ClassLoader parent = ClassLoader.getSystemClassLoader();
if (!extapi.isEmpty()) {
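Review bot: The new match string `"servlet-api-"` on the `+` line is looser than the `"tomcat-servlet-api-"` it replaces, and whether it still selects the intended jar depends on how `move` matches (prefix or substring), which is not visible in this hunk. If the packaged jar is named after the artifact id (`javax.servlet-api-3.1.0.jar`), a prefix match would no longer move it into `extapi` at all, while a substring match would also pick up any other jar whose name contains `servlet-api-`; please verify against the jar names actually present in the war's WEB-INF/lib. A comment such as `// javax.servlet:javax.servlet-api jar, matched by name; keep the pattern specific to that jar` above the call would record the intent. The enclosing method starts before this hunk and continues past it.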