This is an automated email from the ASF dual-hosted git repository.

github-actions[bot] pushed a commit to branch site
in repository https://gitbox.apache.org/repos/asf/calcite.git


The following commit(s) were added to refs/heads/site by this push:
     new 45687effd8 [CALCITE-7561] Upgrade OWASP plugin from 6.1.6 to 12.2.2
45687effd8 is described below

commit 45687effd840caf5a525c2ce5d40e4f6b8e156f7
Author: Stamatis Zampetakis <[email protected]>
AuthorDate: Wed May 27 17:45:30 2026 +0200

    [CALCITE-7561] Upgrade OWASP plugin from 6.1.6 to 12.2.2
    
    Due to NVD API changes the old versions of the plugin are unusuable and 
upgrade to 12.2.2 is mandatory.
    New versions require JDK11+ so the plugin is no longer active when older 
versions are used.
---
 build.gradle.kts    |  4 +++-
 gradle.properties   |  2 +-
 settings.gradle.kts |  4 +++-
 site/_docs/howto.md | 11 ++++++-----
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index d99ca2457c..aac2674fb4 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -47,7 +47,9 @@
     id("de.thetaphi.forbiddenapis") apply false
     id("net.ltgt.errorprone") apply false
     id("com.github.vlsi.jandex") apply false
-    id("org.owasp.dependencycheck")
+    if (JavaVersion.current() >= JavaVersion.VERSION_11) {
+        id("org.owasp.dependencycheck")
+    }
     id("com.github.johnrengelman.shadow") apply false
     id("org.sonarqube")
     // IDE configuration
diff --git a/gradle.properties b/gradle.properties
index ad146ac3a2..d92fa25c14 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -55,7 +55,7 @@ net.ltgt.errorprone.version=1.3.0
 me.champeau.jmh.version=0.7.2
 org.jetbrains.gradle.plugin.idea-ext.version=1.4.1
 org.nosphere.apache.rat.version=0.8.1
-org.owasp.dependencycheck.version=6.1.6
+org.owasp.dependencycheck.version=12.2.2
 org.sonarqube.version=3.5.0.2730
 com.gradle.develocity.version=3.18.2
 com.gradle.common-custom-user-data-gradle-plugin.version=2.0.2
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 67695f630c..fbc3502a7c 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -39,7 +39,9 @@ fun PluginDependenciesSpec.idv(id: String, key: String = id) 
= id(id) version ke
         idv("net.ltgt.errorprone")
         idv("org.jetbrains.gradle.plugin.idea-ext")
         idv("org.nosphere.apache.rat")
-        idv("org.owasp.dependencycheck")
+        if (JavaVersion.current() >= JavaVersion.VERSION_11) {
+            idv("org.owasp.dependencycheck")
+        }
         idv("org.sonarqube")
         kotlin("jvm") version "kotlin".v()
     }
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 6c66d40ccb..9aa5fbf161 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
@@ -728,7 +728,12 @@ ## Making a release candidate
 * Send an email to [[email protected]](mailto:[email protected]) 
notifying that RC build process
   is starting and therefore `main` branch is in code freeze until further 
notice.
 * Set up signing keys as described above.
-* Make sure you are using JDK 8. (Compiling with JDK 21 causes
+* Generate a report of vulnerabilities that occur among dependencies,
+  using `./gradlew dependencyCheckUpdate dependencyCheckAggregate`.
+  Report to [[email protected]](mailto:[email protected])
+  if new critical vulnerabilities are found among dependencies.
+  The task requires a JDK 11 or later so it doesn't appear when using older 
versions.
+* Make sure you are using JDK 8 for all subsequent steps. (Compiling with JDK 
21 causes
   [[CALCITE-6616](https://issues.apache.org/jira/browse/CALCITE-6616)].)
 * Check that `README` and `site/_docs/howto.md` have the correct version 
number.
 * Check that `site/_docs/howto.md` has the correct Gradle version.
@@ -737,10 +742,6 @@ ## Making a release candidate
 * Make sure build and tests succeed
 * Make sure that `./gradlew javadoc` succeeds
   (i.e. gives no errors; warnings are OK)
-* Generate a report of vulnerabilities that occur among dependencies,
-  using `./gradlew dependencyCheckUpdate dependencyCheckAggregate`.
-  Report to [[email protected]](mailto:[email protected])
-  if new critical vulnerabilities are found among dependencies.
 * Decide the supported configurations of JDK, operating system and
   Guava.  These will probably be the same as those described in the
   release notes of the previous release.  Document them in the release

Reply via email to