This is an automated email from the ASF dual-hosted git repository.

paulk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/groovy.git


The following commit(s) were added to refs/heads/master by this push:
     new 2f56a6e3f4 GROOVY-11528: Bump cyclonedx-gradle-plugin to 1.10.0 (plus 
fix some vulnerability warnings)
2f56a6e3f4 is described below

commit 2f56a6e3f4a63151f3fc6bd73748abecff1cd694
Author: Paul King <[email protected]>
AuthorDate: Tue Dec 3 19:41:42 2024 +1000

    GROOVY-11528: Bump cyclonedx-gradle-plugin to 1.10.0
    (plus fix some vulnerability warnings)
---
 build.gradle                     |  6 ++++
 gradle/verification-metadata.xml | 67 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)

diff --git a/build.gradle b/build.gradle
index 2a4baa5027..f3158d0e80 100644
--- a/build.gradle
+++ b/build.gradle
@@ -135,7 +135,13 @@ dependencies {
     testFixturesImplementation "xmlunit:xmlunit:${versions.xmlunit}"
 
     tools "com.eed3si9n.jarjar:jarjar:${versions.jarjar}"
+    tools "org.apache.ant:ant:1.10.11" // updated jarjar dependency to remove 
vulnerability
     tools "org.jboss.bridger:bridger:${versions.bridger}"
+    tools "org.codehaus.plexus:plexus-utils:3.0.24" // updated bridger 
dependency to remove vulnerability
+    tools "org.apache.maven:maven-core:3.9.9" // updated bridger dependency to 
remove vulnerability
+    tools "com.jcraft:jsch:0.1.54" // updated bridger dependency to remove 
vulnerability
+    tools "commons-io:commons-io:2.16.1" // updated bridger dependency to 
remove vulnerability
+    tools "org.apache.maven.shared:maven-shared-utils:3.4.2" // updated 
bridger dependency to remove vulnerability
     tools "org.ow2.asm:asm:${versions.asm}"
     tools "com.thoughtworks.qdox:qdox:${versions.qdox}"
 
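Review bot: The six added `tools` lines declare ant, plexus-utils, maven-core, jsch, commons-io and maven-shared-utils as direct dependencies with literal versions, while the neighbouring entries take theirs from `versions.*`. If the aim is only to raise what jarjar and bridger pull in transitively, a `constraints { }` block does that without keeping the artifacts on the `tools` classpath should the parent later drop them. The trailing comments say "to remove vulnerability" but name neither the advisory nor the fixed version, so a later reader cannot tell whether, for example, `plexus-utils:3.0.24` or `jsch:0.1.54` is a minimum fix or is itself open to newer reports; a `because` reason carrying the advisory id would record that. The `dependencies` block starts and ends outside this hunk.

```groovy
    tools "com.eed3si9n.jarjar:jarjar:${versions.jarjar}"
    tools "org.jboss.bridger:bridger:${versions.bridger}"
    // … unchanged: asm and qdox tools entries …
    constraints {
        // <ADVISORY-ID> is a placeholder: fill in the id reported by the scanner
        tools("org.apache.ant:ant:1.10.11") { because "jarjar transitive, <ADVISORY-ID>" }
        tools("org.codehaus.plexus:plexus-utils:3.0.24") { because "bridger transitive, <ADVISORY-ID>" }
        tools("org.apache.maven:maven-core:3.9.9") { because "bridger transitive, <ADVISORY-ID>" }
        tools("com.jcraft:jsch:0.1.54") { because "bridger transitive, <ADVISORY-ID>" }
        tools("commons-io:commons-io:2.16.1") { because "bridger transitive, <ADVISORY-ID>" }
        tools("org.apache.maven.shared:maven-shared-utils:3.4.2") { because "bridger transitive, <ADVISORY-ID>" }
    }
```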
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 95702a4e93..44d9aa0702 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -42,6 +42,7 @@
       <verify-metadata>false</verify-metadata>
       <verify-signatures>true</verify-signatures>
       <ignored-keys>
+         <ignored-key id="0374CF2E8DD1BDFD" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="0F13D5631D6AF36D" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="164779204E106A76" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="1A2A1C94BDE89688" reason="Key couldn't be downloaded 
from any key server"/>
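Review bot: The added `ignored-key` entry for `0374CF2E8DD1BDFD` sits in the global `<ignored-keys>` list, so it applies to every artifact signed with that key rather than to the one whose signature could not be checked; the same holds for `BF935C771A8474F8` in the next hunk. Neither entry records which dependency needed it, and "couldn't be downloaded from any key server" is often a transient condition. Consider retrying the key fetch first. If it still fails, scope the ignore to the affected module with an `<ignored-keys>` element inside that `<artifact>` and name the module in `reason`.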
@@ -89,6 +90,7 @@
          <ignored-key id="B5AD94BDD6BDB924" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="BCF4173966770193" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="BD17A565509DEE20" reason="Key couldn't be downloaded 
from any key server"/>
+         <ignored-key id="BF935C771A8474F8" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="C038787776A19D18" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="C6FC46EB51CF569C" reason="Key couldn't be downloaded 
from any key server"/>
          <ignored-key id="C71FB765CD9DE313" reason="Key couldn't be downloaded 
from any key server"/>
@@ -144,6 +146,7 @@
             <trusting group="ch.qos.logback"/>
             <trusting group="org.slf4j"/>
          </trusted-key>
+         <trusted-key id="6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688" 
group="org.apache.maven.resolver"/>
          <trusted-key id="6BFAB2E3C6490B421B25C76C9C8C892F91F8E6D1" 
group="org.apache.rat"/>
          <trusted-key id="6DE9B8077FBB2F8A019F4904BD17A565509DEE20" 
group="com.github.javaparser"/>
          <trusted-key id="6F538074CCEBF35F28AF9B066A0975F8B1127B83" 
group="org.jetbrains.kotlin"/>
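Review bot: The new `trusted-key` `6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688` ends in `1A2A1C94BDE89688`, which the first hunk of this file already shows under `<ignored-keys>` with the reason that the key could not be downloaded. The same key is therefore both globally ignored and trusted for `org.apache.maven.resolver`, and the file does not make clear which of the two takes effect. If the key is now retrievable, dropping the stale `ignored-key` entry would make the signature check unambiguous. The existing `6DE9B8077FBB2F8A019F4904BD17A565509DEE20` entry for `com.github.javaparser` in this hunk shows the same overlap with the ignored `BD17A565509DEE20`.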
@@ -160,6 +163,10 @@
          <trusted-key id="AA417737BD805456DB3CBDDE6601E5C08DCCBB96" 
group="info.picocli" name="picocli"/>
          <trusted-key id="AAAA9D3F580C7223DBD1FF425746EE07D997DDB6" 
group="net.jqwik"/>
          <trusted-key id="AD296CA014321485EB6780FF8B8E0CB0F6A7657E" 
group="org.asciidoctor"/>
+         <trusted-key id="B02137D875D833D9B23392ECAE5A7FB608A0221C">
+            <trusting group="org.apache.maven"/>
+            <trusting group="org.codehaus.plexus"/>
+         </trusted-key>
          <trusted-key id="B6E73D84EA4FCC47166087253FAAD2CD5ECBB314">
             <trusting group="commons-cli"/>
             <trusting group="org.apache.commons"/>
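Review bot: Key `B02137D875D833D9B23392ECAE5A7FB608A0221C` is trusted for the whole `org.apache.maven` and `org.codehaus.plexus` groups, so any artifact in either group signed with it passes verification, including modules this change does not need. The picocli entry at the top of the hunk narrows trust with `name="picocli"`; if only a few modules are signed by this key, per-module `<trusting group="…" name="…"/>` entries would keep the trust surface smaller. The `trusted-key` list continues outside the hunk.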
@@ -233,6 +240,11 @@
             <sha512 
value="5d1c94fa87cfcd116539b49828656d5ba43c4eb342ccaab149cf891c95bc598b427d7210a43f3f0e9c788cd2b1f281b94b9c159d7c6a239d56c7df82f06ca459"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="classworlds" name="classworlds" version="1.1-alpha-2">
+         <artifact name="classworlds-1.1-alpha-2.jar">
+            <sha512 
value="eb7752c709ec703764de895099661df36536ff4bd2380bd68726d0cdb40bd27c8cf775ee98fd2ce7b3cfbd07b100c782513d964a2c9c82f33c56909212e5b8cd"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
+         </artifact>
+      </component>
       <component group="com.beust" name="jcommander" version="1.82">
          <artifact name="jcommander-1.82.jar">
             <pgp value="C70B844F002F21F6D2B9C87522E44AC0622B91C3"/>
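Review bot: `classworlds-1.1-alpha-2.jar` is pinned only by a `sha512` marked "Generated by Gradle", which records whatever bytes were downloaded on the machine that regenerated the file; nothing in the commit shows the value was compared with an independent source. The same applies to `error_prone_annotations-2.1.3.jar` and `plexus-sec-dispatcher-1.4.jar` in later hunks, whose reason "A key couldn't be downloaded" suggests they are signed and could carry a `<pgp>` entry once the key is fetched. Checking these three digests against the repository's published checksums before merging, and retrying the key download for the latter two, would close that gap.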
@@ -361,6 +373,11 @@
             <sha512 
value="5741bcdf5c2d54daa53a60972d61d0fb3acb68a31ab4a913832de71c47b4abd59b85e760a335d7efde55d4e309824839b09f9224a43c124bd54c634a87a9b7f7"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="com.google.errorprone" name="error_prone_annotations" 
version="2.1.3">
+         <artifact name="error_prone_annotations-2.1.3.jar">
+            <sha512 
value="bd2135cc9eb2c652658a2814ec9c565fa3e071d4cff590cbe17b853885c78c9f84c1b7b24ba736f4f30ed8cec60a6af983827fcbed61ff142f27ac808e97fc6b"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
+         </artifact>
+      </component>
       <component group="com.google.errorprone" name="error_prone_annotations" 
version="2.27.0">
          <artifact name="error_prone_annotations-2.27.0.jar">
             <sha512 
value="479f3c5e25a7ccd90adf70a9b1a71bae18205681ce966618b2ba28aea1b10c087b10ca7172e7b34384901b5e8d2dd009f1cdcbcd2a01be55082d276245de0a35"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
@@ -376,12 +393,27 @@
             <pgp value="694621A7227D8D5289699830ABE9F3126BB741C1"/>
          </artifact>
       </component>
+      <component group="com.google.guava" name="guava" version="25.1-android">
+         <artifact name="guava-25.1-android.jar">
+            <pgp value="694621A7227D8D5289699830ABE9F3126BB741C1"/>
+         </artifact>
+      </component>
+      <component group="com.google.inject" name="guice" version="4.2.1">
+         <artifact name="guice-4.2.1-no_aop.jar">
+            <pgp value="1616273079FE63E31C938F10F0DF21D1D0A3C384"/>
+         </artifact>
+      </component>
       <component group="com.google.inject" name="guice" version="5.1.0">
          <artifact name="guice-5.1.0.jar">
             <pgp value="D5F46BC0B86AF5DC56DF58F05E975CB00C643DBF"/>
             <sha512 
value="b9c7a9b815d9ce387ebf6d58a71541da1be3cb8d847358133dc1f35ca45315bb9db11c13f3238adb643670759a58fd106247039f42c10759374a9b361c62e99e"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
          </artifact>
       </component>
+      <component group="com.google.j2objc" name="j2objc-annotations" 
version="1.1">
+         <artifact name="j2objc-annotations-1.1.jar">
+            <pgp value="B801E2F8EF035068EC1139CC29579F18FA8FD93B"/>
+         </artifact>
+      </component>
       <component group="com.google.j2objc" name="j2objc-annotations" 
version="2.8">
          <artifact name="j2objc-annotations-2.8.jar">
             <pgp value="EB1B3DE71713C9EC2E87CC26EE92349AD86DE446"/>
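Review bot: The entries added here show that resolution now includes `guava-25.1-android`, `guice-4.2.1-no_aop` and `j2objc-annotations-1.1` next to the newer `guice 5.1.0` and `j2objc-annotations 2.8` already in the file. For a commit meant to clear vulnerability warnings, it is worth confirming which configuration pulls in these older releases (presumably a transitive of one of the newly pinned `tools` dependencies or of the plugin bump) and whether the scanner flags them. If the older versions are not required, a version constraint aligning them with the newer ones would also avoid verifying two releases of the same module.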
@@ -419,6 +451,11 @@
             <sha512 
value="3f205ad4e7b8dd11c48d3c9203128e37e432b92b90e6052545d34ce6b602374d81840b64e3cca41fe3bcb5c7ab1053e587b1b940d11d486f5aa72380ebf7d6e5"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="com.jcraft" name="jsch" version="0.1.54">
+         <artifact name="jsch-0.1.54.jar">
+            <pgp value="34D6FF19930ADF43AC127792A50569C7CA7FA1F0"/>
+         </artifact>
+      </component>
       <component group="com.networknt" name="json-schema-validator" 
version="1.5.1">
          <artifact name="json-schema-validator-1.5.1.jar">
             <pgp value="AEB1E1AEC035C66FA39589D13EFC46EE83C40224"/>
@@ -960,6 +997,11 @@
             <sha512 
value="fb10c3c089921c8173ad285329f730e0e78de175d1b50b9bdd79c6a85a265af9b3331caa0c1ed57e5f47047319ce3b0f3bb5def0a3db9cccf2755cc95e145e52"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
          </artifact>
       </component>
+      <component group="org.checkerframework" name="checker-compat-qual" 
version="2.0.0">
+         <artifact name="checker-compat-qual-2.0.0.jar">
+            <pgp value="19BEAB2D799C020F17C69126B16698A4ADF4D638"/>
+         </artifact>
+      </component>
       <component group="org.codehaus.gpars" name="gpars" version="1.2.1">
          <artifact name="gpars-1.2.1.jar">
             <sha512 
value="b9583f7923425ffa2df6b986374325b926385f1f6dd0468333253ed71461b7d150c5f3ad905266558c63dcf113defb42ce8c83ad728e1efa87f622a5a6d235f9"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
@@ -981,6 +1023,11 @@
             <sha512 
value="97cd6cae44621166813e70d0b896592a271e7541373fb6b9be9a2a0f4628b7c043880f56457ebf6fb749ffa2cf707c05de2238a6b2adf35b156786794a1e3acf"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="org.codehaus.mojo" name="animal-sniffer-annotations" 
version="1.14">
+         <artifact name="animal-sniffer-annotations-1.14.jar">
+            <pgp value="82F833963889D7ED06F1E4DC6525FD70CC303655"/>
+         </artifact>
+      </component>
       <component group="org.codehaus.plexus" name="plexus-cipher" 
version="2.0">
          <artifact name="plexus-cipher-2.0.jar">
             <pgp value="6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688"/>
@@ -1023,6 +1070,11 @@
             <sha512 
value="ea40c155850aef3fb0e4392df3f5cba9e3331b68e54f462a7bf6f3a5cc29caa754f781b2e9df5a2b56a1dea71b5a616a9825ecd112fe31b5e763b7de01489c86"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="org.codehaus.plexus" name="plexus-interpolation" 
version="1.25">
+         <artifact name="plexus-interpolation-1.25.jar">
+            <pgp value="250EC75D1D52E967CE132C548B0378A57CD8E243"/>
+         </artifact>
+      </component>
       <component group="org.codehaus.plexus" name="plexus-interpolation" 
version="1.27">
          <artifact name="plexus-interpolation-1.27.jar">
             <sha512 
value="34ae1399e75560d6aec6743ce37e10d2236342ec58145c3fdd7b03340f4ed3ef500f824c845d452dbb8c3f14d118c855707de4a080074fa572daf7ccfef4dddf"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
@@ -1294,6 +1346,11 @@
             <pgp value="475F3B8E59E6E63AA78067482C7B12F2A511E325"/>
          </artifact>
       </component>
+      <component group="org.slf4j" name="slf4j-api" version="1.7.36">
+         <artifact name="slf4j-api-1.7.36.jar">
+            <pgp value="475F3B8E59E6E63AA78067482C7B12F2A511E325"/>
+         </artifact>
+      </component>
       <component group="org.slf4j" name="slf4j-api" version="2.0.13">
          <artifact name="slf4j-api-2.0.13.jar">
             <sha512 
value="b4eeb5757118e264ec7f107d879270784357380d6f53471b7874dd7e0166fdf5686a95eb66bab867abbe9536da032ab052e207165211391c293cbf6178431fb6"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
@@ -1365,6 +1422,16 @@
             <sha512 
value="62efa617e564958a2b427acc4fcd6b8ad407620857774827222840bbd0d349e96deceb20925a29cce3933306bdbed01abebf9b80f050d43830ce44cb86a40c23"
 origin="Generated by Gradle" reason="Artifact is not signed"/>
          </artifact>
       </component>
+      <component group="org.sonatype.plexus" name="plexus-cipher" 
version="1.4">
+         <artifact name="plexus-cipher-1.4.jar">
+            <pgp value="9FFED7A118D45A44E4A1E47130E6F80434A72A7F"/>
+         </artifact>
+      </component>
+      <component group="org.sonatype.plexus" name="plexus-sec-dispatcher" 
version="1.4">
+         <artifact name="plexus-sec-dispatcher-1.4.jar">
+            <sha512 
value="5b947edcb05a1c17648ec9fe53dd2c66b4a86dd2b950d989255f6edd636fd5d50d18b8f31b3a1736dadd9cff6790a3d0355f2ed896c3eb7f72e009199fe9957d"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
+         </artifact>
+      </component>
       <component group="org.spockframework" name="spock-core" 
version="2.3-groovy-4.0">
          <artifact name="spock-core-2.3-groovy-4.0.jar">
             <sha512 
value="67a718b2da6fdc3f64e65e68fa789047b3fe7eb66147b4865e311e4bdf68f821dd6c290261f1db9d9ab0ee3505853bfe5772b94c6c2ca364896c6fc6cc92cedb"
 origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
