🐛 Fix cross build not actually running with sbt 1.2.8 (#238)

* 🐛 Fix cross build not actually running with sbt 1.2.8 and add test case in CI pipeline
* Ignore H2 vulnerabilities, as they are not relevant. H2 will be updated in dc-core v7.0.0

Author: albuch

.github/workflows/ci.yml

@@ -18,7 +18,7 @@ jobs:
           - java: 11
             sbt: "1.2.8"
           - java: 11
-            sbt: "1.5.5"
+            sbt: "1.6.2"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -29,6 +29,18 @@ jobs:
           java-version: "adopt@1.${{ matrix.java }}"
       - name: Coursier cache
         uses: coursier/cache-action@v6
+      - name: Publish Local
+        run: sbt -v -Dfile.encoding=UTF-8 "^ publishLocal"
+      - name: Get plugin version
+        run: |
+          PLUGIN_VERSION=$(sbt -Dsbt.ci=true -Dsbt.supershell=false -Dsbt.color=false -Dsbt.log.noformat=true -error "print version")
+          echo ${PLUGIN_VERSION}
+          echo "PLUGIN_VERSION=${PLUGIN_VERSION}" >> $GITHUB_ENV
+      - name: Test example project for current snapshot
+        run: |
+          echo "sbt.version=${{ matrix.sbt }}" > ./project/build.properties
+          sbt -v -Dfile.encoding=UTF-8 -Dplugin.version="${{ env.PLUGIN_VERSION }}" version
+        working-directory: ./testProject
       - name: Build and Test
         run: sbt -v -Dfile.encoding=UTF-8 "^^ ${{ matrix.sbt }}" clean test scripted
       - name: DependencyCheck

build.sbt

@@ -1,4 +1,4 @@
-import sbt.{Project, _}
+import sbt.{Global, Project, _}
 import sbtrelease.ReleasePlugin.autoImport.ReleaseTransformations._
 import sbtrelease.ReleasePlugin.autoImport._
 import sbtrelease.ReleaseStateTransformations.setNextVersion
@@ -16,19 +16,18 @@ val sbtDependencyCheck = (project in file("."))
 		),
 		sbtPlugin := true,
 		dependencyUpdatesFilter -= moduleFilter(organization = "org.scala-lang") | moduleFilter(organization = "org.scala-sbt"),
-		dependencyUpdatesFailBuild := true
+		dependencyUpdatesFailBuild := true,
+		crossSbtVersions := Vector("1.2.8"),
+		scriptedLaunchOpts ++= Seq("-Xmx1024M", "-Dplugin.version=" + version.value),
+		scriptedBufferLog := false
 	)
 
 
-ThisBuild / crossSbtVersions .withRank(KeyRanks.Invisible) := Vector("1.2.8")
-
 ThisBuild / dependencyCheckFailBuildOnCVSS := 11
 ThisBuild / dependencyCheckSkipProvidedScope := true
 ThisBuild / dependencyCheckFormat := "ALL"
 ThisBuild / dependencyCheckSuppressionFiles := Seq(new File("dependency-check-suppressions.xml"))
 
-Global / scriptedLaunchOpts ++= Seq("-Xmx1024M", "-Dplugin.version=" + version.value)
-Global / scriptedBufferLog := false
 
 ThisBuild / publishTo := sonatypePublishToBundle.value
 ThisBuild / publishMavenStyle .withRank(KeyRanks.Invisible) := true

dependency-check-suppressions.xml

@@ -1,17 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-   file name: slf4j-simple-1.7.25.jar
+   file name: h2-1.4.199.jar
    ]]></notes>
-        <gav regex="true">^org\.slf4j:slf4j-(?:simple|api):.*$</gav>
-        <cve>CVE-2018-8088</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: javax.json-1.0.4.jar
-   ]]></notes>
-        <gav regex="true">^org\.glassfish:javax\.json:.*$</gav>
-        <cve>CVE-2018-1000840</cve>
+        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
+        <cve>CVE-2021-23463</cve>
+        <cve>CVE-2021-42392</cve>
+        <cve>CVE-2022-23221</cve>
+        <vulnerabilityName>CWE-94: Improper Control of Generation of Code ('Code Injection')</vulnerabilityName>
     </suppress>
 </suppressions>

testProject/build.sbt

@@ -0,0 +1,5 @@
+version := "0.1"
+lazy val root = project in file(".")
+scalaVersion := "2.12.15"
+
+resolvers += Resolver.mavenLocal

testProject/project/plugins.sbt

@@ -0,0 +1,6 @@
+sys.props.get("plugin.version") match {
+  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
+  case _ => sys.error(
+    """|The system property 'plugin.version' is not defined.
+       |Specify this property using the sbt parameter -D.""".stripMargin)
+}