Update dependencies and add suppressions (#262)

openrewrite · Jan 15, 2024 · abc5cf1 · abc5cf1
1 parent 878e4a6
commit abc5cf1
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 8 deletions.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -22,6 +22,17 @@ allprojects {
         suppressionFile = "suppressions.xml"
         nvd.apiKey = System.getenv("NVD_API_KEY")
     }
+
+    dependencies{
+        modules {
+            module("com.google.guava:listenablefuture") {
+                replacedBy("com.google.guava:guava", "listenablefuture is part of guava")
+            }
+            module("com.google.collections:google-collections") {
+                replacedBy("com.google.guava:guava", "google-collections is part of guava")
+            }
+        }
+    }
 }
 
 nexusPublishing {

diff --git a/metrics/build.gradle.kts b/metrics/build.gradle.kts
@@ -28,6 +28,13 @@ dependencies {
     api("io.micrometer.prometheus:prometheus-rsocket-client:latest.release")
     api("io.rsocket:rsocket-transport-netty:latest.release")
 
+    implementation(platform("io.netty:netty-bom:latest.release"))
+    implementation("io.projectreactor.netty:reactor-netty-core:latest.release")
+    implementation("io.projectreactor.netty:reactor-netty-http:latest.release")
+    implementation("com.google.guava:guava:latest.release")
+
+    runtimeOnly("org.xerial.snappy:snappy-java:latest.release")
+
     testImplementation(localGroovy())
     testImplementation("org.spockframework:spock-core:2.0-groovy-3.0") {
         exclude(group = "org.codehaus.groovy")

diff --git a/plugin/build.gradle.kts b/plugin/build.gradle.kts
@@ -57,9 +57,9 @@ configurations.all {
     resolutionStrategy {
         cacheChangingModulesFor(0, TimeUnit.SECONDS)
         cacheDynamicVersionsFor(0, TimeUnit.SECONDS)
-        if(name.startsWith("test")) {
+        if (name.startsWith("test")) {
             eachDependency {
-                if(requested.name == "groovy-xml") {
+                if (requested.name == "groovy-xml") {
                     useVersion("3.0.9")
                 }
             }
@@ -109,8 +109,12 @@ dependencies {
     "rewriteDependencies"("org.openrewrite:rewrite-maven")
     // Newer versions of checkstyle are compiled with a newer version of Java than is supported with gradle 4.x
     @Suppress("VulnerableLibrariesLocal", "RedundantSuppression")
-    "rewriteDependencies"("com.puppycrawl.tools:checkstyle:9.3")
+    "rewriteDependencies"("com.puppycrawl.tools:checkstyle:9.3") {
+        because("Latest version supporting gradle 4.x")
+    }
     "rewriteDependencies"("com.fasterxml.jackson.module:jackson-module-kotlin:latest.release")
+    "rewriteDependencies"("com.google.guava:guava:latest.release")
+
 
     implementation(platform("org.openrewrite:rewrite-bom:$latest"))
     compileOnly("org.openrewrite:rewrite-core")
@@ -127,8 +131,11 @@ dependencies {
     compileOnly("org.openrewrite:rewrite-yaml")
     compileOnly("org.openrewrite:rewrite-polyglot:$latest")
     @Suppress("VulnerableLibrariesLocal", "RedundantSuppression")
-    compileOnly("com.puppycrawl.tools:checkstyle:9.3")
+    compileOnly("com.puppycrawl.tools:checkstyle:9.3") {
+        because("Latest version supporting gradle 4.x")
+    }
     compileOnly("org.jetbrains.kotlin:kotlin-gradle-plugin:latest.release")
+    compileOnly("com.google.guava:guava:latest.release")
 
