Merge pull request #3311 from aurbroszniowski/TDB-19854-upgrade-dependencies-main

TDB-19854 - Remove vulnerable dependencies

Author: prasantakumar82

build-logic/src/main/java/org/ehcache/build/conventions/CheckstyleConvention.java

@@ -13,10 +13,28 @@ public void apply(Project project) {
     project.getPlugins().apply(CheckstylePlugin.class);
 
     project.getExtensions().configure(CheckstyleExtension.class, checkstyle -> {
+      checkstyle.setToolVersion("10.18.1");
       checkstyle.setConfigFile(project.getRootProject().file("config/checkstyle.xml"));
       Map<String, Object> properties = checkstyle.getConfigProperties();
       properties.put("projectDir", project.getProjectDir());
       properties.put("rootDir", project.getRootDir());
     });
+
+    project.getConfigurations().named("checkstyle", config -> {
+      config.getResolutionStrategy().dependencySubstitution(subs -> {
+        subs.substitute(subs.module("org.codehaus.plexus:plexus-utils:3.1.1"))
+          .using(subs.module("org.codehaus.plexus:plexus-utils:3.3.0"))
+          .because("Checkstyle 10.18.1 pulls mismatched plexus-utils versions");
+        subs.substitute(subs.module("org.apache.commons:commons-lang3:3.7"))
+          .using(subs.module("org.apache.commons:commons-lang3:3.8.1"))
+          .because("Checkstyle transitives mix commons-lang3 versions");
+        subs.substitute(subs.module("org.apache.httpcomponents:httpcore:4.4.13"))
+          .using(subs.module("org.apache.httpcomponents:httpcore:4.4.14"))
+          .because("Align httpcore to latest bugfix release");
+        subs.substitute(subs.module("commons-codec:commons-codec:1.11"))
+          .using(subs.module("commons-codec:commons-codec:1.15"))
+          .because("Checkstyle transitive dependencies depend on different commons-codec versions");
+      });
+    });
   }
 }

build-logic/src/main/java/org/ehcache/build/conventions/JavaConvention.java

@@ -22,6 +22,8 @@ public void apply(Project project) {
 
     dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "junit:junit:" + project.property("junitVersion"));
     dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "org.assertj:assertj-core:" + project.property("assertjVersion"));
+    dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "net.bytebuddy:byte-buddy:" + project.property("byteBuddyVersion"));
+    dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "net.bytebuddy:byte-buddy-agent:" + project.property("byteBuddyVersion"));
     dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "org.hamcrest:hamcrest:" + project.property("hamcrestVersion"));
     dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "org.mockito:mockito-core:" + project.property("mockitoVersion"));
     ModuleDependency md = (ModuleDependency)dependencies.add(JavaPlugin.TEST_IMPLEMENTATION_CONFIGURATION_NAME, "org.terracotta:terracotta-utilities-test-tools:" + project.property("terracottaUtilitiesVersion"));
@@ -35,6 +37,14 @@ public void apply(Project project) {
         subs.substitute(subs.module("org.hamcrest:hamcrest-library:1.3")).with(subs.module("org.hamcrest:hamcrest-library:" + project.property("hamcrestVersion")));
         subs.substitute(subs.module("junit:junit:4.12")).using(subs.module("junit:junit:4.13.1"));
       });
+      config.getResolutionStrategy().eachDependency(details -> {
+        String group = details.getRequested().getGroup();
+        String name = details.getRequested().getName();
+        if ("net.bytebuddy".equals(group) && ("byte-buddy".equals(name) || "byte-buddy-agent".equals(name))) {
+          details.useVersion(project.property("byteBuddyVersion").toString());
+          details.because("Align Byte Buddy family versions across AssertJ and Mockito");
+        }
+      });
     });
   }
 }

build-logic/src/main/java/org/ehcache/build/conventions/SpotbugsConvention.java

@@ -17,8 +17,8 @@ public void apply(Project project) {
     SpotBugsExtension spotbugs = project.getExtensions().getByType(SpotBugsExtension.class);
 
     spotbugs.getIgnoreFailures().set(false);
-    // Later versions of Spotbugs have stupid heuristics for EI_EXPOSE_REP*
-    spotbugs.getToolVersion().set("4.2.3");
+    spotbugs.getToolVersion().set("4.9.8");
+    spotbugs.getOmitVisitors().addAll("FindReturnRef", "ConstructorThrow");
 
