upgrade dependency-check (vulnerability scanner)

.github/workflows/codacy.yml

@@ -25,8 +25,13 @@ jobs:
           output: results.sarif
           gh-code-scanning-compat: true
           max-allowed-issues: 2147483647
+      - name: Check file existence
+        id: check_files
+        uses: andstor/file-existence-action@v2
+        with:
+          files: results.sarif
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
-        continue-on-error: true
+        if: steps.check_files.outputs.files_exists == 'true'
         with:
           sarif_file: results.sarif

.github/workflows/dependency-check.yml

@@ -30,8 +30,13 @@ jobs:
         with:
           java: ${{ env.JAVA_VERSION }}
           arguments: dependencyCheckAggregate
+      - name: Check file existence
+        id: check_files
+        uses: andstor/file-existence-action@v2
+        with:
+          files: build/reports/dependency-check-report.sarif
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
-        continue-on-error: true
+        if: steps.check_files.outputs.files_exists == 'true'
         with:
           sarif_file: build/reports/dependency-check-report.sarif

.github/workflows/semgrep.yml

@@ -29,9 +29,13 @@ jobs:
             p/github-actions
             p/semgrep-rule-lints
             p/semgrep-misconfigurations
+      - name: Check file existence
+        id: check_files
+        uses: andstor/file-existence-action@v2
+        with:
+          files: semgrep.sarif
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
         uses: github/codeql-action/upload-sarif@v2
-        continue-on-error: true
+        if: steps.check_files.outputs.files_exists == 'true'
         with:
           sarif_file: semgrep.sarif
-        if: always()

.github/workflows/snyke.yml → .github/workflows/snyk.yml

@@ -1,4 +1,4 @@
-name: snyke
+name: snyk
 on:
   push:
     branches: [master, v2.dev, v3.dev]
@@ -10,7 +10,7 @@ env:
   JAVA_VERSION: 19
 
 jobs:
-  snyke:
+  snyk:
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -25,20 +25,30 @@ jobs:
           disable-sudo: true
           egress-policy: audit
       - uses: actions/checkout@v3
+      - name: Downgrade Gradle (snyk-gradle-plugin/issues/252)
+        uses: ./.github/actions/run-gradle
+        with:
+          java: ${{ env.JAVA_VERSION }}
+          arguments: wrapper --gradle-version 7.6
       - name: Run Snyk test
         uses: ./.github/actions/run-gradle
         continue-on-error: true
         with:
           java: ${{ env.JAVA_VERSION }}
-          arguments: snyk-test -PsnykArgs="--sarif-file-output=snyk.sarif"
+          arguments: snyk-test -PsnykArgs="--sarif-file-output=snyk.sarif" --no-configuration-cache
+      - name: Check file existence
+        id: check_files
+        uses: andstor/file-existence-action@v2
+        with:
+          files: snyk.sarif
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
-        continue-on-error: true
+        if: steps.check_files.outputs.files_exists == 'true'
         with:
           sarif_file: snyk.sarif
       - name: Run Snyk monitor
         uses: ./.github/actions/run-gradle
         continue-on-error: true
         with:
           java: ${{ env.JAVA_VERSION }}
-          arguments: snyk-monitor
+          arguments: snyk-monitor --no-configuration-cache

build.gradle

@@ -144,7 +144,9 @@ tasks.named('dependencyUpdates').configure {
 }
 
 dependencyCheck {
-  formats = ['html', 'sarif']
+  formats = ['html', 'sarif']*.toUpperCase()
+  scanBuildEnv = true
+  failOnError = false
 }
 dependencyCheckAggregate.dependsOn(subprojects*.tasks.jar)
 