     testImplementation(platform("org.junit:junit-bom:latest.release"))
     testImplementation("org.junit.jupiter:junit-jupiter-api")
@@ -137,6 +144,15 @@ dependencies {
     testImplementation("org.openrewrite:rewrite-test")
     testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
     testImplementation("org.assertj:assertj-core:latest.release")
+
+    modules {
+        module("com.google.guava:listenablefuture") {
+            replacedBy("com.google.guava:guava", "listenablefuture is part of guava")
+        }
+        module("com.google.collections:google-collections") {
+            replacedBy("com.google.guava:guava", "google-collections is part of guava")
+        }
+    }
 }
 
 project.rootProject.tasks.getByName("postRelease").dependsOn(project.tasks.getByName("publishPlugins"))
@@ -166,14 +182,14 @@ val gVP = tasks.register("generateVersionsProperties") {
     outputs.file(outputFile)
 
     doLast {
-        if(outputFile.exists()) {
+        if (outputFile.exists()) {
             outputFile.delete()
         } else {
             outputFile.parentFile.mkdirs()
         }
         val resolvedModules = rewriteDependencies.resolvedConfiguration.firstLevelModuleDependencies
         val props = Properties()
-        for(module in resolvedModules) {
+        for (module in resolvedModules) {
             props["${module.moduleGroup}:${module.moduleName}"] = module.moduleVersion
         }
         outputFile.outputStream().use {
@@ -190,7 +206,7 @@ tasks.named<Copy>("processResources") {
 
 tasks.named<Test>("test") {
     systemProperty(
-        "org.openrewrite.test.gradleVersion", project.findProperty("testedGradleVersion") ?: gradle.gradleVersion
+            "org.openrewrite.test.gradleVersion", project.findProperty("testedGradleVersion") ?: gradle.gradleVersion
     )
 }
 

diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -4,7 +4,7 @@ include("plugin")
 include("metrics")
 
 plugins {
-    id("com.gradle.enterprise") version "3.16"
+    id("com.gradle.enterprise") version "3.16.1"
     id("com.gradle.common-custom-user-data-gradle-plugin") version "1.12.1"
 }
 

diff --git a/suppressions.xml b/suppressions.xml
@@ -1,3 +1,44 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2024-02-15">
+        <notes><![CDATA[
+            Already on the latest version
+           file name: rewrite-gradle-8.14.0-SNAPSHOT.jar: gradle-enterprise-gradle-plugin-3.16.1.jar
+           ]]></notes>
+        <sha1>798124c56fab56f879fc734b5928c3dabd9a32fe</sha1>
+        <cpe>cpe:/a:gradle:enterprise</cpe>
+    </suppress>
+    <suppress until="2024-02-15">
+        <notes><![CDATA[
+            Already on the latest version
+           file name: rewrite-gradle-8.14.0-SNAPSHOT.jar: gradle-enterprise-gradle-plugin-3.16.1.jar
+           ]]></notes>
+        <sha1>798124c56fab56f879fc734b5928c3dabd9a32fe</sha1>
+        <cpe>cpe:/a:gradle:gradle</cpe>
+    </suppress>
+    <suppress until="2024-02-15">
+        <notes><![CDATA[
+            Already on the latest version
+           file name: rewrite-gradle-8.14.0-SNAPSHOT.jar: gradle-enterprise-gradle-plugin-3.16.1.jar
+           ]]></notes>
+        <sha1>798124c56fab56f879fc734b5928c3dabd9a32fe</sha1>
+        <cpe>cpe:/a:gradle:gradle_enterprise</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            Shaded dependency in latest version:
+           file name: kotlin-gradle-plugin-2.0.0-Beta2-gradle82.jar (shaded: com.google.guava:guava:31.1-jre)
+           ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-2976</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+    </suppress>
+    <suppress until="2024-12-13Z">
+        <notes><![CDATA[
+            file name: rewrite-core-8.6.0-SNAPSHOT.jar (shaded: org.eclipse.jgit:org.eclipse.jgit:5.13.2.202306221912-r)
+            Not relevant. And we pin to this version to support Java8.
+            ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4759</vulnerabilityName>
+    </suppress>
 </suppressions>