Hi Simon,

I see that you have configured the Maven Workflow in the xmlgraphics-batik [1] and xmlgraphics-fop-pdf-images [2] repositories to use an obsolete, unsupported JDK, namely Oracle's JDK8u131, released on April 18, 2017.

In particular, Oracle warns [3] that

> *WARNING:* These older versions of the JRE and JDK are provided to help
> developers debug issues in older systems. *They are not updated with the
> latest security patches and are not recommended for use in production.*

What is the rationale for XML Graphics projects to use this JDK, rather than, for example, more recent versions that remain supported, at least with respect to applying security patches?

As we have seen, a number of vulnerabilities in our projects continue to generate CVEs and larger security concerns. We need to take positive steps to counteract and resolve this situation, such as by employing more modern code analysis tools than findbugs, an abandoned project [4]. For example, we should replace findbugs usage with spotbugs [5]. And we should also pursue the use of other tools, such as SonarCloud [6], about which I have already taken some initial steps [7] — but disregard the incomplete coverage KPIs, as I am still in the midst of configuring Jacoco to generate coverage data.

Regards,
Glenn

[1] https://github.com/apache/xmlgraphics-batik/commit/2f9cf78a97edef99405a299f88b49d4ed62c1afa
[2] https://github.com/apache/xmlgraphics-fop-pdf-images/commit/33aa7babf5ebabbfcee4ecc132e36898072bb5c9
[3] https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
[4] https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-November/004321.html
[5] https://github.com/spotbugs/spotbugs
[6] https://docs.sonarcloud.io/
[7] https://sonarcloud.io/organizations/apache/projects?search=xml+graphics