@@ -154,3 +156,11 @@ snyk {
   autoDownload = true
   autoUpdate = true
 }
+tasks.named('snyk-test').configure {
+  notCompatibleWithConfigurationCache(
+    'The snyk-test task is not compatible with the configuration cache')
+}
+tasks.named('snyk-monitor').configure {
+  notCompatibleWithConfigurationCache(
+    'The snyk-monitor task is not compatible with the configuration cache')
+}

gradle/dependencies.gradle

@@ -37,15 +37,15 @@ ext {
     config: '1.4.2',
     ehcache3: '3.10.8',
     errorprone: '2.18.0',
-    errorproneSupport: '0.7.0',
+    errorproneSupport: '0.8.0',
     expiringMap: '0.5.10',
     fastfilter: '1.0.2',
     fastutil: '8.5.11',
     flipTables: '1.1.0',
     googleJavaFormat: '1.15.0',
     guava: '31.1-jre',
     hazelcast: '5.2.1',
-    jackrabbit: '1.46.0',
+    jackrabbit: '1.48.0',
     jamm: '0.3.3',
     javaObjectLayout: '0.16',
     javapoet: '1.13.0',
@@ -57,7 +57,7 @@ ext {
     nullaway: '0.10.8',
     ohc: '0.6.1',
     osgiComponentAnnotations: '1.5.1',
-    picocli: '4.7.0',
+    picocli: '4.7.1',
     slf4j: '2.0.6',
     tcache: '2.0.1',
     stream: '2.9.8',
@@ -71,7 +71,7 @@ ext {
     commonsCollectionsTests: '4.4',
     eclipseCollections: '11.1.0',
     felix: '7.0.5',
-    felixScr: '2.2.4',
+    felixScr: '2.2.6',
     guice: '5.1.0',
     hamcrest: '2.2',
     jcacheTck: '1.1.1',
@@ -92,7 +92,7 @@ ext {
     bnd: '6.4.0',
     checkstyle: '10.6.0',
     coveralls: '2.12.0',
-    dependencyCheck: '7.4.4',
+    dependencyCheck: '8.0.2',
     errorprone: '3.0.1',
     findsecbugs: '1.12.0',
     forbiddenApis: '3.4',
@@ -101,9 +101,9 @@ ext {
     jmhReport: '0.9.0',
     nexusPublish: '1.1.0',
     nullaway: '1.5.0',
-    pmd: '6.53.0',
+    pmd: '6.54.0',
     semanticVersioning: '1.1.0',
-    snyke: '0.4',
+    snyk: '0.4',
     sonarqube: '3.5.0.2730',
     spotbugs: '4.7.3',
     spotbugsContrib: '7.4.7',
@@ -239,7 +239,7 @@ ext {
     nullaway: "net.ltgt.gradle:gradle-nullaway-plugin:${pluginVersions.nullaway}",
     pmd: "net.sourceforge.pmd:pmd:${pluginVersions.pmd}",
     semanticVersioning: "io.ehdev:gradle-semantic-versioning:${pluginVersions.semanticVersioning}",
-    snyke: "gradle.plugin.io.snyk.gradle.plugin:snyk:${pluginVersions.snyke}",
+    snyk: "gradle.plugin.io.snyk.gradle.plugin:snyk:${pluginVersions.snyk}",
     sonarqube: "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:${pluginVersions.sonarqube}",
     spotbugs: "com.github.spotbugs:spotbugs:${pluginVersions.spotbugs}",
     spotbugsContrib: "com.mebigfatguy.sb-contrib:sb-contrib:${pluginVersions.spotbugsContrib}",
@@ -261,6 +261,7 @@ ext {
     'com.fasterxml.jackson:jackson-bom': '2.14.1',
     'com.google.protobuf:protobuf-java': '3.21.8',
     'com.thoughtworks.xstream:xstream': '1.4.20',
+    'net.sourceforge.nekohtml:nekohtml': '1.9.22',
     'org.apache.bcel:bcel': '6.6.1',
     'org.apache.commons:commons-text': '1.10.0',
     'org.apache.httpcomponents:httpclient': '4.5.13',

gradle/wrapper/gradle-wrapper.properties

@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-rc-1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-rc-2-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME