
Conversation

@chadlwilson
Collaborator

@chadlwilson chadlwilson commented Feb 10, 2026

Description of Change

As discussed in #8275 (comment) this change switches Dependency Check to

  • run Maven and compile using the same "default" JVM (upgraded to Java 11 --> 25)
  • -release target is still Java 11 (as before), ensuring compile-time and bootclasspath compatibility.
  • run all unit, integration and maven release tests against all of Java 11/17/21/25 to ensure runtime compatibility

This should allow us to

  • update build-time plugins to later versions while maintaining confidence on a target Java version
  • better support/replicate issues on newer Java versions rather than only running with the minimum

Additional detail

In order to do this and ensure it is as safe as possible, this change, as a side effect:

Dev Experience

  • everything will work as before when running from CLI or IDE - for convenience, tests and compile will run with the same JVM as Maven
  • Maven is not enforcing running/compiling with a fixed JDK right now; only GitHub Actions controls that
  • running tests with specific JDK versions via Maven toolchains requires opt-in with -Dtoolchain.jdk.test.version (and -Dtoolchain.jdk.test.home for maven integration tests, unfortunately) which activates a Maven profile
  • fixes warnings from both Mockito and ODC's own code when running tests on newer JVM versions

GitHub Actions

  • runs tests in a matrix in parallel
    • for simplicity, each run compiles the code itself rather than consuming artifacts. This could be changed.
    • only the "default" JDK version archives its compiled results/deploys snapshot
  • switches to using setup-java to manage primary maven cache rather than doing manually
  • further aligns build jobs between PR/main/release

Dependencies

  • consolidates nullness annotations on org.jspecify:jspecify similar to other projects (rather than jetbrains annotations)
  • upgrades ancient org.json library to supported variant rather than stale google android fork
  • cleans up exclusions and dependency clashes for transitives that we don't need
    • removes unused mockserver dependency
    • correctly removes transitive bouncycastle dependency from packager-rpm as originally intended
    • removes compile-only dependencies from guava
    • maven plugin project
      • fixes mockito version clashes on maven project from the resolver BOM
      • aligns junit version being used
      • upgrades test groovy dependency to current
      • upgrades one test dependency to ensure it works on modern JVMs

Related issues

N/A

Have test cases been added to cover the new functionality?

yes

  • validated that all surefire/failsafe tests are running with the chosen JVM
  • validated that the maven plugin tests are running with the configured JVM
  • validated builds aren't taking significantly longer to run
  • validated the GitHub workflow runs ok on main (see this run)
  • diffed the ant and cli build archives to ensure any differences in dependencies are expected
  • sanity checked maven site generation
  • sanity checked with the gradle plugin and its tests

@boring-cyborg boring-cyborg bot added labels: ant (changes to ant), cli (changes to the cli), core (changes to core), maven (changes to the maven plugin), tests (test cases) Feb 10, 2026
@chadlwilson chadlwilson requested a review from Copilot February 10, 2026 09:48
Contributor

Copilot AI left a comment


Pull request overview

Updates Dependency-Check’s build and CI configuration to run Maven/compilation on a newer default JDK while expanding test coverage across multiple JDK versions, alongside related dependency and annotation cleanups.

Changes:

  • Switches CI workflows to build/test in a JDK matrix (11/17/21/25) and updates caching/setup-java usage.
  • Migrates nullness annotations from JetBrains to JSpecify and aligns VisibleForTesting usage to Guava.
  • Updates/cleans build dependencies and Maven configuration (plugins, exclusions, test setup, toolchains profile).

Reviewed changes

Copilot reviewed 42 out of 42 changed files in this pull request and generated 4 comments.

File Description
utils/src/test/java/org/owasp/dependencycheck/utils/XmlUtilsTest.java Swap JetBrains nullness annotation to JSpecify in tests.
utils/src/main/java/org/owasp/dependencycheck/utils/XmlUtils.java Replace JetBrains annotations with JSpecify + Guava VisibleForTesting.
utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java Migrate nullness annotations to JSpecify across settings APIs.
utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java Replace nullness annotations with JSpecify and adjust method annotations.
utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java Replace nullness annotations with JSpecify on downloader APIs.
utils/pom.xml Remove unused test deps/profile and add Guava for new annotation usage.
test-docker.sh Use exec:exec goal (plugin version controlled in parent) to read project version.
shell-docker.sh Use exec:exec goal (plugin version controlled in parent) to read project version.
publish-docker.sh Use exec:exec goal (plugin version controlled in parent) to read project version.
build-docker.sh Use exec:exec goal (plugin version controlled in parent) to read project version.
pom.xml Central build changes: plugin/dependency alignment, toolchains profile, CI/test JVM args, and dependency updates.
maven/src/it/690-threadsafety/first/pom.xml Bump Spring Boot patch version used in IT fixture.
maven/src/it/690-threadsafety/first-a/pom.xml Bump Spring Boot patch version used in IT fixture.
maven/src/it/1751-use-child-repositories/postbuild.groovy Update Groovy XmlSlurper import for newer Groovy.
maven/pom.xml Simplify dependency management and configure invoker ITs to use configured Java home.
core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/utils/Filter.java Remove unused JetBrains annotation import.
core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java Replace JetBrains annotations with JSpecify on public methods.
core/src/main/java/org/owasp/dependencycheck/dependency/naming/PurlIdentifier.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/dependency/naming/GenericIdentifier.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java Replace JetBrains @NotNull with JSpecify @NonNull and adjust javadoc reference.
core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java Replace JetBrains @NotNull with JSpecify @NonNull in helper methods.
core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearch.java Remove explicit JSONException catch/import after JSON library adjustment.
core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java Replace JetBrains @Nullable with JSpecify @Nullable.
core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java Adjust JSON parsing of advisory ID field to tolerate non-string types.
core/src/main/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzer.java Replace JetBrains @NotNull with JSpecify @NonNull.
core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java Replace JetBrains VisibleForTesting with Guava equivalent.
core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java Replace JetBrains nullness annotations with JSpecify.
core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java Replace JetBrains nullness annotation with JSpecify and clean imports.
core/src/main/java/org/owasp/dependencycheck/Engine.java Replace JetBrains nullness annotations with JSpecify across engine APIs.
core/pom.xml Adjust test-jar configuration and update JSON dependency usage; add JCL-over-SLF4J.
cli/pom.xml Reuse centralized runtime JVM args and clean dependency exclusions.
ant/pom.xml Align core test-jar dependency reference to tests classifier.
archetype/src/main/resources/archetype-resources/pom.xml Use ${junit.version} property instead of hardcoded JUnit versions.
.github/workflows/release.yml Run release build with default JDK 25 and modernize caching/setup-java usage.
.github/workflows/purge-cache.yml Update cache steps and add setup-java (now expects default JDK env var).
.github/workflows/pull_requests.yml Split into matrix jobs and run unit/integration tests against 11/17/21/25.
.github/workflows/build.yml Run main-branch snapshot build in a JDK test matrix with updated caching/setup-java.
Comments suppressed due to low confidence (1)

pom.xml:936

  • In <reporting>, versions-maven-plugin no longer specifies an explicit <version>. Maven does not consistently apply build/pluginManagement to reporting plugins, so this can lead to the site using whatever version comes from the super POM (hurting reproducibility and possibly breaking on newer JDKs). Recommend setting <version>${versions-maven-plugin.version}</version> in the reporting plugin entry as well.


Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 42 out of 42 changed files in this pull request and generated 2 comments.


@chadlwilson chadlwilson marked this pull request as draft February 10, 2026 10:21
@chadlwilson chadlwilson force-pushed the use-jvm-toolchains branch 4 times, most recently from b45977b to 711c68e Compare February 10, 2026 12:53
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…aspectjweaver-1.8.9.jar on Java 25

The zip file has an invalid header which causes newer JDK zip to fail to parse in the JarAnalyzer:

Caused by: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
    at java.util.zip.ZipFile$Source.zerror (ZipFile.java:1831)
    at java.util.zip.ZipFile$Source.checkZip64ExtraFieldValues (ZipFile.java:1345)
    at java.util.zip.ZipFile$Source.checkExtraFields (ZipFile.java:1305)
    at java.util.zip.ZipFile$Source.checkAndAddEntry (ZipFile.java:1224)
    at java.util.zip.ZipFile$Source.initCEN (ZipFile.java:1767)
    at java.util.zip.ZipFile$Source.<init> (ZipFile.java:1542)
    at java.util.zip.ZipFile$Source.get (ZipFile.java:1506)
    at java.util.zip.ZipFile$CleanableResource.<init> (ZipFile.java:704)
    at java.util.zip.ZipFile.<init> (ZipFile.java:204)
    at java.util.zip.ZipFile.<init> (ZipFile.java:150)
    at java.util.jar.JarFile.<init> (JarFile.java:333)
    at java.util.jar.JarFile.<init> (JarFile.java:306)
    at java.util.jar.JarFile.<init> (JarFile.java:265)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.parseManifest (JarAnalyzer.java:856)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency (JarAnalyzer.java:324)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:328)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1090)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:614)
    at java.lang.Thread.run (Thread.java:1474)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
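The ZipException in the trace above comes from the stricter central-directory validation that newer JDKs perform when opening an archive. For a scanner that matters: a jar the JarAnalyzer cannot open is a dependency it cannot assess, so such archives should be surfaced rather than silently skipped. The following is an added example, not code from the Dependency-Check project: a small Python checker that walks a zip central directory and reports entries whose zip64 extended-information extra block (tag 0x0001) does not match the fields the header defers to it. The consistency rule it applies is a simplified approximation of what the JDK checks, not the JDK's own logic, and the sample jar and the injected defect are constructed in memory.

```python
import io
import struct
import zipfile

CEN_SIG = b"PK\x01\x02"      # central directory file header signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record signature
ZIP64_EXTID = 0x0001         # zip64 extended information extra field tag
ZIP64_MAGIC32 = 0xFFFFFFFF   # 32-bit size/offset deferred to the zip64 block
ZIP64_MAGIC16 = 0xFFFF       # 16-bit disk number deferred to the zip64 block
CEN_HDR_LEN = 46             # fixed part of a central directory header


def _find_eocd(data: bytes):
    """Locate the EOCD record; return (eocd_index, cd_size, cd_offset)."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    # sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    fields = struct.unpack_from("<4sHHHHIIH", data, idx)
    return idx, fields[5], fields[6]


def check_zip64_extra_fields(data: bytes):
    """Walk the central directory and return (entry_name, problem) pairs.

    Rule applied (an approximation of the JDK check, not its code): every 32-bit
    size/offset field set to 0xFFFFFFFF must be backed by 8 bytes in the zip64
    block, a disk number of 0xFFFF by 4 bytes, and the block holds nothing else."""
    _, cd_size, cd_offset = _find_eocd(data)
    findings = []
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end and data[pos:pos + 4] == CEN_SIG:
        (_, _, _, _, _, _, _, _, csize, usize, name_len, extra_len, comment_len,
         disk_start, _, _, local_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + CEN_HDR_LEN:pos + CEN_HDR_LEN + name_len].decode("utf-8", "replace")
        extra_start = pos + CEN_HDR_LEN + name_len
        extra = data[extra_start:extra_start + extra_len]
        expected = 8 * sum(v == ZIP64_MAGIC32 for v in (usize, csize, local_off))
        expected += 4 if disk_start == ZIP64_MAGIC16 else 0
        seen_zip64 = False
        ep = 0
        while ep + 4 <= len(extra):           # extra data is a sequence of (tag, size, payload)
            tag, size = struct.unpack_from("<HH", extra, ep)
            if ep + 4 + size > len(extra):
                findings.append((name, "extra field block overruns the extra data"))
                break
            if tag == ZIP64_EXTID:
                seen_zip64 = True
                if size != expected:
                    findings.append((name, f"zip64 block is {size} bytes but the header defers {expected}"))
            ep += 4 + size
        if expected and not seen_zip64:
            findings.append((name, "header uses zip64 magic values but carries no zip64 block"))
        pos += CEN_HDR_LEN + name_len + extra_len + comment_len
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny well-formed jar built in memory (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


def inject_bogus_zip64_block(data: bytes, entry_name: str) -> bytes:
    """Return a copy of `data` whose central-directory entry for `entry_name` carries an
    8-byte zip64 block although none of its fields are deferred (constructed defect)."""
    eocd_idx, cd_size, cd_offset = _find_eocd(data)
    pos = cd_offset
    while data[pos:pos + 4] == CEN_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + CEN_HDR_LEN:pos + CEN_HDR_LEN + name_len] == entry_name.encode():
            bogus = struct.pack("<HHQ", ZIP64_EXTID, 8, 0)
            patched = bytearray(data)
            insert_at = pos + CEN_HDR_LEN + name_len + extra_len
            patched[insert_at:insert_at] = bogus                                   # append to this entry's extra data
            struct.pack_into("<H", patched, pos + 30, extra_len + len(bogus))      # fix the entry's extra length
            struct.pack_into("<I", patched, eocd_idx + len(bogus) + 12, cd_size + len(bogus))  # fix CD size in EOCD
            return bytes(patched)
        pos += CEN_HDR_LEN + name_len + extra_len + comment_len
    raise KeyError(entry_name)


if __name__ == "__main__":
    clean = build_sample_jar()
    print("clean jar:", check_zip64_extra_fields(clean) or "no findings")
    broken = inject_bogus_zip64_block(clean, "org/example/Hello.class")
    for entry, problem in check_zip64_extra_fields(broken):
        print(f"{entry}: {problem}")
```

Run as a script it reports nothing for the clean sample and one finding for the patched copy. In a scanning pipeline the useful outcome is the report itself: an archive that fails this kind of structural check should be logged and counted as unanalysed so that a malformed or tampered jar does not disappear from the results.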
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 42 out of 42 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

maven/src/it/1751-use-child-repositories/postbuild.groovy:23

  • This script now imports groovy.xml.XmlSlurper. Ensure the Maven Invoker Plugin has the corresponding Groovy XML module on its classpath (often org.apache.groovy:groovy-xml), otherwise this IT can fail at execution time with a missing-class error.
import groovy.xml.XmlSlurper

String report = new File(basedir, "target/dependency-check-report.xml").text;

def analysis = new XmlSlurper().parseText(report);


…le it

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
… JVMs

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson chadlwilson marked this pull request as ready for review February 10, 2026 13:15
…est validations

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Technically they must be ISO-8859-1, not UTF-8.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…matically loading annotation processors from classpath

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
- migrates to maintained org.json:json artifact
- removes unnecessary excludes
- fixes excludes for bouncycastle and unnecessary guava pieces

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson
Collaborator Author

Sorry for the noise here. Despite running it a few times on my fork, copilot found new things here for some reason, which I addressed. 😅

I am done for now, pending feedback 🙏

