MegaSparkDiff
Fix BlackDuck security issues
Right now there's a scary "1/10 (high risk)" reported by BlackDuck for our project. We should really see what we can do to remedy this. It might not be possible for all dependencies, but in those cases we can at least document why we can't resolve it.
I agree. These high-risk issues are mostly from Spark dependencies; a question would be how we can decide to exclude a dependency.
Yeah, the dependency tree is pretty big. The Maven dependency plugin has some features with the analyze goal that we can investigate, and I know that the shaded JAR plugin has an option to remove anything it thinks we don't need. I'm not saying we should release ours only as a shaded JAR, but that at least implies there's something smart enough out there that we can start with.
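For reference, the three Maven mechanisms mentioned in the thread (excluding a transitive dependency, the dependency plugin's analyze goal, and the shade plugin's unused-class removal) look like this in a pom.xml. This is an added illustrative fragment, not MegaSparkDiff's actual build file; the `org.example` artifacts and the Scala/Spark coordinates are assumptions.

```xml
<!-- Added example fragment, not the project's real pom.xml.
     org.example:* artifacts and the spark-core coordinates are assumptions. -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.12</artifactId>
      <version>${spark.version}</version>
      <!-- Drop a transitive artifact that the scanner flags and the code never touches.
           An <exclusions> block only prunes this dependency's subtree; if another
           dependency also pulls the same artifact in, it has to be excluded there too. -->
      <exclusions>
        <exclusion>
          <groupId>org.example</groupId>            <!-- hypothetical flagged artifact -->
          <artifactId>unused-transitive</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- dependency:analyze compares the declared dependencies against what the
           compiled bytecode actually references. analyze-only binds to the verify
           phase; failOnWarning makes "unused declared" and "used undeclared"
           findings fail the build instead of just printing them. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <executions>
          <execution>
            <id>analyze-deps</id>
            <goals><goal>analyze-only</goal></goals>
            <configuration>
              <failOnWarning>true</failOnWarning>
              <ignoreNonCompile>true</ignoreNonCompile>
            </configuration>
          </execution>
        </executions>
      </plugin>

      <!-- Shade plugin with minimizeJar: keeps only classes reachable from the
           project's own classes. Classes loaded by reflection, ServiceLoader or
           resource lookups are invisible to that analysis and get dropped unless
           a filter keeps them, which is why test coverage of every call path matters. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <minimizeJar>true</minimizeJar>
              <filters>
                <!-- Hypothetical artifact whose classes are loaded reflectively:
                     an include filter keeps the whole artifact despite minimizeJar. -->
                <filter>
                  <artifact>org.example:loaded-by-reflection</artifact>
                  <includes><include>**</include></includes>
                </filter>
              </filters>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before adding an exclusion, `mvn dependency:tree -Dincludes=<groupId>:<artifactId>` shows every path by which the flagged artifact arrives, so the exclusion can be placed on each of them; `mvn dependency:analyze` alone prints the report without failing the build. One further caveat for a library that runs inside a Spark runtime: Spark artifacts can usually be declared with `<scope>provided</scope>`, which keeps them out of the shaded JAR entirely and leaves patching them to the cluster, rather than trying to prune them from the tree.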
I think the main difficulty will be testing. Not only should we have very good code coverage in our tests after the dependencies are removed, we'd kind of have to brainstorm what some ways are that MSD could be called that aren't implied by simply hitting all the lines / branches / whatever.