This is an automated email from the ASF dual-hosted git repository.

zabetak pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/calcite.git


The following commit(s) were added to refs/heads/main by this push:
     new c1550dedec [CALCITE-7561] Upgrade OWASP plugin from 6.1.6 to 12.2.2
c1550dedec is described below

commit c1550dedec6693c01a99d1d2a4a83ff56f6711e4
Author: Stamatis Zampetakis <[email protected]>
AuthorDate: Wed May 27 17:45:30 2026 +0200

    [CALCITE-7561] Upgrade OWASP plugin from 6.1.6 to 12.2.2
    
    Due to NVD API changes the old versions of the plugin are unusuable and 
upgrade to 12.2.2 is mandatory.
    New versions require JDK11+ so the plugin is no longer active when older 
versions are used.
---
 build.gradle.kts    |  4 +++-
 gradle.properties   |  2 +-
 settings.gradle.kts |  4 +++-
 site/_docs/howto.md | 11 ++++++-----
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index be7569e17f..a66e7107b4 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -47,7 +47,9 @@
     id("de.thetaphi.forbiddenapis") apply false
     id("net.ltgt.errorprone") apply false
     id("com.github.vlsi.jandex") apply false
-    id("org.owasp.dependencycheck")
+    if (JavaVersion.current() >= JavaVersion.VERSION_11) {
+        id("org.owasp.dependencycheck")
+    }
     id("com.github.johnrengelman.shadow") apply false
     id("org.sonarqube")
     // IDE configuration
diff --git a/gradle.properties b/gradle.properties
index 10e033c123..c874f3ecb2 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -55,7 +55,7 @@ net.ltgt.errorprone.version=1.3.0
 me.champeau.jmh.version=0.7.2
 org.jetbrains.gradle.plugin.idea-ext.version=1.4.1
 org.nosphere.apache.rat.version=0.8.1
-org.owasp.dependencycheck.version=6.1.6
+org.owasp.dependencycheck.version=12.2.2
 org.sonarqube.version=3.5.0.2730
 com.gradle.develocity.version=3.18.2
 com.gradle.common-custom-user-data-gradle-plugin.version=2.0.2
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 67695f630c..fbc3502a7c 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -39,7 +39,9 @@ fun PluginDependenciesSpec.idv(id: String, key: String = id) 
= id(id) version ke
         idv("net.ltgt.errorprone")
         idv("org.jetbrains.gradle.plugin.idea-ext")
         idv("org.nosphere.apache.rat")
-        idv("org.owasp.dependencycheck")
+        if (JavaVersion.current() >= JavaVersion.VERSION_11) {
+            idv("org.owasp.dependencycheck")
+        }
         idv("org.sonarqube")
         kotlin("jvm") version "kotlin".v()
     }
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 6c66d40ccb..9aa5fbf161 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
@@ -728,7 +728,12 @@ ## Making a release candidate
 * Send an email to [[email protected]](mailto:[email protected]) 
notifying that RC build process
   is starting and therefore `main` branch is in code freeze until further 
notice.
 * Set up signing keys as described above.
-* Make sure you are using JDK 8. (Compiling with JDK 21 causes
+* Generate a report of vulnerabilities that occur among dependencies,
+  using `./gradlew dependencyCheckUpdate dependencyCheckAggregate`.
+  Report to [[email protected]](mailto:[email protected])
+  if new critical vulnerabilities are found among dependencies.
+  The task requires a JDK 11 or later so it doesn't appear when using older 
versions.
+* Make sure you are using JDK 8 for all subsequent steps. (Compiling with JDK 
21 causes
   [[CALCITE-6616](https://issues.apache.org/jira/browse/CALCITE-6616)].)
 * Check that `README` and `site/_docs/howto.md` have the correct version 
number.
 * Check that `site/_docs/howto.md` has the correct Gradle version.
@@ -737,10 +742,6 @@ ## Making a release candidate
 * Make sure build and tests succeed
 * Make sure that `./gradlew javadoc` succeeds
   (i.e. gives no errors; warnings are OK)
-* Generate a report of vulnerabilities that occur among dependencies,
-  using `./gradlew dependencyCheckUpdate dependencyCheckAggregate`.
-  Report to [[email protected]](mailto:[email protected])
-  if new critical vulnerabilities are found among dependencies.
 * Decide the supported configurations of JDK, operating system and
   Guava.  These will probably be the same as those described in the
   release notes of the previous release.  Document them in the release

Reply via email to