     project.getPlugins().withType(JavaBasePlugin.class).configureEach(plugin -> {
 
@@ -46,6 +46,12 @@ public void apply(Project project) {
         subs.substitute(subs.module("org.apache.commons:commons-lang3:3.11"))
           .using(subs.module("org.apache.commons:commons-lang3:3.12.0"))
           .because("Spotbugs has dependency divergences");
+        subs.substitute(subs.module("org.apache.commons:commons-lang3:3.18.0"))
+          .using(subs.module("org.apache.commons:commons-lang3:3.19.0"))
+          .because("Spotbugs 4.9.8 has dependency divergences");
+        subs.substitute(subs.module("org.apache.logging.log4j:log4j-core:2.25.2"))
+          .using(subs.module("org.apache.logging.log4j:log4j-core:2.25.3"))
+          .because("Security vulnerability fix");
       });
     });
 

clustered/ehcache-client/src/test/java/org/ehcache/clustered/client/internal/service/DefaultClusteringServiceDestroyTest.java

@@ -55,6 +55,8 @@
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.withSettings;
 
+import org.mockito.quality.Strictness;
+
 /**
  * DefaultClusteringServiceDestroyTest
  */
@@ -194,7 +196,7 @@ public void testDestroyOnPartialDestroyState() throws Exception {
 
   private void mockLockForWriteLockSuccess() throws org.terracotta.exception.EntityNotProvidedException, org.terracotta.exception.EntityNotFoundException, org.terracotta.exception.EntityVersionMismatchException {
     when(connection.<VoltronReadWriteLockClient, Object, Void>getEntityRef(same(VoltronReadWriteLockClient.class), eq(1L), any())).thenReturn(lockEntityRef);
-    VoltronReadWriteLockClient lockClient = mock(VoltronReadWriteLockClient.class, withSettings().lenient());
+    VoltronReadWriteLockClient lockClient = mock(VoltronReadWriteLockClient.class, withSettings().strictness(Strictness.LENIENT));
     when(lockEntityRef.fetchEntity(null)).thenReturn(lockClient);
 
     when(lockClient.tryLock(LockMessaging.HoldType.WRITE)).thenReturn(true);
@@ -203,7 +205,7 @@ private void mockLockForWriteLockSuccess() throws org.terracotta.exception.Entit
 
   private void mockLockForReadLockSuccess() throws org.terracotta.exception.EntityNotProvidedException, org.terracotta.exception.EntityNotFoundException, org.terracotta.exception.EntityVersionMismatchException {
     when(connection.<VoltronReadWriteLockClient, Object, Void>getEntityRef(same(VoltronReadWriteLockClient.class), eq(1L), any())).thenReturn(lockEntityRef);
-    VoltronReadWriteLockClient lockClient = mock(VoltronReadWriteLockClient.class, withSettings().lenient());
+    VoltronReadWriteLockClient lockClient = mock(VoltronReadWriteLockClient.class, withSettings().strictness(Strictness.LENIENT));
     when(lockEntityRef.fetchEntity(null)).thenReturn(lockClient);
 
     when(lockClient.tryLock(LockMessaging.HoldType.READ)).thenReturn(true);

clustered/ehcache-common-api/src/main/java/org/ehcache/clustered/common/internal/store/ValueWrapper.java

@@ -25,7 +25,6 @@
 /**
  * ValueWrapper
  */
-@SuppressFBWarnings("EI_EXPOSE_REP")
 public class ValueWrapper implements Serializable {
 
   private static final long serialVersionUID = -4794738044295644587L;

clustered/integration-test/build.gradle

@@ -92,6 +92,15 @@ configurations.all {
         .because('CVE-2020-15250')
         .with(module('junit:junit:4.13.1'))
     }
+    eachDependency { details ->
+      if (details.requested.group == 'ch.qos.logback' &&
+        (details.requested.name == 'logback-classic' || details.requested.name == 'logback-core')) {
+        def enforcedLogbackVersion = project.property('logbackVersion').toString()
+        if (!details.requested.version || details.requested.version < enforcedLogbackVersion) {
+          details.useVersion enforcedLogbackVersion
+          details.because 'Force logback >= ' + enforcedLogbackVersion
+        }
+      }
+    }
   }
 }
-

clustered/osgi-test/build.gradle

@@ -65,8 +65,10 @@ configurations.all {
       substitute(module('org.ops4j.pax.url:pax-url-link:2.6.8'))
         .using(module('org.ops4j.pax.url:pax-url-link:2.6.11'))
       substitute(module('org.ops4j.pax.url:pax-url-aether:2.6.8'))
-      //  the 2 line has CVE-2025-48924 which is preventing build
-        .using(module('org.ops4j.pax.url:pax-url-aether:3.0.1'))
+        .using(module('org.ops4j.pax.url:pax-url-aether:3.0.2'))
+      substitute(module('org.apache.commons:commons-lang3:3.12.0'))
+        .using(module('org.apache.commons:commons-lang3:3.18.0'))
+        .because('CVE-2025-48924')
       substitute(module('org.osgi:org.osgi.util.function:1.1.0'))
         .using(module('org.osgi:org.osgi.util.function:1.2.0'))
         .because('Dependency divergence in org.osgi:org.osgi.util.promise:1.2.0')

config/checkstyle.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE module PUBLIC
-    "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-    "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+  "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+  "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
 <module name="Checker">
   <property name="charset" value="UTF-8"/>
 
@@ -22,14 +22,23 @@
   <module name="Header">
     <property name="headerFile" value="${rootDir}/config/java.header"/>
     <property name="fileExtensions" value="java"/>
+    <!-- Allow Checkstyle to skip the IBM line so the regex check below can enforce it -->
+    <property name="ignoreLines" value="3"/>
+  </module>
+
+  <!-- Allow both 2025 and later IBM copyright lines -->
+  <module name="RegexpSingleline">
+    <property name="format" value="^ \\* Copyright IBM Corp\\. 2024, 202[5-9]$"/>
+    <property name="message" value="IBM copyright line must use 2024, 2025 or later"/>
+    <property name="fileExtensions" value="java"/>
   </module>
 
   <module name="SuppressionFilter">
     <property name="file" value="${projectDir}/config/checkstyle-suppressions.xml"/>
   </module>
 
   <module name="TreeWalker">
-      <!-- Allow suppression tags in the code e.g. CSOFF: AvoidStaticImport -->
+    <!-- Allow suppression tags in the code e.g. CSOFF: AvoidStaticImport -->
     <module name="SuppressionCommentFilter">
       <property name="offCommentFormat" value="CSOFF\: ([\w\|]+)"/>
       <property name="onCommentFormat" value="CSON\: ([\w\|]+)"/>

core-spi-test/src/main/java/org/ehcache/internal/store/SPIStoreTester.java

@@ -18,6 +18,8 @@
 package org.ehcache.internal.store;
 
 import org.ehcache.core.spi.store.Store;
+import org.ehcache.spi.resilience.StoreAccessException;
+import org.ehcache.spi.test.LegalSPITesterException;
 import org.ehcache.spi.test.SPITester;
 
 /**
@@ -30,10 +32,39 @@
 
 public class SPIStoreTester<K, V> extends SPITester {
 
+  protected static final String SPI_WARNING = "Warning, an exception is thrown due to the SPI test";
+
   protected final StoreFactory<K,V> factory;
 
   public SPIStoreTester(final StoreFactory<K,V> factory) {
     this.factory = factory;
   }
 
+  @FunctionalInterface
+  protected interface StoreRunnable {
+    void run() throws StoreAccessException;
+  }
+
+  protected <T extends Throwable> T expectException(Class<T> expected, StoreRunnable action)
+      throws LegalSPITesterException {
+    try {
+      action.run();
+    } catch (Throwable throwable) {
+      if (expected.isInstance(throwable)) {
+        return expected.cast(throwable);
+      }
+      if (throwable instanceof StoreAccessException) {
+        throw new LegalSPITesterException(SPI_WARNING, throwable);
+      }
+      if (throwable instanceof RuntimeException) {
+        throw (RuntimeException) throwable;
+      }
+      if (throwable instanceof Error) {
+        throw (Error) throwable;
+      }
+      throw new AssertionError("Unexpected checked exception", throwable);
+    }
+    throw new AssertionError("Expected " + expected.getSimpleName() + " to be thrown");
+  }
+
 }

core-spi-test/src/main/java/org/ehcache/internal/store/StoreContainsKeyTest.java

@@ -73,14 +73,7 @@ public void nullKeyThrowsException()
 
     K key = null;
 
-    try {
-      kvStore.containsKey(key);
-      throw new AssertionError("Expected NullPointerException because the key is null");
-    } catch (NullPointerException e) {
-      // expected
-    } catch (StoreAccessException e) {
-      throw new LegalSPITesterException("Warning, an exception is thrown due to the SPI test");
-    }
+    expectException(NullPointerException.class, () -> kvStore.containsKey(key));
   }
 
   @SPITest